Tensions between the United States and China have escalated in recent years, primarily due to Beijing’s threats to annex Taiwan. This has raised concerns about potential hostilities and the risk of a full-scale conflict. The recent revelation that a Chinese hacking network, known as Bolt Typhoon, had been dormant within America’s critical infrastructure for five years, has caused significant alarm.
This network exploited weaknesses in US technological and security systems. However, US and allied intelligence agencies have stated that their focus was on “prepositioning” for future acts of sabotage rather than stealing secrets.
FBI Director Christopher Wray described Bolt Typhoon as “the defining threat of our generation” during a US committee hearing last week.
The Netherlands and the Philippines have also publicly acknowledged that Chinese-backed hackers were targeting their national networks and infrastructure.
What is Bolt Typhoon?
Western intelligence officials believe that Volt Typhoon (also known as Vanguard Panda, Bronze Silhouette, Dev-0391, UNC3236, Voltzite, and Insidious Taurus) is a state-sponsored Chinese cyber operation. Thousands of internet-connected devices were compromised as part of a larger effort to infiltrate critical infrastructure in the West, including military ports, internet service providers, communications services, and public utilities.
The recent Bolt Typhoon advisory follows US authorities’ announcements of dismantling a bot network of hundreds of compromised devices attributed to a hacking network.
“CISA [Cybersecurity and Infrastructure Agency] The team includes aviation, water, energy, [and] transportation,” CISA Director Jen Easterly said at a U.S. House of Representatives committee hearing earlier this month.
How does it work?
Volt Typhoon works by exploiting vulnerabilities in small or end-of-life routers, firewalls, and virtual private networks (VPNs), often using administrator credentials or stolen passwords, and by using outdated technology that lacks regular security updates. This is the main weakness identified in US digital infrastructure. It uses a “living off the land” technique where the malware only uses existing resources within the target operating system, rather than introducing new (and more detectable) files.
A report released last week by CISA, the National Security Agency, and the FBI revealed that the Bolt Typhoon hackers had maintained access for the past five years, only targeting US infrastructure but also affecting allies of the Five Eyes, including Canada, Australia, New Zealand, and the United Kingdom.
What is its purpose?
US officials noted that Bolt Typhoon’s target selection and behavioral patterns were inconsistent with traditional cyber espionage or intelligence gathering operations. Microsoft’s research has shown that Bolt Typhoon has been active since mid-2021.
“People's Republic of China (PRC) state-sponsored cyber adversaries are using their IT networks to prepare for disruptive or devastating cyber attacks on U.S. critical infrastructure in the event of a major crisis or conflict with the United States. ,” the joint report said.
What does China say?
The Chinese government regularly denies any accusations of cyberattacks or espionage linked to or sponsored by the Chinese state. However, evidence of Chinese government cyber espionage has been accumulating for more than two decades.
Secureworks, a division of Dell Technologies, mentioned Bolt Typhoon’s interest in operational security last year, as a response to increasing pressure from the Chinese leadership to avoid public scrutiny of cyber espionage.
What's next?
The widespread nature of the hack prompted a series of meetings between the White House and the private technology industry, including several telecommunications and cloud computing companies, during which the US government sought assistance in tracking the activity.
The institutions and assets targeted by the now-dismantled botnet were ordered by CISA to disconnect affected devices and products in January, starting an intensive and difficult remediation process.
“Given the extent of targeting and compromise around the world, with three vulnerabilities currently being exploited affecting these devices, this is a significant It was necessary,” said Eric Goldstein, executive assistant director of cybersecurity at CISA.
“All organizations running these devices need to be targeted and expect a breach.”
Source: www.theguardian.com
