Chinese state hackers are infecting TP-Link routers with custom, malicious firmware
The APT actors are exploiting home / SOHO routers for covert attacks
By Alfonso Maruccia May 17, 2023, 13:02 9 comments
What just happened? A Chinese-sponsored group is leading a new, sophisticated cyber-attack against sensitive European targets, and the hackers are effectively covering their tracks by abusing infected routers belonging to unwitting home users. The routers are mostly manufactured by TP-Link, but the threat could spread to other devices.
Check Point researchers have uncovered yet another advanced persistent threat (APT), which is operated by a Chinese-sponsored group identified as “Camaro Dragon.” The attack, which mostly overlaps with malicious activities previously attributed to the “Mustang Panda” crew, is designed to cover its tracks behind TP-Link routers infected by a complex malware component.
The Camaro Dragon group targeted organizations and individuals related to European foreign affairs, Check Point explains, with “significant infrastructure overlap” with the Mustang Panda group. During their investigation, the researchers discovered a malicious firmware implant designed to work on routers manufactured by TP-Link, with several components including a custom backdoor named “Horse Shell.”
The backdoor has several main functions, including a remote shell for executing commands on the infected device, file transfer for uploading and downloading, and data exchange between two infected devices through the SOCKS5 protocol. SOCKS5 can be used as a proxy TCP connection to an arbitrary IP address, for UDP packet forwarding, and ultimately to create a chain of infected devices to mask the origin and the destination of an encrypted connection.
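To show what the SOCKS5 relay described above looks like on the wire, here is an added example (not Check Point's code and not the Horse Shell implant) that parses the client side of a SOCKS5 handshake from captured bytes, so a defender can flag a SOHO router that is quietly accepting proxy requests. The sample flows are constructed, and only the client-to-server direction is modelled.

```python
"""Minimal SOCKS5 (RFC 1928) client-handshake parser for flagging proxy relays
in packet captures taken on a router's WAN or LAN side."""
import ipaddress
import struct

SOCKS5 = 0x05
CMD_NAMES = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}


def parse_greeting(data: bytes):
    """Client greeting: VER NMETHODS METHODS... -> offered auth methods."""
    if len(data) < 2 or data[0] != SOCKS5 or len(data) < 2 + data[1]:
        return None
    return {"methods": list(data[2:2 + data[1]]), "consumed": 2 + data[1]}


def parse_request(data: bytes):
    """Client request: VER CMD RSV ATYP DST.ADDR DST.PORT -> command and target."""
    if len(data) < 4 or data[0] != SOCKS5 or data[2] != 0 or data[1] not in CMD_NAMES:
        return None
    atyp, off = data[3], 4
    if atyp == 1 and len(data) >= off + 6:            # IPv4
        host, off = str(ipaddress.IPv4Address(data[off:off + 4])), off + 4
    elif atyp == 3 and len(data) >= off + 1 + data[off] + 2:  # domain name
        n = data[off]
        host, off = data[off + 1:off + 1 + n].decode("ascii", "replace"), off + 1 + n
    elif atyp == 4 and len(data) >= off + 18:         # IPv6
        host, off = str(ipaddress.IPv6Address(data[off:off + 16])), off + 16
    else:
        return None
    return {"cmd": CMD_NAMES[data[1]], "host": host, "port": struct.unpack("!H", data[off:off + 2])[0]}


def classify_flow(client_bytes: bytes):
    """Return a finding for the first client bytes of a TCP flow, or None if it is not SOCKS5.
    A consumer router has no business answering SOCKS5; any hit deserves a look at its firmware.
    The server's method-selection reply sits between greeting and request in a real session,
    so this expects the client direction only (as a capture filter would give you)."""
    greeting = parse_greeting(client_bytes)
    if greeting is None:
        return None
    request = parse_request(client_bytes[greeting["consumed"]:])
    if request is None:
        return None
    return {"no_auth": 0 in greeting["methods"], **request}


# Constructed sample flows (documentation addresses, not captured from any real implant)
SAMPLE_CONNECT = bytes([5, 1, 0]) + bytes([5, 1, 0, 1, 203, 0, 113, 7]) + (443).to_bytes(2, "big")
SAMPLE_UDP = bytes([5, 1, 2]) + bytes([5, 3, 0, 3, 11]) + b"example.com" + (53).to_bytes(2, "big")
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
```

Run `classify_flow` over the first client bytes of each flow from a router capture; a `CONNECT` or `UDP_ASSOCIATE` finding on a device that should not proxy anything matches the relay behaviour the article describes.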
Thanks to this malicious firmware, Camaro Dragon hackers can effectively mask their real command & control center by treating infected home devices as a means to a goal. Check Point says that while Horse Shell was found on the attacking infrastructure, the true victims of the router implant are still unknown.
The researchers don’t even know how the attackers managed to infect the routers with the malicious firmware, though they likely scanned the entire internet for known vulnerabilities or weak / default login credentials. Furthermore, despite being designed to attack TP-Link routers, the components have an “agnostic” nature and could very well be repurposed for attacking a wider range of devices and manufacturers.
Check Point Research says the discovery of Camaro Dragon’s implant for TP-Link routers highlights the importance of taking protective measures against similar attacks. The security company has some recommendations for detecting and protecting against malicious firmware installations, including regularly installing software updates for home/SOHO routers, changing the default credentials of any device connected to the internet, and using stronger passwords and multi-factor authentication whenever possible.
What we know about China’s hacking of Navy systems
Hackers were “pursuing development of capabilities that could disrupt critical communications between the United States and Asia” in a crisis.
By Nicholas Slayton | Published May 28, 2023 5:23 PM EDT
Chinese-backed hackers breached American infrastructure, including technology systems belonging to the U.S. Navy, government officials confirmed this past week.
Technology company Microsoft first reported on the hack, identifying the group and the techniques used to pull it off. The operation aimed to gain access to communications systems in the United States and U.S. Navy infrastructure on Guam. The island is home to several military installations, including a large contingent of B-52 bombers and U.S. Navy submarines.
In response, the United States and its allies published a report on how to detect and protect against such intrusions.
Who is behind it?
Microsoft Corp. first reported the apparent hack on Wednesday, May 24. It identified the perpetrators with “moderate confidence” as Volt Typhoon, a “state-sponsored actor based in China that typically focuses on espionage and information gathering.” The group has been active since at least 2021.
This specific hack saw Volt Typhoon using legitimate credentials to gain access to the systems, getting inside and then using small-office routers to disguise where the intrusion is coming from. Cybersecurity experts call this approach “living off the land.” They obtained initial access by targeting Fortinet cybersecurity devices, taking advantage of a flaw in the system to gain credentials.
The Chinese government has denied the allegations, calling them a “collective disinformation campaign” by the countries that make up the Five Eyes intelligence sharing organization, the United States, United Kingdom, Canada, Australia and New Zealand.
What was affected?
The full extent of the hack is not clear, but the organizations targeted “span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors,” Microsoft said.
“Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises,” Microsoft wrote in its statement.
Secretary of the Navy Carlos Del Toro told CNBC on Thursday, May 25, that the Navy “has been impacted” by the hackers, but did not specify what areas were targeted or what it means for the Navy’s operational readiness. He did, however, say that it was “no surprise” that China initiated such a cyber attack.
Guam’s military assets and its location in the Pacific make it a major part of the U.S. military’s strategy in the region, including potential threats from China, both to the U.S. and to Taiwan.
This is not the first Chinese-backed cyberattack to affect the U.S. Navy. In 2018, hackers gained access to a Navy contractor’s computer, which held files on submarine warfare plans, including new missiles.
What’s being done?
Microsoft said that it had contacted all groups affected by the hack.
In response to the news, the cybersecurity agencies of the Five Eyes member nations issued a joint advisory on the hack and how to detect similar ones. The new report identifies several steps governments can take to prevent “living off the land” style intrusions.
“For years, China has conducted aggressive cyber operations to steal intellectual property and sensitive data from organizations around the globe,” Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency said in a statement. “Today’s advisory highlights China’s continued use of sophisticated means to target our nation’s critical infrastructure, and it gives network defenders important insights into how to detect and mitigate this malicious activity.”