Five Eyes highlight cyber gang
Federal authorities have publicly exposed a cyber gang backed by the Chinese government.
A joint effort by the intelligence agencies of the Five Eyes alliance, including Australia, has successfully exposed an online criminal syndicate with links to the Chinese government.
The group has been held accountable for a series of attacks on critical infrastructure in the United States.
In an unprecedented move, the Australian Signals Directorate's Australian Cyber Security Centre (ACSC) issued a public advisory, revealing that the gang exploited built-in Windows tools on compromised hosts.
Microsoft, in a separate statement, identified the group as Volt Typhoon, describing them as a “state-sponsored actor based in China that typically focuses on espionage and information gathering”.
The group has not been detected operating within Australia, but Australian businesses and infrastructure providers have been cautioned about the elevated risk.
The ACSC highlighted the gang's use of a technique known as “living off the land”, which lets them evade detection by blending into normal Windows system and network activity, relying on tools already present rather than installing new ones that might trigger security alerts.
The ACSC statement further warned that the tactics employed by the group could pose a significant threat to critical infrastructure and various sectors worldwide.
To safeguard their systems, the ACSC advises Australian companies to review and optimise their logging configurations.
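The logging advice above implies a detection approach: because living-off-the-land activity uses tools that are already present, the signal is not a new binary but a built-in tool appearing where it was never seen before. The following Python script is an added illustration (not code from the ACSC advisory or from Microsoft): it parses a few constructed process-creation records, learns which watch-listed built-in tools each host/user pair normally runs, and flags first-time use after a cutoff. The key=value field names, the watch-list and the sample lines are assumptions made for this example.

```python
"""Baseline-deviation check for 'living off the land' activity in process logs."""

# Assumed watch-list of built-in Windows tools, chosen for illustration only.
WATCHED_TOOLS = {"wmic.exe", "netsh.exe", "ntdsutil.exe", "powershell.exe", "certutil.exe"}

# Constructed sample records in a flattened key=value form modelled on
# Windows Security event 4688 (process creation); not real telemetry.
SAMPLE_LOG = """\
ts=2023-05-01T08:00:01 host=WS01 user=alice proc=C:\\Windows\\System32\\notepad.exe
ts=2023-05-01T08:05:10 host=WS01 user=alice proc=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
ts=2023-05-02T09:00:00 host=WS01 user=alice proc=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
ts=2023-05-20T02:13:44 host=DC01 user=svc_backup proc=C:\\Windows\\System32\\ntdsutil.exe
ts=2023-05-20T02:15:02 host=WS01 user=alice proc=C:\\Windows\\System32\\wmic.exe
ts=2023-05-20T02:16:30 host=WS01 user=alice proc=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
"""


def parse_record(line):
    """Turn one 'key=value key=value' line into a dict and add 'tool' = image basename."""
    rec = dict(field.split("=", 1) for field in line.split())
    rec["tool"] = rec["proc"].rsplit("\\", 1)[-1].lower()
    return rec


def build_baseline(records, cutoff):
    """Set of (host, user, tool) seen before the cutoff; ISO-8601 timestamps sort as strings."""
    return {(r["host"], r["user"], r["tool"]) for r in records if r["ts"] < cutoff}


def detect_new_tool_use(log_text, cutoff):
    """Flag watch-listed tools run at/after the cutoff by a host/user pair absent from the baseline."""
    records = [parse_record(line) for line in log_text.splitlines() if line.strip()]
    baseline = build_baseline(records, cutoff)
    alerts = []
    for r in records:
        key = (r["host"], r["user"], r["tool"])
        if r["ts"] >= cutoff and r["tool"] in WATCHED_TOOLS and key not in baseline:
            alerts.append({k: r[k] for k in ("ts", "host", "user", "tool")})
    return alerts


if __name__ == "__main__":
    # alice's PowerShell use is in the baseline and is not flagged; ntdsutil and wmic are.
    for a in detect_new_tool_use(SAMPLE_LOG, "2023-05-10"):
        print(f"{a['ts']} {a['host']} {a['user']} ran {a['tool']} with no prior baseline use")
```

This is one heuristic among several and will be noisy until the baseline window is long enough; it only works if process-creation logging with full image paths is enabled and retained, which is exactly the configuration review the ACSC recommends.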
The release of the ACSC's advisory coincided with a series of coordinated statements by fellow Five Eyes members, namely the United States, the United Kingdom, Canada, and New Zealand.
Attributing cyberattacks to China publicly is a rare occurrence, despite the nation frequently being suspected of such activities.
When questioned about the potential impact of Australia's public condemnation of China on the recent improvement in relations, Clare O'Neil, the Minister for Home Affairs and Cyber Security, said: “The Australian government is never going to compromise on our national security and this activity should not be occurring. We have the evidence before us”.
Shadow Home Affairs Minister James Paterson expressed his conviction that if US infrastructure is under attack, it is highly likely that Australia is facing similar threats.
In Canberra, he voiced his concerns, saying: “It's been disclosed this morning that Chinese actors have been acting to infiltrate US networks of critical infrastructure providers and lying dormant on those networks for a purpose that is unstated. This is a particularly malign behaviour to target civilian infrastructure like this, and it's not acceptable.”
Microsoft disclosed that Volt Typhoon has been active since mid-2021 and, in their recent campaign, specifically targeted sectors such as manufacturing, utilities, transport, construction, maritime, government, education, and information technology.
The company highlighted the threat actor's focus on stealth, employing living-off-the-land techniques and hands-on-keyboard activity to maintain undetected access for extended periods.
Volt Typhoon also utilised compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware, to blend into normal network activity.
Additionally, they were observed using modified versions of open-source tools to establish a command and control (C2) channel over proxies, further evading detection.