Chinese hackers seeking ways to cripple infrastructure ‘likely to have targeted UK operators’

British companies and infrastructure operators are “likely” to have been targeted by a state-sponsored Chinese hacking group which is believed to be seeking to cripple vital services in the event of a conflict between Beijing and the West, experts have warned.

In an unusual move, Britain’s cyber security intelligence agency this week released a joint statement with key allies detailing the existence of Volt Typhoon – a Beijing-backed hacker operation primarily targeting America.

It is claimed to have found a way of gaining long-term access to key computer systems, including those used to run critical infrastructure, without being detected.

American officials have warned that Washington and its allies believe China has “almost certainly” acquired an ability to launch cyberattacks capable of disrupting assets including rail networks and oil or gas pipelines.

Microsoft, whose Windows system is targeted by the Volt Typhoon hack, said it believed the alleged cyber operation had been running since 2021 and is aimed at hindering military communications between the United States and Asia during “future crises” – a reference to escalating tensions between China and the West over Taiwan. The tech giant said targeted sectors included utilities, communications, shipping companies and government bodies.

In a joint statement as part of the Five Eyes intelligence-sharing alliance, the UK’s National Cyber Security Centre (NCSC) – the part of GCHQ which deals with threats to digital infrastructure – said it believed the techniques deployed by the Volt Typhoon group have the potential to be used “worldwide” against other targets.

The Five Eyes nations are the UK, USA, Canada, Australia and New Zealand.

But experts went further, telling i that it is “likely” Volt Typhoon has already targeted UK organisations, including those with links to American companies whose systems may have already been compromised and therefore make easier targets.

Toby Lewis, global head of threat analysis at cybersecurity company Darktrace, said Volt Typhoon could have widened its sphere of operations to include Britain. He told i: “It is feasible that the same group which targets US entities might target UK organisations, for example US entities with a UK presence.”

Another analyst, who declined to be named because his organisation works with UK government bodies, said: “If a state-sponsored actor has secured a route into the critical infrastructure systems of an adversary, then it is probable they will look to deploy that tool with the adversary’s partners. Just as the Royal Navy patrols the South China Sea, so China’s operators will not see much difference between probing US, UK or other Five Eyes cyber assets.”

Officials have warned that the Volt Typhoon attack method is unusually challenging to detect, because the hackers have devised a way of harnessing legitimate “administrator” tools built into the Windows operating system to gather databases and ultimately break the passwords of operators.

These “living-off-the-land” attacks make it difficult to distinguish between the day-to-day acts of an authorised user and an external hacker. Crucially, they also offer a long-term means of entering a computer system which can be activated at a time – potentially far into the future – of the attacker’s choosing.
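As an added illustration that is not part of the article: one way defenders approach the detection problem described above is to record which accounts normally run built-in Windows administration tools on which hosts, then flag executions that fall outside that baseline or that arrive via remote-execution parents. The tool set, parent-process list, baseline and telemetry below are all constructed for this example.

```python
import ntpath
from dataclasses import dataclass

# Built-in Windows administration binaries that blend in with routine use;
# illustrative set chosen for this example, not a list taken from the article.
ADMIN_TOOLS = {"ntdsutil.exe", "wmic.exe", "netsh.exe", "reg.exe", "vssadmin.exe"}

# Parent processes that imply the command arrived remotely (WMI or service
# execution) rather than from an interactive console session.
REMOTE_PARENTS = {"wmiprvse.exe", "services.exe"}


@dataclass
class Event:
    """Minimal process-creation record (Sysmon-style fields)."""
    host: str
    user: str
    image: str
    parent_image: str


def tool_name(path):
    return ntpath.basename(path).lower()


def flag_lotl(events, baseline):
    """Return (event, reasons) pairs for admin-tool executions that deviate
    from baseline.  baseline maps (host, user) -> set of admin tools that
    account is known to run on that host; both keys are lower-cased."""
    flagged = []
    for ev in events:
        tool = tool_name(ev.image)
        if tool not in ADMIN_TOOLS:
            continue  # ordinary software: not interesting for this check
        reasons = []
        if tool not in baseline.get((ev.host.lower(), ev.user.lower()), set()):
            reasons.append(f"{tool} not in baseline for {ev.user} on {ev.host}")
        parent = tool_name(ev.parent_image)
        if parent in REMOTE_PARENTS:
            reasons.append(f"launched via {parent} (remote execution)")
        if reasons:
            flagged.append((ev, reasons))
    return flagged


# Constructed sample baseline and telemetry (not real data).
BASELINE = {("dc01", "corp\\svc_backup"): {"vssadmin.exe", "ntdsutil.exe"}}
EVENTS = [
    Event("dc01", "CORP\\svc_backup", r"C:\Windows\System32\vssadmin.exe", r"C:\Windows\System32\cmd.exe"),
    Event("dc01", "CORP\\jsmith", r"C:\Windows\System32\ntdsutil.exe", r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    Event("ws17", "CORP\\jsmith", r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe"),
    Event("ws17", "CORP\\jsmith", r"C:\Windows\System32\netsh.exe", r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for ev, reasons in flag_lotl(EVENTS, BASELINE):
        print(f"{ev.host} {ev.user} {tool_name(ev.image)}: " + "; ".join(reasons))
```

The backup account's scheduled vssadmin run passes silently, while the same tool family run by an unexpected account, or launched through WMI, is surfaced with the reason attached.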

In a briefing document explaining the methods used by Volt Typhoon and how to counter them, the NCSC and its partners warned of the potential for hackers to cause havoc, saying that if they succeeded in obtaining certain data files, entire “domains” or groups of users would have to be considered “compromised”, with hackers even able to create their own accounts on systems.

The 24-page document also warned that the hackers had perfected a way of routing their attacks through devices such as machines used by employees working from home to make detection even more difficult.

American officials said Volt Typhoon appeared to have been initially deployed against a telecoms company in Guam, the Pacific island territory that would act as a major hub for any American military operation to counter a Chinese invasion or blockade of Taiwan.

It is believed the hacking collective has since widened its sphere of activity to the US mainland and beyond, targeting a range of industries and sectors. Defence experts have long warned that any future confrontation between the world’s most advanced military powers is certain to include the deployment of offensive cyber tools designed to knock out communications and hamper logistics.

In a briefing this week, the US State Department said it had been assessed that “China almost certainly is capable of launching cyber attacks that could disrupt critical infrastructure services, including against oil and gas pipelines and rail systems.”

The NCSC said it was asking organisations to be alert to the methods ascribed to Volt Typhoon. The National Security Agency – the US equivalent of GCHQ – said it had been alerted to at least one further hacking victim since details of the hacking group were released.

China denied that it was spying on Western targets, accusing the Five Eyes alliance of a “collective disinformation campaign”. A Chinese foreign ministry spokesperson said: “The United States is the empire of hacking.”
