US hunts Chinese malware staged to interfere with US military operations.
N2K, Jul 29, 2023

Chinese cyber operations move from espionage to sabotage. So far it's staging, but US officials are concerned.

US officials at the end of last week began to brief members of Congress on a Chinese cyber campaign that's been staging malware in US networks for over a year. The campaign represents an escalatory departure from familiar Chinese cyberespionage in that the malware is judged to have been designed for disruption, not just collection.

First noticed in Guam, and then named "Volt Typhoon."

The effort was publicly noted in May of this year, when Microsoft observed activity it attributed to China in the US Territory of Guam. Redmond called the activity "Volt Typhoon," and observers called it out at the time as "battlespace preparation." The intelligence services of the Five Eyes (Australia, Canada, New Zealand, the United Kingdom, and the United States) issued a joint advisory about Volt Typhoon, and that collaborative warning suggests both the seriousness and the scope of the activity. The CyberWire's Control Loop wrote, shortly after the activity was described, "The quiet establishment of persistence in any critical infrastructure network is a matter of concern. Whether Volt Typhoon is in fact engaged in preparing the battlespace for an operation against Taiwan, or whether it’s simply conducting a trial, in any hybrid war the target lists will surely include control systems."

The US hunts Chinese malware staged in US networks.

On Saturday the New York Times, citing unnamed Administration officials, reported that the US was hunting for disruptive Chinese malware that's been quietly staged in US systems. The Times' report is the result of interviews conducted over the past two months. The consensus among both government and industry experts is that Volt Typhoon precedes Microsoft's report "by at least a year." Investigation has shown that the Chinese campaign is more widespread than initially believed, and that the US work to find and "eradicate" the malware has been in progress for some time. The infestation extends beyond telecommunication systems and is geographically global, not confined to Guam or even to US territory, but there do seem to be higher concentrations of the malware in the vicinity of US military installations. Observers speculate that China is hedging against any US intervention in a Chinese invasion of Taiwan. The Times reports that there's disagreement within the Administration as to whether the malware is designed narrowly to cripple US military operations, or whether more widespread disruption of US society is the goal.

The National Security Council said, in a statement quoted by the Times, "The Biden administration is working relentlessly to defend the United States from any disruptions to our critical infrastructure, including by coordinating interagency efforts to protect water systems, pipelines, rail and aviation systems, among others."

China denies any such cyber activity against US targets.

China's embassy in Washington issued a predictable denial when asked about the report. “We have always firmly opposed and cracked down on all forms of cyberattacking in accordance with the law,” an embassy spokesman told the Times, adding familiar denunciations of the US for both hacking and defamation. “The Chinese government agencies face numerous cyberattacks every day, most of which come from sources in the U.S. We hope relevant parties will stop smearing China with groundless accusations.”

Industry reaction to a threat to critical infrastructure.

The Five Eyes joint advisory described Volt Typhoon's ability to "live off the land" as one of its distinctive capabilities. "One of the actor’s primary tactics, techniques, and procedures (TTPs) is living off the land, which uses built-in network administration tools to perform their objectives," the advisory said. "This TTP allows the actor to evade detection by blending in with normal Windows system and network activities, avoid endpoint detection and response (EDR) products that would alert on the introduction of third-party applications to the host, and limit the amount of activity that is captured in default logging configurations."
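The advisory's point is that living-off-the-land activity cannot be caught by blocking the tools, since they are part of the operating system; detection has to come from context (which account ran the tool, from which parent process, with which arguments) and from the command-line logging that default audit configurations omit. The Python below is an added example, not code from the advisory, from N2K, or from any product named on this page: the watched-tool list, the baseline of expected accounts and parent processes, the single argument rule, and the sample process-creation records are all constructed assumptions for illustration.

```python
"""Hunt for living-off-the-land use of built-in Windows admin tools in process-creation logs.

Everything below (tool names, baselines, sample events) is a constructed assumption
for this example; adapt the baselines to what is actually normal in your environment.
"""
import re
from dataclasses import dataclass

# Built-in Windows administration binaries worth baselining (illustrative choice, not the advisory's list).
WATCHED_TOOLS = {"netsh.exe", "wmic.exe", "schtasks.exe", "reg.exe"}

# Accounts expected to run those tools interactively (assumed baseline, lower-cased for comparison).
ADMIN_BASELINE = {"corp\\it-admin"}

# Parent processes from which interactive admin use is expected (assumed baseline).
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "mmc.exe"}

# Argument patterns that alter network plumbing and rarely appear in routine administration.
RISKY_ARGS = {
    "netsh.exe": [re.compile(r"\bportproxy\b", re.I)],
}

# Constructed sample records shaped like the fields of a Windows process-creation event.
SAMPLE_EVENTS = [
    {"id": 1, "user": "CORP\\svc-backup", "parent": "C:\\Windows\\System32\\services.exe",
     "image": "C:\\Windows\\System32\\netsh.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5 connectport=443"},
    {"id": 2, "user": "CORP\\jsmith", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\wbem\\wmic.exe", "cmdline": "wmic os get caption"},
    {"id": 3, "user": "CORP\\it-admin", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\netsh.exe", "cmdline": "netsh wlan show profiles"},
    {"id": 4, "user": "CORP\\it-admin", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\schtasks.exe", "cmdline": None},  # command line not audited
    {"id": 5, "user": "CORP\\jsmith", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "cmdline": "firefox.exe"},
]


@dataclass
class Finding:
    event_id: int
    tool: str
    reasons: list


def basename(path: str) -> str:
    """Last path component, lower-cased, so image and parent paths compare by file name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(event: dict):
    """Return a Finding for one process-creation record, or None if nothing stands out."""
    tool = basename(event.get("image", ""))
    if tool not in WATCHED_TOOLS:
        return None
    reasons = []
    cmdline = event.get("cmdline")
    if not cmdline:
        # Default audit policy omits command lines; without them every argument rule is blind.
        reasons.append("no command line recorded: enable process command-line auditing")
    else:
        for pattern in RISKY_ARGS.get(tool, []):
            if pattern.search(cmdline):
                reasons.append(f"risky argument matched {pattern.pattern!r}")
    if event.get("user", "").lower() not in ADMIN_BASELINE:
        reasons.append(f"unexpected account {event.get('user')!r}")
    parent = basename(event.get("parent", ""))
    if parent not in EXPECTED_PARENTS:
        reasons.append(f"unexpected parent {parent!r}")
    return Finding(event["id"], tool, reasons) if reasons else None


def hunt(events):
    """Assess every record and keep only those with at least one reason to review."""
    return [f for f in (assess(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"event {finding.event_id} ({finding.tool}):")
        for reason in finding.reasons:
            print(f"  - {reason}")
```

Run against the constructed sample, the script flags the service-account port-proxy change on three counts, the ordinary user's wmic invocation on one, and the admin's schtasks run only because no command line was recorded; the admin's routine netsh query and the browser launch pass. The same baselining approach carries over to a SIEM query, but the last case is the one to act on first: if command-line auditing is off, the advisory's observation about default logging configurations applies to your own estate.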

Joe Saunders, CEO of RunSafe Security, sees the incident as reason to address memory protection. "The threat of a ticking time bomb like this malware means we need to double-down our efforts to achieve not just memory safety in software in the long term, but memory protection in software immediately," he wrote. "Otherwise we take the risk of losing our ability to support our warfighters and maintain a normal sense of operation in society."