Chinese state-sponsored hackers, known as the “Volt Typhoon” group, have been targeting US critical infrastructure organizations as part of an ongoing intrusion and espionage campaign, according to a report by Microsoft. In a blog post, Microsoft Threat Intelligence stated that the group has been active since 2021 and relies on living-off-the-land techniques, which makes the attacks difficult to detect and mitigate. Microsoft warned that the group routes its activity through office and home office network edge devices, using them as proxies to establish a command and control channel through which it operates while evading detection. The edge devices, which have HTTP or SSH management interfaces exposed to the internet, are manufactured by companies such as Asus, Cisco, D-Link, Netgear, and Zyxel. Microsoft stated that affected organizations span the communications, manufacturing, utility, transportation, maritime, government, IT, and education sectors in the US and Guam.
When discussing the motivation behind the attacks, Microsoft wrote, “Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing the development of capabilities that could disrupt critical communication infrastructure between the United States and Asia region during future crises.” Throughout the blog, Microsoft emphasized that the primary goals of the group are to “perform espionage and maintain access without being detected for as long as possible.” Microsoft found that initial access was obtained through vulnerable Fortinet FortiGuard devices but is still investigating how the attackers compromised those devices. Once inside, the attackers steal the credentials of an Active Directory account, which they then use to attempt to authenticate to other devices on the target network.
Microsoft directly notified affected customers of the Volt Typhoon attacks. As remediation for affected organizations, it called for measures such as enforcing strong multifactor authentication and hardening the Local Security Authority Subsystem Service (LSASS), which Volt Typhoon targets to dump credentials. In addition to Microsoft’s warning, the US National Security Agency (NSA) issued a joint cybersecurity advisory on Volt Typhoon together with the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and partner agencies from the Five Eyes alliance. The advisory described the specific vulnerabilities that Volt Typhoon leverages and provided recommended best practices and threat-hunting techniques.
The NSA and the joint government advisory emphasized Volt Typhoon’s use of living-off-the-land techniques, which allow the threat actors to blend in with normal network activity and evade detection. The advisory called for enterprises to log and monitor command-line execution and Windows Management Instrumentation (WMI) events, and for administrators to restrict proxy usage within their environments, which limits what an attacker can do with stolen credentials. Mandiant Intelligence, part of Google Cloud, observed similar Volt Typhoon activity targeting air, maritime, and land transportation, as well as other organizations. John Hultquist, chief analyst at Mandiant Intelligence, stated that China may be preparing for a disruptive or destructive cyber attack. However, Hultquist said this does not necessarily mean that full attacks are looming; it is nonetheless essential to investigate and prepare for this threat.
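The advisory's call to log and monitor command-line execution and WMI events only pays off if someone actually inspects those logs for the living-off-the-land patterns the article describes: proxy setup on the host, LSASS credential dumping, and remote execution through WMI. The following is an added illustration written for this page, not code from Microsoft, the NSA, or Mandiant. It runs a handful of detection rules over constructed process-creation events shaped loosely like Windows Security event 4688 with command-line auditing enabled; the event field names, the rule set, and every host, user, and command line are assumptions made for the example.

```python
"""Added example: scanning process-creation events for living-off-the-land
patterns named in the Volt Typhoon reporting (host proxies, LSASS dumping,
WMI remote execution). Event shape and rules are illustrative assumptions."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample events, shaped loosely like Windows Security event 4688
# (process creation) with command-line auditing turned on. Not real logs.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c dir C:\\Users"},
    {"host": "ws01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\netsh.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=9999 "
                "connectaddress=192.0.2.10 connectport=8443"},
    {"host": "dc01", "user": "CORP\\svc-backup", "image": "C:\\Tools\\credtool.exe",
     "cmdline": "credtool.exe --dump lsass.exe C:\\Temp\\out.dmp"},  # hypothetical tool name
    {"host": "ws02", "user": "CORP\\helpdesk", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic /node:fs01 process call create \"cmd.exe /c whoami\""},
    {"host": "ws02", "user": "CORP\\helpdesk", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic os get caption"},  # benign local WMI query; must not fire
]


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    rule: str
    cmdline: str


# Each rule: (name, regex applied to the command line, optional regex the
# executing image must match). Names and patterns are this example's own.
RULES = [
    # Proxy configuration on the host itself; the advisory asks admins to
    # restrict proxy usage, so any hit is worth a look even if it is legitimate.
    ("netsh_portproxy", re.compile(r"\bportproxy\b", re.I),
     re.compile(r"netsh\.exe$", re.I)),
    # Anything naming the LSASS process on its command line; Volt Typhoon
    # dumps credentials from LSASS, and normal software rarely references it.
    ("lsass_reference", re.compile(r"\blsass(\.exe)?\b", re.I), None),
    # Remote process creation over WMI, which blends in with admin activity.
    ("wmic_remote_exec",
     re.compile(r"/node:\S+.*\bprocess\b.*\bcall\b.*\bcreate\b", re.I),
     re.compile(r"wmic\.exe$", re.I)),
]


def scan_events(events):
    """Return one Finding per (event, rule) pair whose patterns match."""
    findings = []
    for ev in events:
        for name, cmd_re, image_re in RULES:
            if image_re is not None and not image_re.search(ev["image"]):
                continue
            if cmd_re.search(ev["cmdline"]):
                findings.append(Finding(ev["host"], ev["user"], name, ev["cmdline"]))
    return findings


def findings_per_host(findings):
    """Count findings by host so a triage queue can be prioritised."""
    return dict(Counter(f.host for f in findings))


if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.host:5} {f.user:16} {f.rule:17} {f.cmdline}")
    print(findings_per_host(hits))
```

Because these techniques are living-off-the-land, every rule above can also fire on legitimate administration (port proxies and remote WMI calls are ordinary admin tools), so the output is meant as a triage list carrying host and user context, not as an automatic block. In practice the rules would be tuned against a baseline of the environment's normal command-line activity, and an LSASS hit from a non-security tool or a port proxy on a workstation would be escalated first.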