WASHINGTON — An alleged campaign by Chinese state-sponsored hackers on targets in the U.S. and Guam has raised fears that Beijing is preparing to disrupt communications in the Pacific in the event of a conflict.
The hacking campaign was first identified by Microsoft Corp. on Wednesday and quickly confirmed by authorities in the U.S., U.K. and other allied nations. Microsoft said the hacking group, which it dubbed Volt Typhoon, breached government, communications, manufacturing and IT organizations in the U.S. and Guam, a crucial military post in the western Pacific Ocean.
While the identities of most of the hacking victims remains unknown, U.S. Navy Secretary Carlos Del Toro told CNBC on Thursday that the Navy was impacted by the intrusions. The extent of the breach wasn’t immediately known. A spokesperson for the U.S. Navy declined to “discuss the status of our networks.”
Andrew Dye, San Diego Union-Tribune via Tribune News Service
An alleged campaign by Chinese state-sponsored hackers on targets in the U.S. and Guam has raised fears Beijing is preparing to disrupt communications in the Pacific in the event of a conflict. While the identities of most of the hacking victims remains unknown, U.S. Navy Secretary Carlos Del Toro, pictured above, told CNBC on May 25 that the Navy was impacted by the intrusions.
Meanwhile, Rob Joyce, the director of cybersecurity at the National Security Agency, told CNN Thursday that Chinese hackers could still have access to sensitive U.S. networks that they’ve targeted. Joyce said the intrusions stood out in how brazen they were in “scope and scale.”
A NSA representative declined to comment and referred instead to a release by the NSA and other U.S. agencies on the Chinese hacking group.
Microsoft said it had “moderate confidence” the breaches were carried out in preparation to upend communications in the event of a future crisis. The company’s disclosure came amid mounting concerns that China might take military action to enforce its claim to the self-ruled island of Taiwan.
Jon Darby, NSA’s director of operations until his retirement after 39 years at the spy agency in August, said the operation matched a well-known way to infiltrate networks by accessing them at the edges rather than at what he called the bulls-eye and then staying undetected for years.
“The interesting thing is they got in from home routers all the way into the U.S. Navy infrastructure,” said Darby, who is not familiar with the details of this specific case.
“The scary thing is they could then launch disruptive or destructive attacks when things are hitting the fan,” he said. “If they’re in these networks they can wreak havoc. You’ve got to identify and plug up the vulnerabilities that allowed them to get into these networks and eradicate them.”
The NSA, along with intelligence agencies from the U.K., Australia, New Zealand and Canada also shared more details on the hackers. Those countries are all part of a key intelligence alliance, which includes the sharing of cybersecurity information, known as the Five Eyes.
China denied the hacking accusations.
“We noted this extremely unprofessional report — a patchwork with a broken chain of evidence,” China’s Foreign Ministry Spokesperson Mao Ning said. “Apparently, this has been a collective disinformation campaign launched by the U.S. through the Five Eyes to serve its geopolitical agenda. It’s widely known that the Five Eyes is the world’s biggest intelligence association, and the NSA the world’s biggest hacking group.”
The U.S. previously accused Chinese hackers for espionage and intellectual property theft, including a data breach of the Office of Personnel Management in 2015 and a hack of Equifax in 2017. In 2014, a Senate panel found that Chinese government-affiliated hackers accessed the data of military contractors including airlines and tech companies.
It’s not clear why Microsoft, the U.S. and its allies decided to shine a spotlight on the hacking group this week. One reason may be to give private companies a head start on defending from this group of Chinese hackers long before a potential conflict with China over Taiwan, said John Hultquist, chief analyst at Mandiant Intelligence, a subsidiary of Google.
“The burden of protecting critical infrastructure from serious disruptive cyberattacks lies with the private sector. They have to defend these networks,” Hultquist said. “That’s why it’s so important that this intelligence makes its way into their hands. If it doesn’t, it’s practically useless.”
