Unpacking the Volt Typhoon Hack
Image by Mark Richards using Midjourney


To paraphrase Benjamin Franklin, nothing is certain except death, taxes, and the fact that threat actors never rest. Defenders must therefore remain vigilant and ready for battle at all times. One instance of this ongoing battle came to light in May of this year, when a state-sponsored hacking group was revealed to have targeted U.S.-based critical infrastructure entities.

Shift in Tactics

For decades, Chinese hackers have been notorious for their large-scale and often clumsy (yet effective) theft of Western trade secrets. However, in recent years, the Chinese have refined their approach, becoming subtler and more strategic. This evolution became glaringly apparent last month when news broke of a widespread security breach of US critical infrastructure, particularly around the strategically crucial island of Guam. This incident marks a significant shift in Beijing's cyber tactics, moving from the wholesale theft of Western trade secrets to the strategic preparation of the cyber battlefield for potential future conflicts.

This shift in tactics is not a harbinger of an impending apocalypse or a major breakdown in the increasingly fraught relationship between the US and China. Instead, it serves as a sobering sign of a new normal, where both superpowers are using their cyber capabilities to lay the groundwork for a potential open conflict.

The Volt Typhoon Hack

Microsoft was the first organization to publicly reveal the infrastructure hack, attributing it to a Chinese group they dubbed "Volt Typhoon." Microsoft assessed with moderate confidence that this Volt Typhoon campaign is pursuing the development of capabilities that could disrupt critical communications infrastructure between the United States and the Asia region during future crises.

This announcement was accompanied by a joint advisory issued by the American NSA, FBI, and the Cybersecurity and Infrastructure Security Agency (CISA, part of the Department of Homeland Security), and co-signed by the cybersecurity agencies of Australia, Britain, Canada, and New Zealand, the other members of the "Five Eyes" intelligence-sharing alliance.

Implications

While the Volt Typhoon hack is a cause for concern, it does not necessarily presage an imminent attack. This kind of probing of critical infrastructure happens fairly regularly and does not mean an attack is imminent, or will ever happen at all. It is about preparing for a potential conflict rather than planning an immediate strike.

However, the presence of malicious actors from the People's Republic of China (PRC) on any critical infrastructure network is unacceptable. According to the NSA's Rob Joyce, the PRC's goal is to develop capabilities to disrupt critical infrastructure in the event of a future conflict. What makes this activity so serious is that it has no evident intelligence-collection purpose: the targeted systems yield little of espionage value, which points to pre-positioning for disruption rather than spying.

Techniques

Volt Typhoon employed a technique known as "living off the land," which takes more time and effort on the attacker's part but is also much harder to detect. Instead of gaining access to a target network and swiftly uploading malware, Volt Typhoon lurked on the network and carried out its work using only the software already present on the systems, such as the built-in Windows command-line, PowerShell, and networking utilities that legitimate administrators use every day. Because no new binary is written to disk, file-based antivirus signatures and hash lookups have nothing to match on; the intrusion shows up only in how those legitimate tools are invoked. Detecting it therefore depends on command-line and process-creation telemetry, a baseline of what normal administration looks like in the environment, and correlating several individually low-confidence signals on the same host.
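Because nothing is dropped on disk, detection has to work on what the built-in tools are told to do. The following is an added example and not code from the original article, from Microsoft, or from the advisory authors: a small Python rule set run over constructed Windows process-creation events. The three command patterns it looks for (an ntdsutil "ifm" export of the domain credential store, a netsh portproxy relay, and wmic disk enumeration) are examples of the kind of living-off-the-land commands documented in the joint Five Eyes advisory; the event field layout, host names, user names, and timestamps are assumptions invented for this example, and the rules are illustrative rather than a complete detection set.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of process-creation events. The field layout is an assumption,
# modelled loosely on Windows Security event 4688 / Sysmon event 1. None of these
# lines is real telemetry from any incident; hosts, users and times are invented.
SAMPLE_EVENTS = [
    {"ts": "2023-05-24T10:01:12Z", "host": "dc01", "user": "CORP\\svc_backup",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": 'ntdsutil "ac i ntds" "ifm" "create full C:\\Windows\\Temp\\pro" q q'},
    {"ts": "2023-05-24T10:03:40Z", "host": "app02", "user": "CORP\\jdoe",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 "
                "listenport=9443 connectaddress=10.0.5.20 connectport=443"},
    {"ts": "2023-05-24T10:05:02Z", "host": "app02", "user": "CORP\\jdoe",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": 'cmd.exe /C "wmic path win32_logicaldisk get caption,filesystem,freespace,size,volumename"'},
    {"ts": "2023-05-24T10:07:15Z", "host": "ws17", "user": "CORP\\helpdesk",
     "parent": "C:\\Windows\\explorer.exe",
     "cmdline": "ipconfig /all"},                       # benign admin activity
    {"ts": "2023-05-24T10:09:58Z", "host": "app02", "user": "CORP\\jdoe",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "netsh interface portproxy show all"},  # same tool, read-only: no alert
]


@dataclass(frozen=True)
class Rule:
    name: str
    why: str
    pattern: re.Pattern


# Each rule keys on *how* a legitimate built-in tool is used, not on the tool itself.
RULES = (
    Rule("ntdsutil_ifm_export",
         "ntdsutil 'ifm' writes an offline copy of NTDS.dit, the domain credential store",
         re.compile(r"\bntdsutil\b.*\bifm\b", re.I)),
    Rule("netsh_portproxy_add",
         "netsh portproxy turns the host into a TCP relay usable for pivoting or C2",
         re.compile(r"\bnetsh\b.*\bportproxy\b.*\badd\b", re.I)),
    Rule("wmic_disk_discovery",
         "wmic logicaldisk enumeration is host discovery with no dropped binary",
         re.compile(r"\bwmic\b.*logicaldisk", re.I)),
)


def match_rules(cmdline: str) -> list:
    """Names of every rule whose pattern matches the given command line."""
    return [rule.name for rule in RULES if rule.pattern.search(cmdline)]


def scan(events) -> list:
    """Evaluate every event against every rule. Each hit carries the triage context
    (who, where, launched by what): the tools are legitimate, so only context
    separates an administrator from an intruder."""
    alerts = []
    for ev in events:
        for rule in RULES:
            if rule.pattern.search(ev["cmdline"]):
                alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                               "parent": ev["parent"], "rule": rule.name,
                               "why": rule.why, "cmdline": ev["cmdline"]})
    return alerts


def correlate(alerts, threshold: int = 2) -> list:
    """Hosts on which at least `threshold` distinct rules fired. A single hit is low
    fidelity because admins run these tools; a cluster on one host is a stronger signal."""
    per_host = defaultdict(set)
    for alert in alerts:
        per_host[alert["host"]].add(alert["rule"])
    return sorted(host for host, rules in per_host.items() if len(rules) >= threshold)


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for a in hits:
        print(f'{a["ts"]} {a["host"]} {a["user"]} [{a["rule"]}] {a["cmdline"]}')
    print("hosts with clustered LOTL activity:", correlate(hits))
```

Run against the constructed events, the three offensive command lines produce alerts, the benign ipconfig and the read-only portproxy query do not, and only app02 crosses the two-rule correlation threshold. In a real deployment the rules would be tuned against the organisation's own administrative baseline (for example, expected ntdsutil use during scheduled domain-controller backups) before the correlation step is trusted for paging.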

The Way Forward

The Volt Typhoon hack serves as a stark reminder of the evolving nature of cyber threats and the need for robust cybersecurity measures. It underscores the importance of continuous vigilance, the development of advanced detection techniques, and the implementation of effective defense strategies.

As tensions between superpowers rise, so too does the sophistication of their cyber tactics. The Volt Typhoon hack is a testament to this reality, and it is a call to action for all stakeholders in the cybersecurity ecosystem to stay vigilant, stay educated, and be prepared for the evolving threats that lie ahead.
