A quiet war has been going on between Washington and Beijing for years, under several names and largely out of public view, including the "chip war", espionage and cyberattacks, with each side accusing the other.
The most recent episode is the large-scale cyber campaign disclosed yesterday, Wednesday, by Washington, a number of its Western allies and Microsoft Corporation, in which the finger was pointed at a group called "Volt Typhoon", said to be sponsored by the Chinese state.
So what is known about this group and its apparent objectives, given that Washington and its allies have warned that similar attacks could be carried out anywhere in the world?
Targeted US infrastructure
According to information published by Microsoft, "Volt Typhoon" has been active since mid-2021 and has targeted a number of critical infrastructure organisations, most notably on the US island of Guam, where the United States maintains a major military base in the Pacific Ocean.
The NSA discovered the breaches on Guam around the same time that a Chinese spy balloon was making headlines for entering US airspace, according to a New York Times report at the time.
Microsoft's investigations revealed a wide-ranging effort to infiltrate multiple sectors, focusing in particular on communications and on air, sea and land transport.
Stealth and espionage
To gain initial access, Volt Typhoon compromises Internet-facing Fortinet FortiGuard devices, a common target for attackers because they sit on the network edge and are often left unpatched.
Once a device is compromised, the group uses the privileges the device holds to extract the credentials of the Active Directory account it uses, then authenticates with those credentials to other systems on the network.
It then begins collecting information about the host, discovering additional devices on the network and pulling data, according to an analysis published by Dark Reading.
To cover its tracks, it routes its command-and-control traffic through compromised small office and home office network equipment (routers, firewalls and VPN appliances) from ASUS, Cisco, D-Link, NETGEAR and Zyxel, so that the traffic appears to originate from ordinary residential and small-business connections and blends in with normal activity.
Valid credentials, built-in tools
In most cases, the group gains access to compromised systems by logging in with valid credentials, exactly as authorised users do, which makes its activity hard to distinguish from legitimate administration.
In a smaller number of cases, Microsoft has observed Volt Typhoon operators setting up proxies on compromised systems to facilitate access, using the built-in Windows netsh portproxy command rather than dropping any malware of their own.
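As an added illustration (this is not code from the article, from Microsoft or from Dark Reading), the following PowerShell hunting script enumerates the netsh portproxy rules on a Windows host and flags the ones that look like attacker-created relays. The registry path is where netsh stores v4tov4 TCP rules; the allow-list, the private-address heuristic and the verdict thresholds are assumptions to be adapted to the environment. Run it as Administrator on the host being checked.

```powershell
# Added hunting example: enumerate netsh portproxy rules and flag suspicious ones.
# Not Microsoft's or the article's code; allow-list and thresholds are assumptions.

# 1. What netsh itself reports. An attacker creates a relay with a command of the
#    form: netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=8443
#          connectaddress=<target> connectport=443
netsh interface portproxy show all

# 2. The persistent store behind those rules. netsh writes every v4tov4 TCP rule
#    here as a value named "<listenaddr>/<listenport>" whose data is
#    "<connectaddr>/<connectport>". On a host that has never used portproxy the
#    key normally does not exist at all, which is itself a useful baseline.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp'

# Hypothetical allow-list of relays the organisation knowingly configured.
$knownGood = @('127.0.0.1/5985')

if (-not (Test-Path $key)) {
    Write-Output "No portproxy rules present on $env:COMPUTERNAME"
}
else {
    $props = Get-ItemProperty -Path $key
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |     # drop PSPath, PSDrive etc.
        ForEach-Object {
            $listen  = $_.Name                         # e.g. 0.0.0.0/8443
            $connect = [string]$_.Value                # e.g. 203.0.113.10/443
            $listenAddr, $listenPort   = $listen  -split '/'
            $connectAddr, $connectPort = $connect -split '/'

            # Assumed heuristics: a relay that listens on every interface, or that
            # forwards to an address outside RFC 1918 space, deserves a closer look.
            $reasons = @()
            if ($listenAddr -eq '0.0.0.0') { $reasons += 'listens on all interfaces' }
            if ($connectAddr -ne '127.0.0.1' -and
                $connectAddr -notmatch '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)') {
                $reasons += 'forwards to a non-private address'
            }
            if ($knownGood -notcontains $listen) { $reasons += 'not in allow-list' }

            $verdict = if ($reasons.Count -ge 2) { 'SUSPICIOUS' }
                       elseif ($reasons.Count -eq 1) { 'review' }
                       else { 'ok' }

            [pscustomobject]@{
                Host    = $env:COMPUTERNAME
                Listen  = "${listenAddr}:${listenPort}"
                Connect = "${connectAddr}:${connectPort}"
                Verdict = $verdict
                Reason  = ($reasons -join '; ')
            }
        } | Format-Table -AutoSize
}

# 3. Removing a rule judged malicious uses the same parameters the attacker used:
#    netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=8443
```

Because the rules survive reboots in the registry, the key above is also a good target for endpoint monitoring: creation of the PortProxy key or of any value under it on a host that is not a known jump box is a strong signal, and the matching process event will typically show netsh.exe launched from an interactive or remote session rather than from an installer.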
Tensions mount
Tensions between Washington and Beijing, which the United States regards as its principal military, economic and strategic rival, have escalated in recent months following the "Chinese spy balloon" incident, alongside other disputes such as Taiwan and the South China Sea.
Beijing denies accusations that it launches cyber attacks or conducts espionage operations against US entities, and has in earlier statements accused Washington of being behind cyber attacks itself.
Notably, the United States and its allies made a similar accusation in 2021, attributing to Beijing the large-scale hacking campaign against Microsoft's "Exchange" email servers that was disclosed in March of that year, an accusation Beijing categorically denied.