Details about the alleged attacks offer rare insights into potential sabotage efforts by Chinese hackers, whose alleged theft of intellectual property and espionage capabilities are better known. By contrast, cybersecurity experts have documented Russian attacks on critical infrastructure, including hacks of the power grid in Ukraine are well documented.
“The organization has been around a long time,” said Dakota Cary, a consultant at Krebs Stamos Group, describing the hacking group. “When they walked over a line to get something of military operational value, that’s when it changed.”
-
US Navy hit by Chinese hacking campaign, raising fears of wider plan, report says
Tero Vesalainen // Shutterstock
Critical components of U.S. infrastructure, including hospitals and power plants, are increasingly connected to the internet and are at risk of exploitation from cybercriminals lurking in the world's darkest corners.
And one specific kind of malware attack has leaders in the private and public sectors sounding the alarm over the last two years: ransomware.
Twingate collected data from the FBI's 2021 Internet Crime Report to show which infrastructure sectors were most often targeted by ransomware attacks. 2021 was the first year in which the FBI's Internet Crime Complaint Center began tracking ransomware incidents in sectors considered critical infrastructure.
The FBI's Internet Crime Complaint Center received 649 reports of ransomware incidents targeting critical infrastructure in 2021. In a memo in the latest report, FBI Deputy Director Paul Abbate described the increase in cyberattacks seen last year—not only in infrastructure sectors but overall—as "unprecedented."
The FBI defines critical infrastructure as assets or systems that "are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on our security, national economy, public health or safety."
Dozens of attacks last year were leveled at government entities, leading the National Association of State Chief Information Officers to name ransomware its top cybersecurity concern in 2021.
But the frequency of ransomware incidents was even more pronounced in the health care, financial services, and information technology sectors, which saw the most recorded attacks of any other infrastructure sector last year, according to the FBI. The military and defense sector reported the fewest incidents, with just one ransomware attack in 2021.
And these culprits aren't always lone wolf operations seeking the biggest payout. Most ransomware attacks can be linked to state actors who would harbor more motives than financial gain in sponsoring ransomware attacks. Crypto-tracking company Chainalysis reported that most ransomware payments eventually went to Russian-linked hackers.
The FBI recommends updating operating systems and software, implementing training on phishing, securing remote access points, and making an offline backup of all data to protect against ransomware attacks. Large businesses may also want to contract with a cybersecurity consulting or insurance firm.
Most subject matter experts, the FBI included, recommend against paying ransoms because doing so does not guarantee the deletion of stolen data and could potentially encourage more of the same illegal behavior.
Tero Vesalainen // Shutterstock
Critical components of U.S. infrastructure, including hospitals and power plants, are increasingly connected to the internet and are at risk of exploitation from cybercriminals lurking in the world's darkest corners.
And one specific kind of malware attack has leaders in the private and public sectors sounding the alarm over the last two years: ransomware.
Twingate collected data from the FBI's 2021 Internet Crime Report to show which infrastructure sectors were most often targeted by ransomware attacks. 2021 was the first year in which the FBI's Internet Crime Complaint Center began tracking ransomware incidents in sectors considered critical infrastructure.
The FBI's Internet Crime Complaint Center received 649 reports of ransomware incidents targeting critical infrastructure in 2021. In a memo in the latest report, FBI Deputy Director Paul Abbate described the increase in cyberattacks seen last year—not only in infrastructure sectors but overall—as "unprecedented."
The FBI defines critical infrastructure as assets or systems that "are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on our security, national economy, public health or safety."
Dozens of attacks last year were leveled at government entities, leading the National Association of State Chief Information Officers to name ransomware its top cybersecurity concern in 2021.
But the frequency of ransomware incidents was even more pronounced in the health care, financial services, and information technology sectors, which saw the most recorded attacks of any other infrastructure sector last year, according to the FBI. The military and defense sector reported the fewest incidents, with just one ransomware attack in 2021.
And these culprits aren't always lone wolf operations seeking the biggest payout. Most ransomware attacks can be linked to state actors who would harbor more motives than financial gain in sponsoring ransomware attacks. Crypto-tracking company Chainalysis reported that most ransomware payments eventually went to Russian-linked hackers.
