The secretive alliance of five countries has broken up a Chinese-backed hacking group in an unusually public way.
This week, the Five Eyes alliance (the intelligence pact between Australia, the United Kingdom, Canada, New Zealand and the United States) announced its investigation into a threat of Chinese origin targeting US infrastructure.
Using stealth techniques, the attacker, known as “Volt Typhoon”, exploited the resources already present in the compromised networks, a technique called “living off the land”.
Microsoft made a simultaneous announcement, stating that the attackers’ targeting of Guam revealed China’s plans to potentially disrupt critical communications infrastructure between the United States and the Asian region in the future.
This attack comes shortly after the news, in April, of a North Korean attack on the supply chain of the Asia-Pacific telecommunications provider 3CX. In that case, hackers accessed an employee’s computer using a compromised and signed Windows desktop application installation package.
The Volt Typhoon announcement has led the US National Security Agency to admit that Australia and other partners in the Five Eyes are involved in a targeted search and detection scheme to uncover China’s clandestine cyber operations.
These kinds of public statements by the Five Eyes alliance are few and far between. Yet behind the curtain, this network is persistently engaged in trying to bring down foreign adversaries. And that’s not an easy task.
Let’s take a look at the events leading up to Volt Typhoon and more generally at how this secret transnational alliance operates.
Discovering Volt Typhoon
Volt Typhoon is an “advanced persistent threat group” that has been active since at least mid-2021. It is believed to be sponsored by the Chinese government and targets critical infrastructure organizations in the United States.
The group has focused much of its efforts on Guam. Located in the western Pacific, this US island territory is home to a large and growing US military presence, including the Air Force, a contingent of Marines and nuclear-capable submarines.
The Volt Typhoon attackers likely sought to access networks connected to critical US infrastructure to disrupt communications and command and control systems, and to maintain a persistent presence on those networks. This last tactic would allow Beijing to influence operations during a possible conflict in the South China Sea.
Australia was not directly affected by Volt Typhoon, according to official statements. However, it would be one of the main targets of similar operations in the event of a conflict.
It has not been revealed how Volt Typhoon was detected. But the Microsoft documents highlight previous observations of the threat actor attempting to dump stolen credentials and data from the victim organization. This likely led to the discovery of compromised networks and devices.
Living off the land
Hackers initially accessed the networks through Internet-facing Fortinet FortiGuard devices, such as routers. Once inside, they employed a technique called “living off the land.”
This is when attackers rely on the resources already present in the exploited system instead of bringing in external tools. For example, they often use applications such as PowerShell (a Microsoft management program) and Windows Management Instrumentation to access data and network functions.
By using internal resources, attackers can bypass protections that alert organizations to unauthorized access to their networks. Since they do not use malicious software, they look like legitimate users. As such, living off the land allows for lateral movement within the network and offers the opportunity for a long-term persistent attack.
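Because living-off-the-land activity uses no malware, detection has to look at how built-in tools are invoked rather than at what binary runs. The following added example (not from the article or from any vendor advisory) scores constructed Windows process-creation records for PowerShell and WMI usage patterns that rarely appear in routine administration; the event records, host names and heuristics are all assumptions for illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (fields modelled on Sysmon/4688 logs)."""
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


# Constructed sample telemetry: one benign PowerShell use and three
# patterns that blend built-in tools with attacker-like invocation.
SAMPLE_EVENTS = [
    ProcEvent("ws01", "CORP\\alice", "explorer.exe", "powershell.exe",
              "powershell.exe -NoProfile Get-ChildItem C:\\Reports"),
    ProcEvent("srv02", "CORP\\svc_web", "w3wp.exe", "powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgA..."),
    ProcEvent("srv03", "CORP\\admin", "wmiprvse.exe", "cmd.exe",
              "cmd.exe /c netstat -ano"),
    ProcEvent("ws04", "CORP\\bob", "cmd.exe", "wmic.exe",
              "wmic /node:srv05 process call create \"cmd.exe /c whoami\""),
]

# Heuristics: flags that hide or obscure PowerShell, WMI remote process
# creation, and parents (web/WMI/db services) that rarely spawn shells.
ENCODED = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\b", re.I)
HIDDEN = re.compile(r"-w(indowstyle)?\s+hidden", re.I)
BYPASS = re.compile(r"-nop\b|-ep\s+bypass|-executionpolicy\s+bypass", re.I)
WMI_REMOTE_EXEC = re.compile(r"/node:\S+.*process\s+call\s+create", re.I)
SUSPICIOUS_PARENTS = {"w3wp.exe", "wmiprvse.exe", "sqlservr.exe"}


def score_event(ev):
    """Return the list of reasons an event looks like living-off-the-land use."""
    reasons = []
    if ev.image.lower() in ("powershell.exe", "pwsh.exe"):
        if ENCODED.search(ev.cmdline):
            reasons.append("encoded PowerShell command")
        if HIDDEN.search(ev.cmdline):
            reasons.append("hidden PowerShell window")
        if BYPASS.search(ev.cmdline):
            reasons.append("profile/execution-policy bypass")
    if ev.image.lower() == "wmic.exe" and WMI_REMOTE_EXEC.search(ev.cmdline):
        reasons.append("remote process creation via WMI")
    if ev.parent.lower() in SUSPICIOUS_PARENTS:
        reasons.append(f"spawned by {ev.parent.lower()} (service parent)")
    return reasons


def flag_lotl(events):
    """Return (event, reasons) pairs for every event with at least one reason."""
    return [(ev, score_event(ev)) for ev in events if score_event(ev)]


if __name__ == "__main__":
    for ev, why in flag_lotl(SAMPLE_EVENTS):
        print(f"{ev.host} {ev.user} {ev.image}: {', '.join(why)}")
```

The benign `-NoProfile` directory listing on ws01 is not flagged, which is the point: the same binary is legitimate or suspicious depending on its parent and arguments, so a "no malware present" check alone says nothing.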
Simultaneous announcements from the Five Eyes partners point to the seriousness of the Volt Typhoon compromise. It is likely to serve as a warning to other nations in the Asia-Pacific region.
Who are the Five Eyes?
Formed in 1955, the Five Eyes alliance is an intelligence-sharing association consisting of Australia, Canada, New Zealand, the United Kingdom and the United States.
The alliance was formed after World War II to counter the possible influence of the Soviet Union. It focuses specifically on signals intelligence: the interception and analysis of signals such as radio, satellite and Internet communications.
The members share information and access to their respective signals intelligence agencies, and collaborate to collect and analyze vast amounts of global communications data. A Five Eyes operation may also include intelligence provided by non-member countries and the private sector.
Member countries have recently raised concerns about China’s de facto military control over the South China Sea, its suppression of democracy in Hong Kong, and its threats against Taiwan. The latest public announcement of China’s cyber operations no doubt serves as a warning that Western nations are paying close attention to their critical infrastructure – and may respond to China’s digital aggression.
In 2019, Australia was targeted by Chinese state-backed threat actors who gained unauthorized access to the Parliament House computer network. In fact, there is evidence that China is engaged in a concerted effort to attack Australia’s public and private networks.
The Five Eyes alliance may well be one of the only deterrents against long-term, persistent attacks on critical infrastructure.
Article originally published by The Conversation. Dennis B. Desmond is Professor at the University of the Sunshine Coast and Researcher on Cyber Intelligence and Cybercrime.