Global Courant 2023-05-26 22:06:23
This week, the Five Eyes Alliance – an intelligence alliance between Australia, the United Kingdom, Canada, New Zealand and the United States – announced his research in a Chinese-backed threat targeting US infrastructure.
Using stealth techniques, the attacker – referred to as “Volt Typhoon” – leveraged existing resources in compromised networks in a technique called “life of the country.”
Microsoft has made a competitor announcementstating that the fact that the attackers were targeting Guam told of China’s plans to potentially disrupt critical communications infrastructure between the US and the Asian region in the future.
This is hot on the heels of news in April of a North Korean supply chain attack on Asia-Pacific telecommunications provider 3CX. In this case, hackers gained access to an employee’s computer using a compromised desktop app for Windows and a compromised signed software installation package.
Volt Typhoon’s announcement has prompted a rare admission by the US National Security Agency that Australia and other Five Eyes partners are engaged in a targeted search and detection plan to expose China’s clandestine cyber operations.
Such public admissions from the Five Eyes alliance are rare. Behind the scenes, however, this network is constantly working to eliminate foreign opponents. And it’s no easy feat.
Let’s take a look at the events leading up to Volt Typhoon – and more generally how this secretive transnational alliance works.
Exposing Volt Typhoon
Volt Typhoon is an “advanced persistent threat group” that has been active since at least mid-2021. It is believed to be sponsored by the Chinese government and targets critical infrastructure organizations in the US.
The group has focused much of its efforts on Guam. Located in the Western Pacific, this U.S. island territory is home to a significant and growing military presence, including the U.S. Air Force, a Marine Corps contingent, and the U.S. Navy’s nuclear-armed submarines.
Air Force F-22 Raptors and a C-130J Hercules taxi on the runway before takeoff at Andersen Air Force Base in Guam on July 22, 2021. Photo: Air Force Senior Airman Justin Wynn
It is likely that the Volt Typhoon attackers intended to access networks connected to US critical infrastructure to disrupt communications, command and control systems and maintain a persistent presence on the networks. The latter tactic could allow China to influence operations during a potential conflict in the South China Sea.
According to official statements, Australia was not directly affected by Volt Typhoon. Nevertheless, it would be a primary target for similar operations in the event of a conflict.
As for how Volt Typhoon was caught, it has not been disclosed. But Microsoft documents highlight previous observations of the threat actor attempting to dump credentials and stolen data from the victim organization. This likely led to the discovery of compromised networks and devices.
‘Life of the country’
The hackers initially gained access to networks through Internet-facing Fortinet FortiGuard devices, such as routers. Once inside, they practiced a technique called “living off the land.”
Attackers using the technique rely on using the resources already in the exploited system, rather than calling in external tools. For example, they will typically use applications such as PowerShell (a management tool from Microsoft) and Windows Management Instrumentation to gain access data and network functions.
By using internal resources, attackers can bypass protections that warn organizations of unauthorized access to their networks. Since no malicious software is used, the attacker appears as a legitimate user. As such, the life of the land allows for lateral movement within the network and provides the opportunity for a sustained, long-lasting attack.
The simultaneous announcements from the Five Eyes partners highlight the seriousness of the Volt Typhoon compromise. This incident will likely serve as a warning to other countries in the Asia-Pacific region.
Who are the five eyes?
Formed in 1955The Five Eyes Alliance is an intelligence sharing partnership comprising Australia, Canada, New Zealand, the UK and the US.
The alliance was formed after World War II to counter the possible influence of the Soviet Union. It has a specific focus on Signals Intelligence. This includes intercepting and analyzing signals such as radio, satellite and internet communications.
The members share information and access to their respective intelligence agencies and work together to collect and analyze vast amounts of global communications data. A Five Eyes operation may also contain information provided by non-member states and the private sector.
Member States have recently expressed concern about China’s de facto military control over the South China Seaits suppression democracy in Hong Kong, and threatening movements towards Taiwan. The latest public announcement of China’s cyber operations no doubt serves as a warning that Western countries are paying strict attention to their critical infrastructure – and can respond to China’s digital aggression.
In 2019 it was Australia focused by Chinese state-backed threat actors who have gained unauthorized access to Parliament House’s computer network. Indeed, there are indications that China is engaged in a concerted action effort to aim Australia’s public and private networks.
A handout photograph taken and received from the Australian Department of Defense on 10 April 2021 shows members of the Australian Federation Guard firing ceremonial M2A2 howitzer guns during a 41-gun salute at Parliament House in Canberra in honor of the passing of British Prince Philip. Photo by Kieren Whitely / Australian Department of Defence
The Five Eyes alliance may be one of the few deterrents we have against long-term, sustained attacks on our critical infrastructure.
Dennis B. Desmond is a lecturer in cyber intelligence and cybercrime research at the University of the Sunshine Coast.
This article has been republished from The conversation under a Creative Commons license. Read the original article.
Similar:
Loading…