The FBI recommends updating operating systems and software, implementing training on phishing, securing remote access points, and making an offline backup of all data to protect against ransomware attacks. Large businesses may also want to contract with a cybersecurity consulting or insurance firm.
Most subject matter experts, the FBI included, recommend against paying ransoms because doing so does not guarantee the deletion of stolen data and could potentially encourage more of the same illegal behavior.
-
US Navy hit by Chinese hacking campaign, raising fears of wider plan, report says
Chim // Shutterstock
- Ransomware incidents: 17
In 2021, the Government Accountability Office published a report recommending the federal Cybersecurity and Infrastructure Security Agency visit with communications industry stakeholders to develop a plan for how it can best support their cybersecurity. The industry includes wireless calling and internet service providers as well as broadcasters. "Its incapacitation or destruction could have a debilitating impact on the safety and security of our nation," the GAO warned.
Just a month before the report's publication, TV conglomerate Sinclair Broadcast Group was targeted by a ransomware attack that disrupted news reporting and took stations around the country off the air for a time.
Chim // Shutterstock
- Ransomware incidents: 17
In 2021, the Government Accountability Office published a report recommending the federal Cybersecurity and Infrastructure Security Agency visit with communications industry stakeholders to develop a plan for how it can best support their cybersecurity. The industry includes wireless calling and internet service providers as well as broadcasters. "Its incapacitation or destruction could have a debilitating impact on the safety and security of our nation," the GAO warned.
Just a month before the report's publication, TV conglomerate Sinclair Broadcast Group was targeted by a ransomware attack that disrupted news reporting and took stations around the country off the air for a time.
-
-
US Navy hit by Chinese hacking campaign, raising fears of wider plan, report says
JMiks // Shutterstock
- Ransomware incidents: 31
The Colonial Pipeline suffered a security breach in 2021, garnering a full-throated response from the highest levels of the U.S. government. The attackers were a criminal organization believed to be linked to the Russian government. The pipeline, which carries gas and jet fuel from Texas to much of the eastern U.S., was completely shut down within an hour of receiving the ransom note.
The unprecedented pause in operations caused fuel shortages, panic, and a run on gas stations across Atlantic states, illustrating the potentially severe consequences of an even larger attack on U.S. energy infrastructures like oil pipelines and refineries. The company reportedly paid out $5 million to the attackers, allowing fuel to flow again but not without generating some controversy for encouraging the hackers. The U.S. Department of Justice later recovered a portion of the ransom payment from the perpetrators.
JMiks // Shutterstock
- Ransomware incidents: 31
The Colonial Pipeline suffered a security breach in 2021, garnering a full-throated response from the highest levels of the U.S. government. The attackers were a criminal organization believed to be linked to the Russian government. The pipeline, which carries gas and jet fuel from Texas to much of the eastern U.S., was completely shut down within an hour of receiving the ransom note.
The unprecedented pause in operations caused fuel shortages, panic, and a run on gas stations across Atlantic states, illustrating the potentially severe consequences of an even larger attack on U.S. energy infrastructures like oil pipelines and refineries. The company reportedly paid out $5 million to the attackers, allowing fuel to flow again but not without generating some controversy for encouraging the hackers. The U.S. Department of Justice later recovered a portion of the ransom payment from the perpetrators.
-
US Navy hit by Chinese hacking campaign, raising fears of wider plan, report says
Syda Productions // Shutterstock
- Ransomware incidents: 38
Only 3 in 5 public transit agencies had a plan to deal with a cyberattack, according to a 2020 study published by the Mineta Transportation Institute at San José State University.
An August 2020 ransomware attack on Philadelphia's Southeastern Pennsylvania Transportation Authority created operational troubles for the transportation provider months after the security breach. Shortly after, the New York Metropolitan Transportation Authority, the largest public transit agency in the country, made public that it, too, had experienced a cyberattack.
