China Hack Is Latest Challenge for West’s Diplomatic Reset With Beijing

Cybersecurity agencies in the U.S., the U.K., Canada, Australia and New Zealand said a Chinese state-sponsored actor is employing a tactic known as “living off the land,” which involves using built-in network administration tools to gain access to systems.

Summary

  • Beijing denies allegation that state-sponsored actor from China targeted infrastructure in Guam and elsewhere in the U.S.

The U.S. and its closest allies said Chinese hackers are targeting critical infrastructure using a novel method that is difficult to detect, sounding an alarm that could be a hurdle to recent efforts to improve ties between Beijing and the West.

Cybersecurity agencies in the U.S., the U.K., Canada, Australia and New Zealand—an intelligence-sharing group of countries known as the Five Eyes—said a Chinese state-sponsored actor is employing a tactic known as “living off the land,” which involves using built-in network administration tools to gain access to systems. The activity blends in with normal Windows system activities, allowing the actor to evade detection.

The campaign is impacting communications, manufacturing, transportation, maritime and other sectors in parts of the U.S. and Guam, the American territory that hosts major military installations in the Pacific, according to a blog post from Microsoft, publisher of the Windows operating system. The tech giant said the Chinese actor, known as Volt Typhoon, is pursuing capabilities that could disrupt communication infrastructure between the U.S. and Asia in a future crisis.

China has consistently denied carrying out cyberattacks and has accused the U.S. of being the biggest culprit of such efforts. Mao Ning, a spokeswoman for China’s foreign ministry, on Thursday said the U.S. is spreading false information.

“This is a patchwork report that seriously lacks a chain of evidence, which is extremely unprofessional,” she said of the allegations. “It is obvious that this is a collective disinformation action taken by the United States to mobilize the Five Eyes alliance countries for geopolitical purposes.”

By gaining access to a system through the “living off the land” approach—and maintaining that access while remaining undetected—hackers can glean intelligence about how the system operates. It could also give them the ability to disrupt the system later with no warning—though the intent could just be information gathering, some experts said.
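The point of the two paragraphs above is that built-in administration tools look like normal Windows activity, so a defender has to judge each launch by its context rather than by the binary. The following is an added example, not code from the Five Eyes agencies, Microsoft or the article: it checks every launch of a built-in admin tool against its process ancestry and the account's own baseline, over constructed Sysmon-style records; the host names, users, command lines and the tool and ancestor lists are assumptions to tune per environment.

```python
"""Spot living-off-the-land use of built-in Windows admin tools in process logs.
Added example for this article, not from the Five Eyes advisory or Microsoft; hosts,
users, commands and the tool/ancestor lists are constructed assumptions."""
from collections import Counter, namedtuple
# Built-in tools an intruder can reuse without dropping malware (tune per site).
ADMIN_TOOLS = {"netsh.exe", "wmic.exe", "ntdsutil.exe", "nltest.exe", "net.exe",
               "reg.exe", "vssadmin.exe", "powershell.exe"}
UNEXPECTED_ANCESTORS = {"w3wp.exe", "httpd.exe", "tomcat.exe"}  # should never drive an admin shell

Ev = namedtuple("Ev", "host pid ppid user image cmd")
EVENTS = [  # constructed records shaped like Sysmon Event ID 1 / Security 4688
    Ev("web01", 400, 4, "CORP\\svc_iis", "w3wp.exe", "w3wp.exe"),
    Ev("web01", 812, 400, "CORP\\svc_iis", "cmd.exe", "cmd.exe /c"),
    Ev("web01", 815, 812, "CORP\\svc_iis", "netsh.exe", "netsh interface show interface"),
    Ev("web01", 905, 900, "CORP\\jsmith", "cmd.exe", "cmd.exe"),
    Ev("web01", 906, 905, "CORP\\jsmith", "net.exe", "net use"),
    Ev("web01", 907, 905, "CORP\\jsmith", "net.exe", "net use"),
    Ev("dc01", 620, 4, "CORP\\backup", "services.exe", "services.exe"),
    Ev("dc01", 640, 620, "CORP\\backup", "vssadmin.exe", "vssadmin list shadows"),
    Ev("dc01", 641, 620, "CORP\\backup", "vssadmin.exe", "vssadmin list shadows"),
]

def ancestry(ev, by_key, depth=5):
    """Walk up the parent chain on the same host; nearest ancestor first."""
    chain, cur = [], by_key.get((ev.host, ev.ppid))
    while cur is not None and len(chain) < depth:
        chain.append(cur.image.lower())
        cur = by_key.get((cur.host, cur.ppid))
    return chain

def find_lotl(events):
    """Return [(event, reasons)] for admin-tool launches that fail to blend in:
    the tool descends from a server process, or the (host, user, tool) triple is
    seen only once in the window and so is not part of that account's routine."""
    by_key = {(e.host, e.pid): e for e in events}
    freq = Counter((e.host, e.user, e.image.lower()) for e in events)
    findings = []
    for e in events:
        image = e.image.lower()
        if image not in ADMIN_TOOLS:
            continue
        reasons = []
        bad = UNEXPECTED_ANCESTORS.intersection(ancestry(e, by_key))
        if bad:
            reasons.append("descends from server process " + ", ".join(sorted(bad)))
        if freq[(e.host, e.user, image)] == 1:
            reasons.append("only use of this tool by this account on this host")
        if reasons:
            findings.append((e, reasons))
    return findings
```

Routine use (the backup account's repeated vssadmin runs, an interactive user's net use) passes quietly; the netsh launch that descends from the IIS worker process is the one that surfaces, with both reasons attached.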

The U.S. and its allies have named China as the culprit of malicious cyber actions in the past, though they don’t do it all the time, and some allies—like Australia—have been hesitant to name the countries responsible in other incidents. But naming China now, some cybersecurity experts said, signals that authorities believe the threat is serious, and that private-sector operators of critical infrastructure need to scan their systems to make sure they aren’t compromised.

“This is actually sophisticated, it is stealthy,” Alastair MacGibbon, the former head of Australia’s cybersecurity agency who is now chief strategy officer at cybersecurity firm CyberCX, said of the hacking tactic. “The key message is to critical infrastructure owners and operators across the Western world, to start looking for this type of activity.”

The U.S. government and some Western tech companies say Chinese state-sponsored hackers have carried out attacks that have harvested extensive amounts of sensitive materials. Most recently, researchers from Alphabet’s Google found that state-sponsored hackers from China have developed new techniques to evade common cybersecurity tools, allowing them to burrow into government and business networks for a long time without detection.

The most recent allegations come at a fraught moment in China-U.S. relations. They add to a host of issues that have strained ties between China and the U.S., including Taiwan, the war in Ukraine and the suspected Chinese spy balloon that the U.S. shot down in February.

During the Group of Seven meeting in Japan over the weekend, the U.S. and other democracies discussed plans to confront “malign practices”—including harmful digital operations such as espionage and threats to critical infrastructure—though some of the language avoided naming China directly.

After the G-7 meeting, however, President Biden said he expected a thaw in relations with China and that he wanted improved lines of communication between Washington and Beijing. Australia, which counts China as its largest trading partner, is also seeking to improve ties with Beijing, after a rocky period in which China slapped various trade restrictions on many Australian goods.

Willy Lam, an adjunct professor of history at the Chinese University of Hong Kong, said Chinese cyberattacks could play a role in any effort to take control of Taiwan, the self-ruled island that Beijing claims as its own. He pointed out that Chinese leader Xi Jinping has made a priority of improving China’s own cybersecurity, noting changes that Beijing made to its counterespionage law last month to widen its application to digital activities.

“If Xi Jinping is really determined to do something towards Taiwan within his lifetime, cyberattacks on neighboring Japanese islands, on U.S. military installations on Guam and Japan itself, those would be ramped up,” said Lam, adding that the recent cyber incident will exacerbate tensions.

In Australia, some lawmakers called for a stronger response to the latest Chinese cyber campaign. James Paterson, from the opposition center-right Liberal Party, said Australia’s government should use a new law to impose sanctions on the people responsible for the activity.

“This is a particularly malign behavior to target civilian infrastructure like this, and it’s not acceptable,” he said. “There’s no doubt in my mind that if this is happening in U.S. critical infrastructure networks, then it’s happening on our networks too,” he added.

Some analysts said the Five Eyes partners may be trying to avoid derailing the recent diplomatic push to improve ties with Beijing. Johanna Weaver, a former Australian diplomat who focused on cyber issues, pointed out that although China was called out in a technical bulletin, Australia’s political leaders didn’t make a big public display of blaming China—perhaps seeking to limit the foreign policy impact while also calling attention to the cybersecurity risk.

“They recognize they need to attach the name, China, to galvanize a technical response,” said Weaver, now the director of the Tech Policy Design Centre at the Australian National University. “If they had to put this alert out without China, the urgency to address it would not necessarily have been the same.”
