A water utility and other government and private assets in Hawaii have been targeted this year by hackers working for China’s People’s Liberation Army who are looking for ways to undermine U.S. military capabilities in the Asia-Pacific.
A report in The Washington Post on Monday detailed the Chinese military’s efforts to increase its capacity for crippling U.S. power and water utilities, communication networks and transportation systems.
China is preparing in the event a U.S.-China war breaks out in the Pacific, U.S. officials and technology company officials told the Post.
An unnamed water utility, an unnamed “major West Coast port and at least one oil and gas pipeline” were targeted, as was the Texas power system that is off the national grid.
U.S. officials told the Post the “attention to Hawaii, which is home to the Pacific Fleet, and to at least one port as well as logistics centers suggests the Chinese military wants the ability to complicate U.S. efforts to ship troops and equipment to the region if a conflict breaks out over Taiwan.”
The Hawaii assets were targeted by the “People’s Republic of China state-sponsored cyber actor, also known as Volt Typhoon.”
The public water utilities on Oahu, Maui and Hawaii island told the Honolulu Star-Advertiser they were not hacked by China this year. The Kauai water utility did not reply to Star-Advertiser requests for comment.
Morgan Adamski, director of the National Security Agency’s Cybersecurity Collaboration Center, confirmed to the Post earlier this month that Volt Typhoon activity “appears to be focused on targets within the Indo-Pacific region, to include Hawaii.”
Officials with U.S. Indo-Pacific Command did not answer questions from the Star-Advertiser about whether water or other military facilities were targeted or if they are experiencing a surge in cyberattacks from hackers working for China.
A spokesperson for INDOPACOM referred the Star-Advertiser to a May 24 advisory from the U.S. and four allied nations about the China hackers targeting U.S. critical infrastructure.
The U.S. Department of Justice told the Star-Advertiser it understands the incidents detailed in the Post’s report and is constantly working to deter cyberattacks from state and nonstate affiliated hackers.
“The FBI is aware of this incident and when the FBI learns about intrusions, it’s customary that we notify victims and offer our assistance in determining its source and if there is a continuing threat,” Steven Merrill, special agent in charge of the FBI’s Honolulu Division, told the Star-Advertiser. “Similarly, if victims believe they have experienced an intrusion, we encourage them to notify us so we can investigate, if and as appropriate. Except in rare cases, FBI policy prohibits us from confirming or denying any investigation, but the public should be assured that the FBI takes seriously cyber intrusions that could compromise national security.”
The May 23 advisory referred to by INDOPACOM is titled “NSA and Partners Identify China State-Sponsored Cyber Actor Using Built-in Network Tools When Targeting U.S. Critical Infrastructure Sectors.”
“One of the actor’s primary tactics, techniques, and procedures is living off the land, which uses built-in network administration tools to perform their objectives. This TTP allows the actor to evade detection by blending in with normal Windows system and network activities, avoid endpoint detection and response (EDR) products that would alert on the introduction of third-party applications to the host, and limit the amount of activity that is captured in default logging configurations,” read the start of the advisory, issued by the U.S., the United Kingdom, New Zealand, Australia and Canada.
Some of the built-in tools used are wmic, ntdsutil, netsh and PowerShell.
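As an added illustration of how defenders look for this living-off-the-land pattern (this code is not from the article or the advisory), the Python below runs two simple rules over constructed process-creation events: any execution of ntdsutil, and a burst of several different built-in admin tools from one host and user within a short window. The event layout, host and user names, thresholds and the hypothetical helper names are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in Windows tools the advisory names as used for living off the land.
LOLBINS = {"wmic.exe", "ntdsutil.exe", "netsh.exe", "powershell.exe"}
# ntdsutil touches the AD database; outside planned maintenance it deserves review.
HIGH_RISK = {"ntdsutil.exe"}

# Constructed sample events in an assumed 4688-style layout:
# timestamp|host|user|parent_image|image|command_line
SAMPLE_LOG = r"""
2023-05-23T09:12:01|WS042|CORP\jdoe|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe
2023-05-23T09:14:22|WS042|CORP\jdoe|C:\Windows\System32\cmd.exe|C:\Windows\System32\wbem\wmic.exe|wmic computersystem get domain
2023-05-23T09:15:03|WS042|CORP\jdoe|C:\Windows\System32\cmd.exe|C:\Windows\System32\netsh.exe|netsh interface show interface
2023-05-23T09:16:40|WS042|CORP\jdoe|C:\Windows\System32\cmd.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell Get-NetAdapter
2023-05-23T10:02:10|DC01|CORP\svc-admin|C:\Windows\System32\cmd.exe|C:\Windows\System32\ntdsutil.exe|ntdsutil.exe
2023-05-23T11:30:00|WS017|CORP\asmith|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -File backup.ps1
""".strip()

def parse_event(line):
    ts, host, user, parent, image, cmd = line.split("|", 5)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "parent": parent.rsplit("\\", 1)[-1].lower(),
            "image": image.rsplit("\\", 1)[-1].lower(), "cmd": cmd}

def detect(lines, window=timedelta(minutes=10), min_distinct=3):
    # Rule 1: any run of a HIGH_RISK binary is alerted as "high".
    # Rule 2: >= min_distinct different LOLBINS from one host/user within window -> "medium", once.
    alerts = []
    recent = defaultdict(list)  # (host, user) -> [(ts, image)] inside the window
    for ev in map(parse_event, lines):
        if ev["image"] not in LOLBINS:
            continue  # ordinary process creation, nothing to do
        if ev["image"] in HIGH_RISK:
            alerts.append(("high", ev["host"], ev["user"],
                           f"{ev['image']} run via {ev['parent']}: {ev['cmd']}"))
        key = (ev["host"], ev["user"])
        recent[key] = [(t, i) for t, i in recent[key] if ev["ts"] - t <= window]
        recent[key].append((ev["ts"], ev["image"]))
        distinct = sorted({i for _, i in recent[key]})
        if len(distinct) >= min_distinct:
            alerts.append(("medium", ev["host"], ev["user"],
                           "burst of built-in admin tools: " + ", ".join(distinct)))
            recent[key] = []  # reset so one burst yields one alert
    return alerts

def run_sample():
    return detect(SAMPLE_LOG.splitlines())
```

On the constructed events this yields one medium alert for the WS042 discovery burst and one high alert for ntdsutil on DC01; the lone scheduled PowerShell run on WS017 is not flagged.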
The joint advisory was issued by the U.S. National Security Agency, the U.S. Cybersecurity and Infrastructure Security Agency, the FBI, the Australian Signals Directorate’s Australian Cyber Security Centre, the Communications Security Establishment’s Canadian Centre for Cyber Security, the New Zealand National Cyber Security Centre and the United Kingdom National Cyber Security Centre.
A release from Microsoft on the same day as the NSA advisory described how the company “uncovered stealthy and targeted malicious activity focused on post-compromise credential access and network system discovery” aimed at critical U.S. infrastructure.
“The attack is carried out by Volt Typhoon, a state-sponsored actor based in China that typically focuses on espionage and information gathering. Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises,” read the alert from Microsoft.
Volt Typhoon has been active since mid-2021, targeting U.S. infrastructure on Guam and elsewhere, according to the company.
Since it was unleashed by China, Volt Typhoon has targeted companies and entities in the communications, manufacturing, utility, transportation, construction, maritime, government, information technology and education sectors.
“Observed behavior suggests that the threat actor intends to perform espionage and maintain access without being detected for as long as possible,” Microsoft warned.
U.S. Attorney Clare E. Connors told the Star-Advertiser that the U.S. Department of Justice is fully committed to investigating, disrupting and deterring cyberthreats, including those from state-sponsored actors.
“Cyberattacks are often crimes of opportunity, and malicious cyber actors regularly attempt to access computer systems used by public utilities, private businesses and government entities,” Connors said. “I urge victims of cyber incidents to promptly contact the FBI for support and assistance. Early communication is critical to neutralize threats, mitigate damage and bring those responsible to justice.”
———
The Washington Post contributed to this report.