Private companies can also be targeted. Forward Air, a $1.6 billion-a-year Tennessee-based logistics company, disclosed in 2021 that a ransomware breach cost the company $7.5 million.
Syda Productions // Shutterstock
- Ransomware incidents: 38
Only 3 in 5 public transit agencies had a plan to deal with a cyberattack, according to a 2020 study published by the Mineta Transportation Institute at San José State University.
An August 2020 ransomware attack on Philadelphia's Southeastern Pennsylvania Transportation Authority created operational troubles for the transportation provider months after the security breach. Shortly after, the New York Metropolitan Transportation Authority, the largest public transit agency in the country, made public that it, too, had experienced a cyberattack.
Private companies can also be targeted. Forward Air, a $1.6 billion-a-year Tennessee-based logistics company, disclosed in 2021 that a ransomware breach cost the company $7.5 million.
-
-
US Navy hit by Chinese hacking campaign, raising fears of wider plan, report says
Andrey_Popov // Shutterstock
- Ransomware incidents: 52
Cybercriminals struck two major U.S. farming organizations in late 2021, leading the FBI to issue an industrywide warning about ransomware attacks—especially those coinciding around critical seasons for the industry.
The 60-member farming cooperative in Iowa called New Cooperative, which manages a portion of the country's corn production, was struck. The other victim was a co-op called Crystal Valley, based in Minnesota, which serves 2,500 farmers, according to a local news report. Neither attack had a considerable impact on U.S. food supplies but served as a cautionary tale for other small-time agricultural organizations that may be vulnerable.
In 2021, this sector was most frequently a victim of attacks utilizing the Conti ransomware variant, the most common variant the IC3 tracks. The method uses Microsoft Word documents to gain remote access to the victim's system, allowing the attacker to deploy ransomware. Attackers that lean on this method to breach networks have reportedly demanded as much as $25 million in ransom, according to the FBI.
Andrey_Popov // Shutterstock
- Ransomware incidents: 52
Cybercriminals struck two major U.S. farming organizations in late 2021, leading the FBI to issue an industrywide warning about ransomware attacks—especially those coinciding around critical seasons for the industry.
The 60-member farming cooperative in Iowa called New Cooperative, which manages a portion of the country's corn production, was struck. The other victim was a co-op called Crystal Valley, based in Minnesota, which serves 2,500 farmers, according to a local news report. Neither attack had a considerable impact on U.S. food supplies but served as a cautionary tale for other small-time agricultural organizations that may be vulnerable.
In 2021, this sector was most frequently a victim of attacks utilizing the Conti ransomware variant, the most common variant the IC3 tracks. The method uses Microsoft Word documents to gain remote access to the victim's system, allowing the attacker to deploy ransomware. Attackers that lean on this method to breach networks have reportedly demanded as much as $25 million in ransom, according to the FBI.
-
US Navy hit by Chinese hacking campaign, raising fears of wider plan, report says
Ground Picture // Shutterstock
- Ransomware incidents: 56
Commercial facilities include theme parks, stadiums, office buildings, conference centers, and hotels. In general, commercial facilities entail places that draw large crowds for entertainment, shopping, or business purposes.
In 2021, Oregon-based venue operator McMenamins was the victim of a ransomware attack that compromised more than two decades' worth of employee data including sensitive details like Social Security numbers. In another scenario outside of the U.S., a Scandinavian hotel chain suffered a ransomware hack that locked guests out of their rooms and hindered the hotel from managing reservations, including checking guests in and out of their rooms as well as creating new room keys.
Ground Picture // Shutterstock
- Ransomware incidents: 56
Commercial facilities include theme parks, stadiums, office buildings, conference centers, and hotels. In general, commercial facilities entail places that draw large crowds for entertainment, shopping, or business purposes.
In 2021, Oregon-based venue operator McMenamins was the victim of a ransomware attack that compromised more than two decades' worth of employee data including sensitive details like Social Security numbers. In another scenario outside of the U.S., a Scandinavian hotel chain suffered a ransomware hack that locked guests out of their rooms and hindered the hotel from managing reservations, including checking guests in and out of their rooms as well as creating new room keys.
