The United States and its Western allies have accused a Chinese-sponsored “cyber actor” of having infiltrated American “critical infrastructure”, allegations firmly denied by Beijing, which denounced a “disinformation campaign” on Thursday May 25. In a joint advisory, cybersecurity authorities in the United States, Canada, the United Kingdom, Australia and New Zealand warned of a malicious “group of activities” associated with “a state-sponsored cyber actor of the People’s Republic of China, also known as Volt Typhoon”.

“This activity affects the networks of critical infrastructure sectors of the United States” and the entity carrying out the attack “could apply the same techniques (…) around the world”, they added. Beijing challenged those charges on Thursday. “This is a report that has serious flaws and is extremely unprofessional,” Mao Ning, a spokeswoman for the Chinese Ministry of Foreign Affairs, reacted during a regular press conference. “It is clear that this is a collective disinformation campaign by the countries of the Five Eyes coalition, launched by the United States for geopolitical purposes,” she continued.

The “Five Eyes” alliance is an intelligence collaboration network that includes Australia, the United States, Canada, the United Kingdom and New Zealand, countries that, to varying degrees, mostly have disputes with China. In a separate press release, the American company Microsoft explained that Volt Typhoon has been active since mid-2021 and that it has targeted, among other things, critical infrastructure on the island of Guam, which hosts a major American military base in the Pacific Ocean. This campaign risks “disrupting critical communications infrastructure between the United States and the Asian region in future crises,” Microsoft warned.

“As everyone knows, the Five Eyes Alliance is the world’s largest intelligence organization, and the (US) National Security Agency (NSA) is the world’s largest hacking organization,” Mao Ning said. “The fact that they are teaming up to publish such a misinformation report is in itself ironic.”

The NSA, often denounced by Beijing, was made famous by one of its former computer scientists, the American Edward Snowden, who revealed the existence of an American system for the global surveillance of communications and in particular the Internet. According to the Western security agencies concerned, the attacks notably use the so-called “Living off the land” (LotL) tactic, whereby the attacker relies on the built-in features and tools of the system being targeted to get in and move around inside it without leaving traces.

“It’s what I would call low and slow cyber activity,” says Alastair MacGibbon, chief strategy officer of Australian firm CyberCX and former director of the Australian Cyber Security Centre. “It’s like someone wearing a camouflage jacket and a sniper rifle. You can’t see it, it’s not there.” Once inside, intruders can steal information, says this expert. “But it also gives them the opportunity to carry out destructive actions at a later stage.”

In particular, the attacker can use legitimate administrative tools to penetrate the system and insert harmful scripts or code. This type of intrusion is much more effective than one relying on malware, because malware is more easily detectable. The Director of the US Cybersecurity and Infrastructure Security Agency, Jen Easterly, also issued a warning about Volt Typhoon. “For years, China has conducted operations around the world to steal intellectual property and sensitive data from critical infrastructure organizations,” said Jen Easterly.
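Because a “living off the land” intruder runs the same built-in administrative binaries as a legitimate administrator, defenders cannot simply block those tools; they have to flag the context in which the tools are launched. The following is an added illustration of that idea, written for this page and not code from any of the agencies, vendors or experts quoted above. It assumes a simplified JSON-lines process-creation log with the fields `ts`, `host`, `user`, `parent`, `image` and `cmdline` (an assumption; real EDR or Sysmon schemas differ), and it scores each launch of a well-known administrative tool on three signals: an unexpected parent process, a user who rarely runs such tooling, and a command line touching a sensitive store. The log lines are constructed for the example.

```python
"""Toy "living off the land" detector over process-creation events.

Added example for this article; not code from any agency or vendor it quotes.
Assumed log schema: one JSON object per line with keys
ts, host, user, parent, image, cmdline (hypothetical, for illustration).
"""
import json
from collections import Counter

# Built-in tools that administrators and intruders both use (publicly documented
# "living off the land" binaries). The binary itself is never the signal.
ADMIN_TOOLS = {"cmd.exe", "powershell.exe", "wmic.exe", "netsh.exe",
               "ntdsutil.exe", "reg.exe"}

# Parents from which launching an admin tool is routine in the assumed environment.
EXPECTED_PARENTS = {"explorer.exe", "services.exe", "cmd.exe",
                    "powershell.exe", "mmc.exe"}

# Command-line fragments that indicate access to credential or network-config stores.
SENSITIVE_FRAGMENTS = ("ntds", "lsass", "portproxy")

# A user seen running admin tooling fewer than this many times is "rare".
RARE_USER_THRESHOLD = 3


def score_event(ev, user_baseline):
    """Return (score, reasons) for one process-creation event dict."""
    reasons = []
    image = ev["image"].lower()
    if image not in ADMIN_TOOLS:
        return 0, reasons                       # ordinary program: nothing to weigh
    if ev["parent"].lower() not in EXPECTED_PARENTS:
        reasons.append(f"unexpected parent {ev['parent']}")
    if user_baseline.get(ev["user"], 0) < RARE_USER_THRESHOLD:
        reasons.append(f"user {ev['user']} rarely runs admin tooling")
    cmd = ev["cmdline"].lower()
    for frag in SENSITIVE_FRAGMENTS:
        if frag in cmd:
            reasons.append(f"sensitive keyword '{frag}' in command line")
    return len(reasons), reasons


def analyze(lines, threshold=2):
    """Parse JSON lines, build a per-user baseline of admin-tool use, and return
    the events whose score reaches the threshold, oldest first."""
    events = [json.loads(line) for line in lines if line.strip()]
    baseline = Counter(ev["user"] for ev in events
                       if ev["image"].lower() in ADMIN_TOOLS)
    flagged = []
    for ev in events:
        score, reasons = score_event(ev, baseline)
        if score >= threshold:
            flagged.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                            "image": ev["image"], "score": score, "reasons": reasons})
    return flagged


# Constructed sample log: a routine administrator plus a web service account that
# suddenly spawns shells and a directory-service tool from the web server process.
_RAW_EVENTS = [
    {"ts": "2023-05-25T08:01:00Z", "host": "WS01", "user": "admin01",
     "parent": "explorer.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"ts": "2023-05-25T08:05:00Z", "host": "WS01", "user": "admin01",
     "parent": "explorer.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c ipconfig"},
    {"ts": "2023-05-25T08:09:00Z", "host": "WS01", "user": "admin01",
     "parent": "explorer.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c hostname"},
    {"ts": "2023-05-25T08:12:00Z", "host": "WS01", "user": "admin01",
     "parent": "mmc.exe", "image": "netsh.exe",
     "cmdline": "netsh.exe advfirewall show allprofiles"},
    {"ts": "2023-05-25T08:15:00Z", "host": "WS01", "user": "admin01",
     "parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"ts": "2023-05-25T23:40:00Z", "host": "WEB02", "user": "svc_web",
     "parent": "w3wp.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"ts": "2023-05-25T23:41:00Z", "host": "WEB02", "user": "svc_web",
     "parent": "w3wp.exe", "image": "ntdsutil.exe",
     "cmdline": "ntdsutil.exe [arguments omitted]"},
]
SAMPLE_LOG = [json.dumps(ev) for ev in _RAW_EVENTS]


if __name__ == "__main__":
    for hit in analyze(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['host']} {hit['user']} {hit['image']} "
              f"score={hit['score']}: {'; '.join(hit['reasons'])}")
```

The administrator’s shells and firewall query score zero because their parent processes and user are routine, while the two launches from the web server process are flagged: each combines an unexpected parent with a user who has almost no history of administrative tooling, and the second also references a directory-service store. In a real deployment the baseline would be built over weeks of telemetry rather than the same batch being scored, and the expected-parent set would be derived per environment.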

The Volt Typhoon case “shows that China is using very sophisticated means to target critical infrastructure in our country,” she added. China regularly claims to be the victim of numerous cyberattacks itself. In September, it notably accused the United States of having carried out “tens of thousands” of attacks against its interests, some of which, according to Beijing, allowed sensitive data to be stolen, in particular from a Chinese research university.