Chinese State-sponsored Hacking Group Embedded in US Critical Infrastructure Networks for at Least Five Years, US Government Warns

ICARO Media Group
Politics
09/02/2024 20h07

In a joint advisory, the US government and its intelligence allies have revealed that the Chinese state-sponsored hacking group known as Volt Typhoon has been infiltrating critical infrastructure networks in the United States for a minimum of five years. The group's tactics and target selection suggest that they are not engaged in traditional cyber espionage but are pre-positioning themselves for potential disruptive or destructive cyber attacks.

The advisory, released by the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and the Federal Bureau of Investigation (FBI), has received support from other nations in the Five Eyes (FVEY) intelligence alliance, including Australia, Canada, New Zealand, and the United Kingdom. It cautions that Volt Typhoon, also known as Bronze Silhouette, Insidious Taurus, UNC3236, Vanguard Panda, or Voltzite, is a stealthy group believed to have been active since June 2021.

Volt Typhoon's ability to remain undetected for extended periods is primarily attributed to their use of "living off the land" techniques, enabling them to blend their malicious activities with legitimate system and network behavior. Additionally, the group relies on multi-hop proxies, such as the KV-botnet, to mask their true origins by routing malicious traffic through compromised routers and firewalls in the US.

The US authorities further highlighted Volt Typhoon's meticulous approach, emphasizing their extensive pre-exploitation reconnaissance to understand target organizations and environments. The group tailors their tactics, techniques, and procedures (TTPs) according to the victim's network, dedicates ongoing resources to maintaining persistence, and leverages valid accounts and strong operational security to achieve long-term undiscovered access.

One of their key strategies involves attempting to obtain administrator credentials within the network by exploiting privilege escalation vulnerabilities. Once acquired, the elevated access facilitates lateral movement, reconnaissance, and full compromise of the target domain. Volt Typhoon aims to retain access to compromised environments, repeatedly re-targeting them over several years.

Notably, the group avoids leaving malware artifacts that would trigger alerts and employs targeted log deletion to conceal their activities. This emphasis on stealth and operational security allows Volt Typhoon to maintain long-term persistence without detection.
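The log-deletion behaviour described above has a defender-side counterpart: watch for explicit log-clear events and for holes in the per-channel record sequence. The following is an added example written for this edit, not code from the advisory or from the article; the event records are constructed, the host names and users are assumptions, and the event IDs are the real Windows ones for a cleared Security log (1102) and System log (104).

```python
"""Two checks for audit-log tampering on Windows hosts:
(1) explicit log-clear events, (2) gaps in a channel's EventRecordID
sequence, which can indicate that individual records were removed."""
from collections import defaultdict

# Real Windows event IDs recorded when a log is cleared.
LOG_CLEAR_EVENTS = {("Security", 1102), ("System", 104)}

# Constructed sample records (host, channel, record_id, event_id, user);
# not real telemetry.
SAMPLE_EVENTS = [
    ("dc01", "Security", 1, 1102, "svc_backup"),  # cleared; first record of the fresh log
    ("dc01", "Security", 2, 4624, "svc_backup"),
    ("ws22", "Security", 9100, 4688, "jdoe"),
    ("ws22", "Security", 9101, 4688, "jdoe"),
    ("ws22", "Security", 9105, 4634, "jdoe"),     # records 9102-9104 are missing
    ("fw-mgmt", "System", 310, 104, "admin"),     # System log cleared
]


def find_log_clears(events):
    """Return (host, channel, user) for every explicit log-clear event."""
    return [(h, c, u) for h, c, _, eid, u in events
            if (c, eid) in LOG_CLEAR_EVENTS]


def find_record_gaps(events):
    """Return (host, channel, first_missing, last_missing) for each break
    in the otherwise contiguous EventRecordID sequence of a channel."""
    by_channel = defaultdict(list)
    for h, c, rid, _, _ in events:
        by_channel[(h, c)].append(rid)
    gaps = []
    for (h, c), ids in by_channel.items():
        ids.sort()
        for prev, cur in zip(ids, ids[1:]):
            if cur - prev > 1:
                gaps.append((h, c, prev + 1, cur - 1))
    return gaps


if __name__ == "__main__":
    for hit in find_log_clears(SAMPLE_EVENTS):
        print("log cleared:", hit)
    for gap in find_record_gaps(SAMPLE_EVENTS):
        print("record gap:", gap)
```

A record gap can also come from collection problems or log rollover, so it is a lead to triage against forwarding health, not a verdict on its own; forwarding logs off-host as they are written is what keeps the 1102/104 signal from being deleted along with everything else.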

The revelation comes as the Citizen Lab exposed a network of over 123 websites impersonating local news outlets across Europe, Asia, and Latin America. These websites, connected to a Beijing-based public relations firm named Shenzhen Haimaiyunxiang Media Co., Ltd., were found to be promoting pro-China content as part of a broader influence campaign.

The Chinese embassy in Washington dismissed allegations of disinformation, labeling them as a "typical bias and double standard." Despite this, the joint advisory from US authorities and their international counterparts serves as a stark warning about the potential threat posed by Volt Typhoon's ongoing presence in US critical infrastructure networks.

As the US government responds to this concerning development, efforts to bolster cybersecurity and protect critical infrastructure against sophisticated state-sponsored hacking groups will likely intensify in the coming months.

The views expressed in this article do not reflect the opinion of ICARO, or any of its affiliates.