-
-
US Navy hit by Chinese hacking campaign, raising fears of wider plan, report says
Gorodenkoff // Shutterstock
- Ransomware incidents: 60
Reports of ransomware attacks leveled at government organizations, including first responders and schools, have been increasing since at least 2019. These incidents now represent a sizable share of those reported to the IC3.
The D.C. Police Department suffered a ransomware attack in 2021 in which the hackers published alleged internal documents and threatened to make more public if it didn't pay a ransom. A ransomware attack on a private human resources software provider also affected the government of Prince George's County last year, forcing the county to track pay for government employees manually. As more government agencies lean on private sector software, they will continue to rely on those vendors to maintain secure networks that keep them safe.
Laws exist in every state requiring businesses to report security breaches to consumers. Many state governments have laws similar to this for affected government agencies. The states without such laws include Mississippi, Oregon, Utah, South Dakota, New Mexico, and Wyoming, according to the National Conference of State Legislatures.
In 2022, the Los Angeles Unified School District has already dealt with a ransomware attack, and federal officials, including the FBI, have warned that attacks on schools may increase.
Gorodenkoff // Shutterstock
- Ransomware incidents: 60
Reports of ransomware attacks leveled at government organizations, including first responders and schools, have been increasing since at least 2019. These incidents now represent a sizable share of those reported to the IC3.
The D.C. Police Department suffered a ransomware attack in 2021 in which the hackers published alleged internal documents and threatened to make more public if it didn't pay a ransom. A ransomware attack on a private human resources software provider also affected the government of Prince George's County last year, forcing the county to track pay for government employees manually. As more government agencies lean on private sector software, they will continue to rely on those vendors to maintain secure networks that keep them safe.
Laws exist in every state requiring businesses to report security breaches to consumers. Many state governments have laws similar to this for affected government agencies. The states without such laws include Mississippi, Oregon, Utah, South Dakota, New Mexico, and Wyoming, according to the National Conference of State Legislatures.
In 2022, the Los Angeles Unified School District has already dealt with a ransomware attack, and federal officials, including the FBI, have warned that attacks on schools may increase.
-
US Navy hit by Chinese hacking campaign, raising fears of wider plan, report says
wutzkohphoto // Shutterstock
- Ransomware incidents: 65
As supply chains worldwide adjust to the shifting COVID-19 pandemic environment and consumer demand, manufacturers have become an obvious target for criminals looking to leverage a ransom payment.
Honeywell, a Fortune 100 aerospace and tech manufacturer, based out of North Carolina, revealed it suffered a malware attack in March 2021 that disrupted some of its computer systems. The company gave very little public detail about the intrusion, using the term malware generally and not specifying whether the attack method included holding data or access to computer systems ransom.
Industry publication CyberScoop has noted that a stigma lingers in the manufacturing sectors of Europe and the U.S., dissuading companies from speaking when they are attacked. This means the industry and experts have less-than-ideal insight into whether criminals are successfully—and quietly—extracting millions in revenues from critical manufacturing firms.
wutzkohphoto // Shutterstock
- Ransomware incidents: 65
As supply chains worldwide adjust to the shifting COVID-19 pandemic environment and consumer demand, manufacturers have become an obvious target for criminals looking to leverage a ransom payment.
Honeywell, a Fortune 100 aerospace and tech manufacturer, based out of North Carolina, revealed it suffered a malware attack in March 2021 that disrupted some of its computer systems. The company gave very little public detail about the intrusion, using the term malware generally and not specifying whether the attack method included holding data or access to computer systems ransom.
Industry publication CyberScoop has noted that a stigma lingers in the manufacturing sectors of Europe and the U.S., dissuading companies from speaking when they are attacked. This means the industry and experts have less-than-ideal insight into whether criminals are successfully—and quietly—extracting millions in revenues from critical manufacturing firms.
