Breaking

Chinese Cyberespionage Group ‘Volt Typhoon’ Targets Critical Infrastructure in the United States

Microsoft has identified a Chinese cyberespionage group known as Volt Typhoon, which has been conducting targeted attacks on critical infrastructure organizations across the United States, including Guam, since mid-2021.

The group’s activities span various sectors, such as government, maritime, communications, manufacturing, information technology, utilities, transportation, construction, and education.

Microsoft’s Threat Intelligence team believes that Volt Typhoon aims to develop capabilities that could disrupt vital communications infrastructure between the United States and Asia during future crises.

Who is Volt Typhoon and what are their targets?

Volt Typhoon is a Chinese cyberespionage group identified by Microsoft. They have been targeting critical infrastructure organizations in the United States, including Guam, since mid-2021.

Their targets encompass sectors like government, maritime, communications, manufacturing, information technology, utilities, transportation, construction, and education.

What is the objective of the Volt Typhoon campaign?

The Volt Typhoon campaign, according to Microsoft’s assessment, aims to develop capabilities that could disrupt critical communications infrastructure between the United States and the Asia region during future crises.

How does Volt Typhoon gain access to targeted networks?

Volt Typhoon initially compromises Internet-exposed Fortinet FortiGuard devices by exploiting an undisclosed zero-day vulnerability.

Once inside the networks, they employ “living-off-the-land” tactics, utilizing hands-on-keyboard activity and living-off-the-land binaries (LOLBins), such as PowerShell, Certutil, Netsh, and the Windows Management Instrumentation Command-line (WMIC).

Which tools does Volt Typhoon employ in their attacks?

In addition to their own tools, Volt Typhoon has been observed using open-source tools like Fast Reverse Proxy (frp), the Mimikatz credential-stealing tool, and the Impacket networking framework.

These details were included in a joint advisory released by the FBI, NSA, CISA, and cybersecurity agencies from Australia, New Zealand, the United Kingdom, and Canada.

How does Volt Typhoon evade detection?

To evade detection, Volt Typhoon utilizes compromised small office and home office (SOHO) network equipment from various manufacturers, including ASUS, Cisco, D-Link, Netgear, FatPipe, and Zyxel. This equipment, such as routers, firewalls, and VPN appliances, enables hackers to blend their malicious activity with legitimate network traffic.

Volt Typhoon Attack Flow (Source: Microsoft)

What privileges do the hackers obtain after compromising Fortinet devices?

Gaining privileged access after compromising Fortinet devices, the hackers extract credentials through the Local Security Authority Subsystem Service (LSASS), which they then leverage to deploy Awen-based web shells.

These web shells facilitate data exfiltration and persistence on compromised systems.

What is the potential motive behind Volt Typhoon’s attacks on US critical infrastructure?

According to Mandiant Intelligence Chief Analyst John Hultquist, these intrusions into US critical infrastructure organizations are likely part of a concerted effort to grant China access in the event of a future conflict between the two countries.

Hultquist suggests that targeting critical infrastructure is a common practice among states as they prepare for possible conflicts.

Is an imminent cyberattack expected from Volt Typhoon?

While the operations conducted by Volt Typhoon are aggressive and potentially dangerous, they do not necessarily indicate an immediate attack.

Similar long-term intrusions into critical infrastructure have been observed in the past by countries like Russia, targeting sectors such as oil and gas. However, these activities serve as preparations rather than indications of imminent attacks.

Microsoft has proactively reached out to the targeted or compromised customers to provide them with the necessary.

Share the article with your friends
William Marshal

William has been one of the key contributors to 'The Cybersecurity Times' with 9.5 years of experience in the cybersecurity journalism. Apart from writing, he also like hiking, skating and coding.

Recent Posts

Best Microsoft Intune Alternatives: Top 5 MDMs to Consider

Explore the top 5 best Microsoft Intune alternatives, comparing key features, user reviews, and capabilities…

1 day ago

Top 7 Best Smartphones with Best Security Features in 2024

Discover the top 7 smartphones of 2024 with best security features, offering privacy, performance, and…

3 weeks ago

Top 11 Log Management Tools for Efficient System Management

Discover the top 11 log management tools for efficient system management and monitoring. Learn about…

2 months ago

Top 5 Threat Intelligence Tools For 2024

Explore the top 5 threat intelligence tools, their features, and how they enhance cybersecurity against…

2 months ago

Privileged Access Management: 5 Best PAM Solutions in the Market

Explore the top 5 best PAM Tools, market trends, and expert insights to secure the…

2 months ago

Apple Device Management: Top Solutions for iOS and macOS Management

Explore the top solutions for Apple Device Management including to iOS Device Management and macOS…

2 months ago