U.S. agencies and those of America’s closest allies issued a rare joint report advising organizations on how to hunt for signs of intrusion by the same group and how to shore up defenses. The “Five Eyes” intelligence alliance said that facilities in Britain, Canada, Australia and New Zealand could be targeted, as well.
The hacking activity by the group was first detected two years ago, Microsoft and others said. The newest campaign uses compromised devices protected by the cybersecurity firm Fortinet, probably taking advantage of an unpublicized flaw in that company’s software. Microsoft said it has notified those targeted.
Fortinet did not respond to an email seeking comment. The same hacking group has used undisclosed flaws in other gear for previous campaigns, according to Secureworks, including a monitoring service and access software from Citrix Systems.
More broadly, devices at the edges of networks have been targeted more heavily as more employees work remotely and more use the cloud, security experts said. Edge devices are often less well monitored and are more difficult to examine after a breach.
“We recognize the actor from a series of intrusions that have targeted air, maritime and land transportation targets, as well as other organizations,” said John Hultquist, chief analyst at Google’s Mandiant Intelligence. “There are a variety of reasons actors target critical infrastructure, but a persistent focus on these sectors may indicate preparation for disruptive or destructive cyberattack.”
Russia and the United States also penetrate networks in other nations and try to establish a persistent, undetected presence. In recent years, the Americans also have moved to disclose more about intrusions on U.S. shores to make adversaries work harder and use new techniques.
In this case, attributed to a Chinese group dubbed Volt Typhoon, detection is harder because the hackers use legitimate credentials and software commands to move around the networks, a technique known as “living off the land,” according to officials from the National Security Agency, the FBI and the Cybersecurity and Infrastructure Security Agency.
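Because living-off-the-land activity uses the same native tools as administrators, one defensive approach is to baseline which accounts normally run which built-in tools on which hosts and flag deviations. The following is an added illustration, not from the article or the advisory it describes; the watchlist and the log events are constructed assumptions.

```python
from collections import Counter

# Native Windows tools commonly abused in living-off-the-land activity.
# Watchlist chosen for illustration (assumption, not from the article).
NATIVE_TOOLS = {"netsh.exe", "wmic.exe", "ntdsutil.exe", "powershell.exe", "cmd.exe"}

# Constructed process-creation events as (host, user, image). Not real logs.
BASELINE = [
    ("fw-mgmt01", "svc_backup", "powershell.exe"),
    ("fw-mgmt01", "svc_backup", "powershell.exe"),
    ("ws-ops12", "alice", "cmd.exe"),
    ("ws-ops12", "alice", "netsh.exe"),
]
HUNT = [
    ("ws-ops12", "alice", "netsh.exe"),       # alice runs netsh routinely
    ("dc01", "svc_backup", "ntdsutil.exe"),   # new tool and new host for this account
    ("ws-ops12", "svc_backup", "wmic.exe"),   # new tool and new host for this account
    ("ws-ops12", "alice", "notepad.exe"),     # not on the watchlist, ignored
]

def build_baseline(events):
    """Count (user, image) and (user, host) pairs seen during the baseline window."""
    tools = Counter((u, img) for _, u, img in events)
    hosts = Counter((u, h) for h, u, _ in events)
    return tools, hosts

def hunt_lotl(events, baseline):
    """Flag watchlisted native-tool executions that deviate from the baseline.

    Returns a list of (host, user, image, reasons) for each flagged event.
    """
    tools, hosts = baseline
    findings = []
    for host, user, image in events:
        if image.lower() not in NATIVE_TOOLS:
            continue
        reasons = []
        if (user, image) not in tools:
            reasons.append("tool never run by this account in baseline")
        if (user, host) not in hosts:
            reasons.append("account never active on this host in baseline")
        if reasons:
            findings.append((host, user, image, reasons))
    return findings

if __name__ == "__main__":
    for finding in hunt_lotl(HUNT, build_baseline(BASELINE)):
        print(finding)
```

On the constructed data this flags the two service-account executions on unfamiliar hosts and leaves the administrator's routine netsh use alone; real deployments would baseline over weeks of telemetry rather than four events.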
The intruders hide their initial access, as well, using small-office routers before reaching the Fortinet gear. Home and small-office routers have been popular with government-backed hackers in recent years, in part because they can make it look like the connection is coming from the immediate physical area instead of another country.
In addition, even after security flaws are revealed, the owners of the infected gear are less likely to install protective software updates on them than they are on web browsers, laptop operating systems or phones, all of which require more interaction.
“Today’s advisory highlights China’s continued use of sophisticated means to target our nation’s critical infrastructure, and it gives network defenders important insights into how to detect and mitigate this malicious activity,” CISA director Jen Easterly said in a joint news statement.
A CISA spokesman declined to answer questions about the significance of Guam as a target.