China’s Salt Typhoon Attacks Guam Entity; US Sanctions Chinese Company
A Chinese state-sponsored group, Volt Typhoon, which made headlines early last year for compromising critical infrastructure in the United States, is reportedly targeting similar environments in Guam, a critical site for the U.S. military in the Pacific.
Meanwhile, the U.S. Treasury Department is sanctioning a Chinese cybersecurity company for aiding another government-backed group, Flax Typhoon, which has targeted critical infrastructure not only in the United States but also in Europe, Asia, and Africa.
The sanctions are part of the U.S. government’s multi-pronged efforts to push back against myriad cyber-assaults by China, which the White House’s Office of the Director of National Intelligence (ODNI) in its annual threat assessment report last year called “the most active and persistent cyber threat to U.S. Government, private-sector, and critical infrastructure networks.”
“Beijing’s cyber espionage pursuits and its industry’s export of surveillance, information, and communications technologies increase the threats of aggressive cyber operations against the United States and the suppression of the free flow of information in cyberspace,” ODNI wrote.
A Typhoon of Threats
Early last year, federal agencies warned that Volt Typhoon was infiltrating U.S. critical infrastructure to essentially preposition itself to disrupt operations in such areas as water, power, and communications in the event of a conflict between the United States and China, likely over Taiwan, a top pressure point between the two countries. In its report, ODNI noted that one likely scenario included attacking infrastructure in Guam and disrupting communications between the United States and Asia.
Bloomberg reported that in 2022, U.S. investigators detected unusual activities in the Guam Power Authority’s (GPA) networks. According to the news site, about 20% of the power GPA supplies goes to the U.S. Navy, which has a prominent position on the island, a key U.S. military location given its proximity to China, Taiwan, and other critical Asian countries.
Researchers and security teams from various U.S. agencies, including the National Security Agency (NSA), FBI, and Coast Guard, have ramped up monitoring of systems on the island, such as telecom networks, energy grids, and ports, though further efforts to bulk up protections have been hampered by the various private companies that manage Guam’s critical infrastructure, according to Bloomberg.
US Targets Integrity Tech
For its part, the Treasury Department sanctioned Chinese cybersecurity firm Integrity Technology Group for its role in helping Flax Typhoon, a state-sponsored group that has been active since at least 2021 in targeting critical infrastructure in a range of industries around the world, with a particular focus on Taiwan.
The group, like Volt Typhoon and similar Chinese hackers, exploits known vulnerabilities for initial access into victims’ computers and then uses legitimate remote access software to gain persistent control over their networks. In 2023, Microsoft wrote that Flax Typhoon was targeting dozens of organizations in Taiwan, adding that the group “intends to perform espionage and maintain access to organizations across a broad range of industries for as long as possible. However, Microsoft has not observed Flax Typhoon act on final objectives in this campaign.”
Flax Typhoon’s Botnet
More recently, the FBI last year said it disrupted a huge botnet created by Flax Typhoon. The botnet comprised hundreds of thousands of Internet of Things (IoT) devices, was in operation for four years, and targeted critical infrastructure operations as well as corporations, media organizations, universities, and government agencies in the United States and elsewhere.
In a report about the botnet, the FBI, NSA, and agencies from the UK, Australia, and Canada wrote that Integrity Technology Group had controlled and managed the botnet’s activities since 2021. In announcing the sanctions, Treasury officials said that between the summer of 2022 and the fall of 2023, Flax Typhoon accessed hosts associated with entities in the United States and Europe using VPN software and remote desktop protocols. In addition, in the summer of 2023, the group compromised servers and workstations at a California-based organization.
Flax Typhoon used infrastructure linked to Integrity Tech for its operations, routinely sending and receiving information from the company’s infrastructure.
On the Defensive
“These actors continue to target U.S. government systems as part of their efforts, including the recent targeting of Treasury’s own IT infrastructure,” the department wrote, noting an attack last month in which unclassified documents were stolen. According to a letter the department sent to Congress, the hackers were able to access Treasury’s systems by compromising third-party software from BeyondTrust.
Such attacks are part of China’s larger efforts, which have included another group, Salt Typhoon, which infiltrated the networks of at least eight U.S. telecoms, including AT&T, Verizon, and T-Mobile, as well as others around the world, and stole metadata from U.S. citizens.
U.S. Senator Mark Warner, D-VA, called Salt Typhoon’s attacks the “worst telecom hack in our nation’s history” and said the compromises were ongoing.