Microsoft Warns That China Hackers Attacked US Infrastructure (cnbc.com)
Microsoft has issued a warning that Chinese state-sponsored hackers, known as "Volt Typhoon," have compromised "critical" U.S. cyber infrastructure across various industries with a focus on gathering intelligence. CNBC reports: The Chinese hacking group, codenamed "Volt Typhoon," has operated since mid-2021, Microsoft said in an advisory. The organization is apparently working to disrupt "critical communications infrastructure between the United States and Asia," Microsoft said, to stymie efforts during "future crises." The National Security Agency put out a bulletin (PDF) on Wednesday, detailing how the hack works and how cybersecurity teams should respond.
The attack is apparently ongoing. In an advisory, Microsoft urged impacted customers to "close or change credentials for all compromised accounts." U.S. intelligence agencies became aware of the incursion in February, around the same time that a Chinese spy balloon was downed, the New York Times reported. The infiltration was focused on communications infrastructure in Guam and other parts of the U.S., the Times reported, and was particularly alarming to U.S. intelligence because Guam sits at the heart of an American military response in case of a Taiwanese invasion.
Volt Typhoon is able to infiltrate organizations using an unnamed vulnerability in a popular cybersecurity suite called FortiGuard, Microsoft said. Once the hacking group has gained access to a corporate system, it steals user credentials from the security suite and uses them to try to gain access to other corporate systems. The state-sponsored hackers aren't looking to create disruption yet, Microsoft said. Rather, "the threat actor intends to perform espionage and maintain access without being detected for as long as possible." Infrastructure in nearly every critical sector has been impacted, Microsoft said, including the communications, transport, and maritime industries. Government organizations were also targeted.
Re:Countries are stupid (Score:4, Interesting)
How long before we realize the concept of countries is anti-human?.. fuck everything and implement a global libertarian government .. don't you realize that we've got to get rid of all the communist, fascist, police states, corruption, and dictatorships then start all over again without all these problems.
It's a beautiful idyllic dream. How do you rid the world of all the corrupt governments? Bomb them into oblivion until there's only "our" corrupt government left, then pretend it's libertarian? It's not like they'd just roll over and go, "Oh, yeah, totes take my power, you well-intentioned humanitarians! We were too selfish to see how badly we treated our people. Thank you for saving us from ourselves." No. What would happen would be more along the lines of them giving you a stark "No." and then trying to sort out how many weapons they have available to point at you after.
How is life going to go multi-planetary if we can't even get along with each other?
Oh, don't worry. The corporatists will see to it that no humans leave the planet without selling their soul to the company first. Can't wait for Elon Musk's indentured servitude contracts under some new fancy name to make them sound nicer. It's gonna be daydreams and puppy dogs for humanity then, I tell ya!
Re: (Score:2)
How long before we realize the concept of countries is anti-human?.. fuck everything and implement a global libertarian government .. don't you realize that we've got to get rid of all the communist, fascist, police states, corruption, and dictatorships then start all over again without all these problems.
It's a beautiful idyllic dream. How do you rid the world of all the corrupt governments?
It's not even idyllic. It's not the concept of countries that's the problem. Take the ideological, racial, religious, etc. divisions in one country and then try to achieve some sort of consensus across all peoples of the world. The end result can only be either domination by whichever group can commandeer the government (doesn't even have to be a majority) or true extreme libertarianism (i.e., anarchy).
Everyone has a concept of world unity and peace, but all based on their own concept of what is idyllic.
Re: (Score:2)
It's not even idyllic. It's not the concept of countries that's the problem. Take the ideological, racial, religious, etc. divisions in one country and then try to achieve some sort of consensus across all peoples of the world. The end result can only be either domination by whichever group can commandeer the government (doesn't even have to be a majority) or true extreme libertarianism (i.e., anarchy).
"Peace through tyranny." --Megatron
Everyone has a concept of world unity and peace, but all based on their own concept of what is idyllic. The only way to a true idyllic state is by having everyone give up on their stubborn vision on what constitutes an idyllic state. The actual view of what constitutes an idyllic state doesn't matter, just the personal willingness to give up ideological fortresses and be practical.
As much as some folks preach personal freedom and personal responsibility, it would take a lot of both to get there from where we are now, and a lot of either on its own requires an intelligent, tolerant populace. Something severely missing in the modern age. Everyone now seems to believe that the only way to peace is through absolute tyranny of their own version of "ideal." Which is utter bullshit to anyone with enough brain-power to realize that no two people have the sa
Re: (Score:3)
Many countries *are* anti-human. The norm for international behavior of countries is at best amoral. That doesn't mean that replacing many bad governments with a single government is *necessarily* going to be better.