-
-
US Navy hit by Chinese hacking campaign, raising fears of wider plan, report says
Rawpixel.com // Shutterstock
- Ransomware incidents: 74
Companies and contractors operating in the information technology sector can often be a vector to other industries for which they provide services.
A ransomware attack against Synnex in 2021 drew concern not only for infrastructure security and clients' business interest but for American democracy; this was due to the company's relationship with the Republican National Committee and the attacker's alleged connection with Russia.
Rawpixel.com // Shutterstock
- Ransomware incidents: 74
Companies and contractors operating in the information technology sector can often be a vector to other industries for which they provide services.
A ransomware attack against Synnex in 2021 drew concern not only for infrastructure security and clients' business interest but for American democracy; this was due to the company's relationship with the Republican National Committee and the attacker's alleged connection with Russia.
-
US Navy hit by Chinese hacking campaign, raising fears of wider plan, report says
BEST-BACKGROUNDS // Shutterstock
- Ransomware incidents: 89
Financial services providers such as banks, insurance firms, and other organizations that generate income from providing loans and credit were the second-most affected sector of critical U.S. infrastructure in 2021. Central banks are known for having some of the most substantial security measures of any other private entity. Financial tech startups, however, have boomed in recent years thanks to a flood of venture capital, fueling innovative ways for consumers to take out loans or handle digital banking.
The U.S. Treasury Department found that the sums of money paid to ransomware schemes by financial services firms based in the U.S. began skyrocketing in the first half of 2021. Through its Financial Crimes Enforcement Network, the department identified around $600 million in payments made to criminals, more than the amount paid for all of 2020.
BEST-BACKGROUNDS // Shutterstock
- Ransomware incidents: 89
Financial services providers such as banks, insurance firms, and other organizations that generate income from providing loans and credit were the second-most affected sector of critical U.S. infrastructure in 2021. Central banks are known for having some of the most substantial security measures of any other private entity. Financial tech startups, however, have boomed in recent years thanks to a flood of venture capital, fueling innovative ways for consumers to take out loans or handle digital banking.
The U.S. Treasury Department found that the sums of money paid to ransomware schemes by financial services firms based in the U.S. began skyrocketing in the first half of 2021. Through its Financial Crimes Enforcement Network, the department identified around $600 million in payments made to criminals, more than the amount paid for all of 2020.
-
-
US Navy hit by Chinese hacking campaign, raising fears of wider plan, report says
SFIO CRACHO // Shutterstock
- Ransomware incidents: 148
Health care and public health institutions were the most-targeted organizations for ransomware attacks in 2021. They've become a common target due to the troves of sensitive patient data health care providers collect.
In the best-case scenario, these attacks can expose email addresses and personal information like phone numbers. In the worst, Social Security numbers and other sensitive data can be leaked onto the dark web. In 2021, the first death linked to a ransomware attack was recorded at a Mobile, Alabama, medical center. The facility was forced to shut down, preventing staff from using potentially lifesaving medical equipment on a baby, alleged a lawsuit from the mother.
The Department of Justice this year made an example of three Iranian nationals, charging them with conducting ransomware attacks against critical infrastructure, including health care centers, since 2020.
This story originally appeared on Twingate and was produced and distributed in partnership with Stacker Studio.
SFIO CRACHO // Shutterstock
- Ransomware incidents: 148
Health care and public health institutions were the most-targeted organizations for ransomware attacks in 2021. They've become a common target due to the troves of sensitive patient data health care providers collect.
In the best-case scenario, these attacks can expose email addresses and personal information like phone numbers. In the worst, Social Security numbers and other sensitive data can be leaked onto the dark web. In 2021, the first death linked to a ransomware attack was recorded at a Mobile, Alabama, medical center. The facility was forced to shut down, preventing staff from using potentially lifesaving medical equipment on a baby, alleged a lawsuit from the mother.
The Department of Justice this year made an example of three Iranian nationals, charging them with conducting ransomware attacks against critical infrastructure, including health care centers, since 2020.
This story originally appeared on Twingate and was produced and distributed in partnership with Stacker Studio.
