Vole said that the group codenamed "Volt Typhoon" has been around since mid-2021, quietly working to disrupt "critical communications infrastructure between the United States and Asia."
The group has a set-piece method of attack that it has used for some time, and the National Security Agency put out a bulletin detailing how the hack works and how cybersecurity teams should respond.
In an advisory, Microsoft urged impacted customers to "close or change credentials for compromised accounts."
US intelligence agencies became aware of the incursion in February. The infiltration was focused on communications infrastructure in Guam and other parts of the US. It was particularly alarming to US intelligence because Guam sits at the heart of any American military response to an invasion of Taiwan.
Microsoft said Volt Typhoon infiltrates organisations using an unnamed vulnerability in a popular cybersecurity suite called FortiGuard. Once the hacking group has gained access to a corporate system, it steals user credentials from the security suite and uses them to try to gain access to other corporate systems. The state-sponsored hackers aren't looking to create disruption yet, Microsoft said.
Instead, "the threat actor intends to perform espionage and maintain access without being detected for as long as possible." Microsoft said that infrastructure in nearly every critical sector has been impacted, including the communications, transport, and maritime industries. Government organisations were targeted.