Unquestioned faith in some Utopian scheme is a common fault of political radicals no matter where they fall on the political spectrum. Radicals often have interesting and valid insights into the shortcomings of the status quo; they're often quite worth listening to on that topic. They're much
Re: (Score:2)
countries or nations are just another variety of narratives that allow humans to work together in big numbers. would you prefer gods or religious fervor? anyhow, without these narratives you wouldn't have pyramids or huge cities, advanced medicine or flags stuck in the moon. it's not anti human, it's actually the very distinct characteristic of humans that allowed our species to thrive and dominate the world.
and there's the problem: domination. it's not narratives but the elites of human groups exploiting
Re: (Score:2)
How long before we realize the concept of countries is anti-human?.. fuck everything and implement a global libertarian government .. don't you realize that we've got to get rid of all the communist, fascist, police states, corruption, and dictatorships then start all over again without all these problems.
How is life going to go multi-planetary if we can't even get along with each other?
I agree that national borders are anti-human. And the constant anti-China rhetoric out of the USA is just mind numbing.
Can just imagine a meme poster of that guy with the hair, always on about aliens
"I'm not saying it's China."
"But it's China"
Re: (Score:2)
Two Words: Trade Winds.
Hmm (Score:2)
I can't imagine how popular this FortiGuard actually is as this is the first I'm hearing of them, and I've never seen their company show up for anti-virus test comparisons. Their name invokes thoughts of how a child might name something, and immediately gives me the impression that it's probably not the best product on the market. So, I highly doubt it's actually a popular product and moreso the lowest quoted security product, and the government is fucking lazy and stupid when it comes to software purchases
Re: (Score:2)
Right, so what you can almost certainly guarantee about FortiGuard based on all of that is that it's almost ubiquitously used across all the most sensitive branches of government and the decision was made behind closed doors with absolutely no accountability or public review process.
Re: (Score:1)
Oh, yea, and you can also count on it having cost literally billions of dollars but is functionally less capable than a 3-line shell script.
Re: (Score:1)
Yes, I'm actually that guy; the guy they're all afraid will replace them with a shell script, because I actually can. Some fun facts about shell scripts: They work for free, they don't need sick days, and they don't have massive inferiority complexes.
Re: (Score:2)
I just can't figure out why we haven't hired you to handle our PCI+DSS/SOC2 yet.
3 lines of bash- what can't you do with that kind of power?
Evaluate before purchase, evaluate often (Score:2)
Re: (Score:2)
We'd be a customer of theirs, but we're an open source shop wherever possible.
Now, here's where it gets tricky.
When you're trying to get all your dumb fucking PCI-DSS/SOC2 shit, you really do need to have independent firewalls in front of every single domain.
These firewalls need to have more than just protective rules, they need IDS and IPS.
Organizations as such look for packaged solutions (FortiGates, WatchGuards, NetScreens, PIX,
From the (Score:2)
No Sh!t! department?
Is Trump writing CNBC headlines? (Score:2, Insightful)
Neither MS nor CCP will ever disclose the lengths of US espionage. MS because of US laws, and CCP because it cannot reveal weakness.
There is no news here. Move along.
Re: (Score:2)
I do not read Mandarin but I am sure in the Chinese press there are multiple accusations against the US.
Do they really mean Fortiguard? (Score:4, Informative)
IMHO, the wording of this article is bound to cause misunderstanding. Fortiguard is a threat intelligence service and security research arm of Fortinet. Fortinet devices pull info FROM Fortiguard and use them in policies, but I'm not sure why they call Fortiguard a "popular cybersecurity suite". Everything I've read so far suggests that Volt Typhoon is targeting misconfigured internet-facing SOHO devices, including Fortigates, but maybe there is more info to come.
I think they know now (Score:2)
"the threat actor intends to perform espionage and maintain access without being detected for as long as possible."
That's speculation and since you've just announced it to everyone out there, I think they know they've been exposed.
What's missing here is how many times Fortinet has been hacked. Here's a recent story [arstechnica.com]
For me, if the vendor's products are getting hacked this frequently [duckduckgo.com] then their equipment/software and their annual license fees go in the dumpster.
Time for something better than ICSA? (Score:2)
This makes me wonder if something similar to UL is needed that would not just do black box testing, but as part of the agreement, take the source code of the version to be certified, run tools on that [1], then do a build and see how that compared to the artifact that the company wants to certify. For hardware, if it requires secret sauce, then use a CPU simulator or FPGA boards, and the firmware run against that, or a similar SBC.
From there, do like Europe's "Sold Secure", with silver/gold/platinum, where the
Act of War (Score:1)
Sounds like one to me. Though yeah, probably better just to sit back and let them do their thing. It's worked so well with The ruzzia after all.
It will continue until the west decides to change (Score:3)
They have implemented Digital Certificates for all of their citizens so that they KNOW who they are dealing with.
Why will the rest of the west not do it? Because it will make it harder to see what we write, talk, etc.
Stupid thing is that terrorists and most criminals ALREADY DO THIS.
Where's the smoking gun? (Score:1)
Without asking for identity cards and motives through the pixels, where is the evidence?
Mandarin characters and particular IP addresses aren't proof of a grand conspiracy.
Could be anyone, including a non-state actor, or any state posing as Chinese to strain relations with the West even more.
It could also be people in China who have no official policy goals or appearing to hack from there for organized crime reasons.
Reading motive and origin from malware is a leap too far. Claim only what is known but claim