Microsoft blames China for attacking US critical infrastructure systems

Recent reports suggest that Chinese cybercriminals have deployed malware in critical infrastructure systems in Guam and other parts of the United States. According to tech giant Microsoft and some American intelligence agencies, the malicious activity has been linked to state-sponsored threat actor Volt Typhoon in China. The campaign has been active since mid-2021 and has targeted organizations in different sectors, including communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education.

The campaign’s focus is on post-compromise credential access and network discovery. The attackers have been identified as using a “web shell,” a malicious script that gives them remote access to a server. The malware has been found in home routers and other common internet-connected devices, which makes the intrusion harder to trace. Volt Typhoon issues commands from the command line of an infected system to collect data, including credentials from local and network systems, archives the collected data to stage it for exfiltration, and then uses the retrieved credentials to maintain persistence.

The attackers gain initial access to targeted organizations by exploiting internet-facing Fortinet FortiGuard devices. Microsoft is still examining how Volt Typhoon gains access to these devices. The threat actor attempts to leverage any privileges afforded by the Fortinet device and extracts credentials for an Active Directory account used by the device. It then attempts to authenticate with those credentials to other devices on the network.

The actor routes all of its network traffic to its targets through compromised small office/home office (SOHO) network edge devices such as routers. Microsoft has confirmed that many such devices, including ones made by Asus, Cisco, D-Link, Netgear, and Zyxel, allow their owners to expose HTTP or SSH management interfaces to the internet.

In its post-compromise operations, Volt Typhoon rarely employs malware. Instead, it relies heavily on living-off-the-land commands to search for information on the system, identify other devices connected to the network, and extract data.

As mitigation steps, Microsoft has recommended closing compromised accounts or changing their credentials. To identify affected accounts, it is crucial to detect dumping of the Local Security Authority Subsystem Service (LSASS) process memory and the creation of domain controller installation media, both of which are used to harvest credentials. Examining the activity of compromised accounts for any malicious actions or exposed data has also been advised.
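As an added illustration of the detection step above (not code from the article or from Microsoft), here is a small Python triage routine that flags the two credential-harvesting techniques named, LSASS memory dumping and ntdsutil install-from-media creation, in process-creation records, and lists the host and account behind each hit so those accounts can be rotated. The record layout, rule names and sample command lines are constructed for this example.

```python
import re

# Constructed sample process-creation records in the shape of Windows Security
# event 4688 fields (host, account, command line); they are not from the article.
SAMPLE_EVENTS = [
    {"host": "DC01", "user": "CORP\\svc_edge",
     "cmd": 'C:\\Windows\\System32\\ntdsutil.exe "ac i ntds" "ifm" "create full C:\\Windows\\Temp\\ifm" q q'},
    {"host": "WS07", "user": "CORP\\jdoe",
     "cmd": "RUNDLL32.EXE C:\\Windows\\System32\\comsvcs.dll, MiniDump 652 C:\\Users\\Public\\o.dmp full"},
    {"host": "WS07", "user": "CORP\\jdoe",
     "cmd": "procdump64.exe -accepteula -ma lsass.exe C:\\Users\\Public\\l.dmp"},
    {"host": "DC01", "user": "CORP\\backup_admin",
     "cmd": 'ntdsutil.exe "ac i ntds" "files" "info" q q'},   # ntdsutil without IFM: routine admin use
    {"host": "WS03", "user": "CORP\\admin", "cmd": "tasklist.exe /svc"},
]

# Each rule: (name, regexes that must ALL match the normalised command line).
RULES = [
    ("lsass-dump-procdump", [r"\bprocdump(64)?(\.exe)?\b", r"\blsass(\.exe)?\b"]),
    ("lsass-dump-comsvcs",  [r"\brundll32(\.exe)?\b", r"comsvcs\.dll", r"\bminidump\b"]),
    ("ntds-ifm-media",      [r"\bntdsutil(\.exe)?\b", r"\bifm\b", r"\bcreate\b"]),
]

def normalise(cmd: str) -> str:
    """Lower-case, drop quotes/commas and collapse whitespace so quoting, casing
    or full paths cannot split a token the rule looks for."""
    return re.sub(r"\s+", " ", cmd.replace('"', " ").replace(",", " ")).lower().strip()

def classify(event: dict) -> list[str]:
    """Return the names of every rule the event matches (empty if benign)."""
    cmd = normalise(event["cmd"])
    return [name for name, pats in RULES if all(re.search(p, cmd) for p in pats)]

def triage(events: list[dict]) -> list[tuple[str, str, str]]:
    """Flatten matches into (host, account, rule) so the affected accounts can be
    listed for credential rotation, as the mitigation step requires."""
    return [(e["host"], e["user"], r) for e in events for r in classify(e)]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT host=%s account=%s rule=%s" % hit)
```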

To reduce the risk of compromised legitimate accounts, Microsoft is encouraging customers to implement robust multifactor authentication (MFA) policies that use hardware security keys or Microsoft Authenticator. Passwordless sign-in, password expiration rules, and deactivating unused accounts can also help to mitigate the risks associated with this method of access. Protected Process Light (PPL) for LSASS, Windows Defender Credential Guard, and EDR in block mode are a few licensed solutions that Microsoft has recommended to its users for protection against such attacks.

Guam hosts significant military installations of the United States, including the Andersen Air Force Base, which plays a crucial role in the event of any potential conflicts in the Asia Pacific region, including a move against Taiwan. Therefore, the information being accessed could be lucrative for cybercriminals, even though it is not yet clear what the attackers are after.

This is just one among the many state-sponsored cyberattacks against the US. Irrespective of where the cybercriminals hail from, such breaches are expected to continue. Experts have suggested that bolstering cybersecurity and implementing robust data protection measures will be key to mitigating the risks associated with cyberattacks. The US government will need to work closely with private companies to protect critical infrastructure and data from malicious activity. Strictly enforcing best practices such as credential rotation and MFA is essential and will minimize the risk of major cybersecurity breaches.
