
Tanks on a US pipeline: The report does not make public which companies were affected by the hacker attack

Photo: Jim Lo Scalzo / EPA

After dismantling a large-scale hacking operation in the USA, authorities have revealed details about its scope. Hackers supported by the Chinese state had been hiding in critical US infrastructure for five years. In a joint report, the US intelligence agency NSA and the FBI, among others, blame a Chinese group called "Volt Typhoon" for the systematic campaign to infiltrate infrastructure operators.

The 45-page report, which involved six US security agencies as well as their counterparts from Canada, Britain and Australia, details the scale of the operation. According to the report, the perpetrators had established themselves in networks that control air, rail and road traffic, as well as in companies that operate pipelines and water and wastewater utilities. The investigators do not, however, name the specific companies and facilities affected.

Secretly took control

In recent years there have been repeated urgent warnings about such attacks. Last May, Microsoft announced that members of “Volt Typhoon” had been active in the networks of the strategically important Pacific island of Guam. The attackers are said to have targeted employees of the affected organizations in order to then use their accounts to gain access to the networks and establish themselves there.

The hackers evidently placed great importance on remaining inconspicuous: instead of installing their own malware, they used tools that were already present on the compromised computers, which made detection considerably harder. With this method, known as "living off the land", the attackers gradually obtained important accounts and passwords and were also able to access surveillance cameras directly. They did not, however, cause any direct damage.
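The detection problem the paragraph describes is that every binary the intruders ran was a legitimate part of the operating system, so file-based signatures and allowlists see nothing wrong. The following toy detector is an added example and is not part of the article or of the agencies' report: it compares each account's current use of built-in administrative tools against that account's own history and alerts when an account starts running several such tools it has never used before within a short window. The account names, tool names, timestamps and log records are constructed for illustration; the set of "administrative built-ins" is an assumed, illustrative list of real Windows utilities, not one taken from the report.

```python
"""Behavioural detection of 'living off the land' activity.

Added example, not from the article or the cited report. All events,
account names and the ADMIN_BUILTINS list are constructed/assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative (assumed) set of legitimate, pre-installed Windows
# administrative binaries. They are attractive to an intruder precisely
# because using them requires no malware to be dropped on the host.
ADMIN_BUILTINS = {
    "netsh.exe", "wmic.exe", "ntdsutil.exe", "vssadmin.exe",
    "reg.exe", "powershell.exe", "net.exe",
}

# Constructed process-creation records: (timestamp, account, image name),
# as a SIEM might normalise them. This set represents the learning period.
BASELINE_EVENTS = [
    ("2024-01-08T09:00:00", "alice", "excel.exe"),
    ("2024-01-08T09:10:00", "alice", "outlook.exe"),
    ("2024-01-08T09:30:00", "svc-backup", "vssadmin.exe"),
    ("2024-01-09T09:05:00", "alice", "excel.exe"),
    ("2024-01-09T18:00:00", "svc-backup", "vssadmin.exe"),
]

# Constructed later activity: the 'alice' account (assumed compromised)
# runs several admin built-ins it has no history of using, at night,
# minutes apart. The backup service account keeps doing its routine job.
LIVE_EVENTS = [
    ("2024-01-15T02:11:00", "alice", "outlook.exe"),
    ("2024-01-15T02:14:00", "alice", "net.exe"),
    ("2024-01-15T02:16:00", "alice", "netsh.exe"),
    ("2024-01-15T02:20:00", "alice", "ntdsutil.exe"),
    ("2024-01-15T03:00:00", "svc-backup", "vssadmin.exe"),
]


def signature_hits(events, blocklist):
    """Signature-style check: alert only when the image itself is blocked.

    Every image in the sample data is a legitimate OS binary, so a
    blocklist of known-malicious file names finds nothing here.
    """
    return [e for e in events if e[2] in blocklist]


def build_baseline(events):
    """Per-account set of images observed during the learning period."""
    seen = defaultdict(set)
    for _, user, image in events:
        seen[user].add(image)
    return seen


def detect_lotl(events, baseline, window=timedelta(minutes=30), threshold=2):
    """Alert when an account runs >= `threshold` distinct admin built-ins it
    has never used before, all within `window`. One alert per account."""
    recent = defaultdict(list)      # account -> [(time, image)] of novel uses
    alerts, alerted = [], set()
    for ts, user, image in events:
        if image not in ADMIN_BUILTINS or image in baseline.get(user, set()):
            continue                # ordinary program, or normal for this account
        t = datetime.fromisoformat(ts)
        # keep only novel-tool uses inside the sliding window, then add this one
        recent[user] = [(rt, ri) for rt, ri in recent[user] if t - rt <= window]
        recent[user].append((t, image))
        novel = {ri for _, ri in recent[user]}
        if len(novel) >= threshold and user not in alerted:
            alerts.append({"user": user, "at": ts, "tools": sorted(novel)})
            alerted.add(user)
    return alerts


if __name__ == "__main__":
    print("signature hits:", signature_hits(LIVE_EVENTS, {"known-malware.exe"}))
    baseline = build_baseline(BASELINE_EVENTS)
    for alert in detect_lotl(LIVE_EVENTS, baseline):
        print("behavioural alert:", alert)
```

Run stand-alone, the script reports no signature hits but one behavioural alert for the `alice` account, raised at the moment the second never-before-seen administrative tool appears; the backup account's nightly `vssadmin.exe` run stays silent because it is part of that account's baseline. A production version would key the baseline on host as well as account and feed the alert into the same triage queue as other identity anomalies.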

Preparation for later sabotage?

The US investigators see this as a bad sign. "We are extremely concerned about the malicious cyber activities of the state-sponsored actor from the People's Republic of China," Eric Goldstein, a senior official at the cybersecurity agency CISA, told Reuters. "Most of the victims we identified have no legitimate espionage value." The US authorities conclude that large-scale acts of sabotage were planned.

According to the report now published, the attackers remained fully capable of doing this until US investigators cut off key access a week ago and took down a botnet that had been used for the attacks. Although they had only been active in the IT environments of the affected facilities, a move into OT (operational technology), which includes the industrial control systems, would probably have been possible.

The severity of the threat is also said to have led to several meetings at the White House, at which the government urged companies to work together to determine the full extent of the intrusions and close off avenues for further attempts. China has repeatedly denied being behind such operations in the past.

tmk/Reuters