While China and the United States routinely spy on each other, analysts say this is one of the largest known Chinese cyber-espionage campaigns against American critical infrastructure.
Chinese foreign ministry spokesperson Mao Ning said on Thursday the hacking allegations were a "collective disinformation campaign" from the Five Eyes countries, a reference to the intelligence sharing grouping of countries made up of the United States, Canada, New Zealand, Australia and the UK.
Mao said the campaign was launched by the U.S. for geopolitical reasons and that the report from Microsoft analysts showed that the U.S. government was expanding its channels of disinformation beyond government agencies.
"But no matter what varied methods are used, none of this can change the fact that the United States is the empire of hacking," she told a regular press briefing in Beijing.
It was not immediately clear how many organizations were affected, but the U.S. National Security Agency (NSA) said it was working with partners including Canada, New Zealand, Australia, and the UK, as well as the U.S. Federal Bureau of Investigation to identify breaches. Canada, UK, Australia and New Zealand warned they could be targeted by the hackers too.
Microsoft analysts said they had "moderate confidence" this Chinese group, which it dubbed as 'Volt Typhoon', was developing capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.
Microsoft said the Chinese hacking group has been active since at least 2021 and has targeted several industries including communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education.
NSA cybersecurity director Rob Joyce said the Chinese campaign was using "built-in network tools to evade our defenses and leaving no trace behind." Such techniques are harder to detect as they use "capabilities already built into critical infrastructure environments," he added.
"It means they are preparing for that possibility," said John Hultquist, who heads threat analysis at Google's Mandiant Intelligence.
The Chinese activity is unique and worrying also because analysts don't yet have enough visibility on what this group might be capable of, he added.
"There is greater interest in this actor because of the geopolitical situation."
Security analysts expect Chinese hackers could target U.S. military networks and other critical infrastructure if China invades Taiwan.
The NSA and other Western cyber agencies urged companies that operate critical infrastructure to identify malicious activity using the technical guidance they issued.
"It is vital that operators of critical national infrastructure take action to prevent attackers hiding on their systems," Paul Chichester, director at the U.K.'s National Cyber Security Centre said in a joint statement with the NSA.