Microsoft has warned that a state-sponsored Chinese hacking group has compromised “critical” infrastructure in the US in order to disrupt communications between the country and Asia in the event of a crisis.
In a rare announcement about a systems breach, the US technology group said the hackers, codenamed “Volt Typhoon”, have operated since mid-2021. They have been able to infiltrate organisations across industries by exploiting vulnerabilities in a popular cyber security platform called FortiGuard, Microsoft said.
“In this campaign, the affected organisations span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors,” Microsoft said. It added that the hacking group’s actions had focused on gathering intelligence and espionage, rather than causing immediate disruption.
It added: “Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.”
On Thursday, the Chinese foreign ministry hit back at the allegations, saying they “lacked evidence” and accused the US of being a “hacker empire”. They added that “the involvement of certain companies” in the warning “shows that the US is expanding channels for disseminating false information”.
Microsoft said it had notified targeted or compromised customers and urged them to close or secure their accounts.
The US and international cyber security authorities issued a joint advisory notice about Volt Typhoon on Wednesday that also warned of Chinese state-sponsored cyber threats.
Rob Joyce, cyber security director of the US National Security Agency, said: “A PRC state-sponsored actor is living off the land, using built-in network tools to evade our defences and leaving no trace behind. That makes it imperative for us to work together to find and remove the actor from our critical networks.”
“Living off the land” refers to cyber attacks that use legitimate tools already installed in a person’s devices to carry out a hack, making it far more difficult to detect than traditional malware attacks that typically require a victim to download files.
John Hultquist, chief analyst at Mandiant Intelligence — a cyber defence service owned by Google — said the Volt Typhoon hack was “aggressive and potentially dangerous”.
“Chinese cyberthreat actors are unique among their peers in that they have not regularly resorted to destructive and disruptive cyber attacks. As a result, their capability is quite opaque. This disclosure is a rare opportunity to investigate and prepare for this threat.”
Additional reporting by Eleanor Olcott in Hong Kong
