New Zealand, Five Eyes issue alert warning of China state actor engaging in 'malicious cyber activity'

The cybersecurity advisory has been issued by a multiple agencies.
The cybersecurity advisory has been issued by a multiple agencies. Photo credit: Getty Images

Five Eyes intelligence agencies have issued an alert warning a group sponsored by the Chinese state has been targeting US critical infrastructure and could direct their efforts to others worldwide.

The Chinese group is called Volt Typhoon and has been targeting a range of infrastructure ranging from communications, to construction, to utilities, according to Microsoft, which uncovered the activity.

The cybersecurity advisory has been issued by multiple bureaus including the US National Security Agency, New Zealand's National Cyber Security Centre as well as Australian, Canadian and UK cyber security agencies.

"The National Cyber Security Centre (NCSC) has joined international partners in publishing a technical advisory to highlight malicious cyber activity associated with a People's Republic of China (PRC) state-sponsored cyber actor," a statement from the agency said.

"The activity has been observed affecting networks across United States critical infrastructure sectors and the techniques described could be used to impact other sectors."

NCSC said the advisory is being published to provide New Zealand critical infrastructure operators and cyber defenders with information that will enable them to detect this activity.

"The NCSC will also be using its own cyber defence resources, including its Malware Free Networks capability, to support New Zealand organisations' efforts to detect and disrupt this activity.

"If organisations identify malicious activity as a result of reviewing the information in this advisory, they should contact the National Cyber Security Centre."

The advisory warns a "cluster of activity of interest" has been identified associated with the Chinese state-sponsored cyber actor known as Volt Typhoon.

"Private sector partners have identified that this activity affects networks across US critical infrastructure sectors, and the authoring agencies believe the actor could apply the same techniques against these and other sectors worldwide."

It follows a warning on Thursday from Microsoft that Volt Typhoon was working to disrupt "critical communications infrastructure between the United States and Asia during future crises".

"Microsoft has uncovered stealthy and targeted malicious activity focused on post-compromise credential access and network system discovery aimed at critical infrastructure organisations in the United States."

Volt Typhoon is said to have been active since mid-2021 and previously targeted infrastructure in Guam and elsewhere in the United States.

"In this campaign, the affected organizations span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. Observed behavior suggests that the threat actor intends to perform espionage and maintain access without being detected for as long as possible."

The group uses "living off the land techniques and hands-on keyboard activity", Microsoft said.

"They issue commands via the command line to (1) collect data, including credentials from local and network systems, (2) put the data into an archive file to stage it for exfiltration, and then (3) use the stolen valid credentials to maintain persistence.

"In addition, Volt Typhoon tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls and VPN hardware. They have also been observed using custom versions of open-source tools to establish a command and control (C2) channel over proxy to further stay under the radar."