What we know about China’s hacking of Navy systems

Hackers were "pursuing development of capabilities that could disrupt critical communications between the United States and Asia" in a crisis.


Chinese-backed hackers breached American infrastructure, including technology systems belonging to the U.S. Navy, government officials confirmed this past week. 

Technology company Microsoft first reported on the hack, identifying the group and the techniques used to pull it off. The operation aimed to gain access to communications systems in the United States and U.S. Navy infrastructure on Guam. The island is home to several military installations, including a large contingent of B-52 bombers and U.S. Navy submarines. 

In response, the United States and its allies published a report on how to detect and protect against such intrusions.


Who is behind it?

Microsoft Corp. first reported the apparent hack on Wednesday, May 24. It identified the perpetrators with “moderate confidence” as Volt Typhoon, a “state-sponsored actor based in China that typically focuses on espionage and information gathering.” The group has been active since at least 2021.

In this specific hack, Volt Typhoon used legitimate credentials to gain access to the systems, got inside, and then routed its traffic through small-office routers to disguise where the intrusion was coming from. Cybersecurity experts call this approach “living off the land.” The group obtained initial access by targeting Fortinet cybersecurity devices, taking advantage of a flaw in those devices to harvest credentials.

The Chinese government has denied the allegations, calling them a “collective disinformation campaign” by the countries that make up the Five Eyes intelligence-sharing alliance: the United States, United Kingdom, Canada, Australia and New Zealand.

What was affected?

The full extent of the hack is not clear, but the targeted organizations “span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors,” Microsoft said.

“Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises,” Microsoft wrote in its statement. 

Secretary of the Navy Carlos Del Toro told CNBC on Thursday, May 25, that the Navy “has been impacted” by the hackers, but did not specify what areas were targeted or what it means for the Navy’s operational readiness. He did, however, say that it was “no surprise” that China initiated such a cyber attack.

Guam’s military assets and its location in the Pacific make it a major part of the U.S. military’s strategy in the region, including countering potential threats from China to both the U.S. and Taiwan.

This is not the first Chinese-backed cyberattack to affect the U.S. Navy. In 2018, hackers gained access to a Navy contractor’s computer, which held files on submarine warfare plans, including new missiles.

What’s being done?

Microsoft said that it had contacted all groups affected by the hack. 

In response to the news, the cybersecurity agencies of the Five Eyes member nations issued a joint advisory on the hack and how to detect similar ones. The new report identifies several steps governments can take to prevent “living off the land” style intrusions. 

“For years, China has conducted aggressive cyber operations to steal intellectual property and sensitive data from organizations around the globe,” Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said in a statement. “Today’s advisory highlights China’s continued use of sophisticated means to target our nation’s critical infrastructure, and it gives network defenders important insights into how to detect and mitigate this malicious activity.”
