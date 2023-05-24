Chinese hackers are apparently laying the groundwork for cyberattacks to disrupt communications between the U.S. and Asia in the event of "future crises," Microsoft said Wednesday.

Volt Typhoon, a state-sponsored group based in China, has engaged in "stealthy and targeted malicious activity" that's "aimed at critical infrastructure organizations in the United States," according to a Microsoft Threat Intelligence blog post.

The targets reportedly include unidentified organizations in communications, manufacturing, utilities, transportation, construction, maritime, government, information technology and education.

"Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises," the tech giant said.

Volt Typhoon has been active since mid-2021 and has been spying on — and gathering intelligence from — the operators of critical infrastructure in Guam and elsewhere in the U.S., Microsoft said.

The group's activities were uncovered by American intelligence agencies and Microsoft around the same time the FBI was examining equipment from the Chinese spy balloon that an Air Force fighter shot down off the coast of South Carolina on Feb. 4, the New York Times reported Wednesday.

The discovery was especially alarming because Guam's ports and American air base would make the island critical to any U.S. military response to a Chinese invasion or blockade of Taiwan, the Times said.

Microsoft said Volt Typhoon's hackers rely almost entirely on a technique known as "living off the land," in which intruders use the tools already present in a computer's operating system, such as the command line and built-in administrative utilities, rather than installing custom malware.

Because little or nothing malicious is written to disk, these "fileless" intrusions give file-based antivirus scanners almost nothing to detect, and the commands involved look much like routine administration.

For the same reason, forensic investigation of a compromised machine may uncover only "limited evidence" of the intrusion: the traces that do exist, such as logged commands, are easy to mistake for legitimate activity.

In addition, the hackers try to blend in with normal traffic by routing their activity through compromised network equipment, including routers, firewalls and virtual private network, or VPN, devices, located in small businesses and home offices, Microsoft said.

Microsoft offered its customers instructions on how to detect and defend against Volt Typhoon intrusions, including "hunting queries" that search logs for the distinctive commands the group issues during its "post-compromise activity."
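As an added illustration of what such a hunt looks like in practice, here is a small Python pass over constructed Windows process-creation records. This is example code written for this page, not Microsoft's published queries or the advisory's indicators. The log format, host names, user names, sample command lines and the five command-line patterns it flags are all assumptions chosen for the example; they stand for the kind of built-in-tool usage that living-off-the-land hunts look for, and a real hunt would tune them against the environment's own administrative baseline.

```python
"""Toy living-off-the-land hunt over Windows process-creation records.

Added example for this page; the log format, hosts, users and the flagged
command-line patterns are assumptions, not Microsoft's published queries.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ts: str
    host: str
    user: str
    parent: str   # parent process image name
    image: str    # full path of the launched executable
    cmdline: str


@dataclass(frozen=True)
class Hit:
    host: str
    user: str
    image: str
    why: str
    cmdline: str


# Illustrative patterns (assumed for this example). Each keys on the argument
# shape, not just the binary name, because legitimate administrators run the
# same built-in tools all day; only the usage pattern is suspicious.
LOTL_PATTERNS = [
    ("netsh.exe", re.compile(r"\binterface\s+portproxy\s+add\b", re.I),
     "port proxy added (traffic relay)"),
    ("wmic.exe", re.compile(r"\bprocess\s+call\s+create\b", re.I),
     "remote process creation via WMI"),
    ("ntdsutil.exe", re.compile(r"\bac\s+i\s+ntds\b|\bifm\b", re.I),
     "Active Directory database export"),
    ("reg.exe", re.compile(r"\bsave\s+hklm\\(sam|security|system)\b", re.I),
     "credential hive saved to disk"),
    ("powershell.exe", re.compile(r"\s-(e|enc|encodedcommand)\s+[a-z0-9+/=]{20,}", re.I),
     "encoded PowerShell command"),
]

# Constructed sample records, tab-separated: ts, host, user, parent, image, cmdline.
SAMPLE_LOG = """\
2023-05-24T10:01:12Z\tDC01\tCORP\\svc_backup\tcmd.exe\tC:\\Windows\\System32\\ntdsutil.exe\tntdsutil "ac i ntds" ifm "create full C:\\Windows\\Temp\\pro" q q
2023-05-24T10:03:45Z\tWS07\tCORP\\jdoe\texplorer.exe\tC:\\Windows\\System32\\notepad.exe\tnotepad.exe notes.txt
2023-05-24T10:05:02Z\tWS07\tCORP\\jdoe\tcmd.exe\tC:\\Windows\\System32\\netsh.exe\tnetsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5 connectport=8443
2023-05-24T10:06:30Z\tSRV02\tCORP\\admin\tcmd.exe\tC:\\Windows\\System32\\netsh.exe\tnetsh advfirewall show allprofiles
2023-05-24T10:07:11Z\tSRV02\tCORP\\admin\tcmd.exe\tC:\\Windows\\System32\\wmic.exe\twmic /node:10.0.0.7 process call create "cmd.exe /c whoami > C:\\Windows\\Temp\\o.txt"
2023-05-24T10:08:00Z\tSRV02\tCORP\\admin\tcmd.exe\tC:\\Windows\\System32\\reg.exe\treg save hklm\\sam C:\\Windows\\Temp\\sam.hiv
2023-05-24T10:09:40Z\tWS07\tCORP\\jdoe\tcmd.exe\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tpowershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA
"""


def parse_log(text: str) -> list[ProcEvent]:
    """Parse the tab-separated sample format into ProcEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, parent, image, cmdline = line.split("\t", 5)
        events.append(ProcEvent(ts, host, user, parent, image, cmdline))
    return events


def hunt(events: list[ProcEvent]) -> list[Hit]:
    """Return one Hit per event whose executable and command line match a pattern."""
    hits = []
    for ev in events:
        image = ev.image.rsplit("\\", 1)[-1].lower()
        for tool, pattern, why in LOTL_PATTERNS:
            if image == tool and pattern.search(ev.cmdline):
                hits.append(Hit(ev.host, ev.user, image, why, ev.cmdline))
                break
    return hits


def hosts_by_tool_count(hits: list[Hit]) -> dict[str, int]:
    """Count distinct flagged tools per host; several on one host is the stronger lead."""
    per_host: dict[str, set[str]] = {}
    for h in hits:
        per_host.setdefault(h.host, set()).add(h.image)
    return {host: len(tools) for host, tools in per_host.items()}


if __name__ == "__main__":
    found = hunt(parse_log(SAMPLE_LOG))
    for h in found:
        print(f"{h.host:<6} {h.user:<16} {h.image:<16} {h.why}")
    print(hosts_by_tool_count(found))
```

The point of keying on argument shapes rather than binary names is exactly the difficulty the article describes: `netsh` showing firewall profiles and `netsh` adding a port proxy are the same executable, and only the second is worth an analyst's time. Hosts where several distinct tools fire close together are the first to triage.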

Government agencies in the U.S., Australia, Britain, Canada and New Zealand also released a 24-page Joint Cybersecurity Advisory on the threat posed by Volt Typhoon.