Microsoft has identified a Chinese cyberespionage group known as Volt Typhoon, which has been conducting targeted attacks on critical infrastructure organizations across the United States, including Guam, since mid-2021.
The group’s activities span various sectors, such as government, maritime, communications, manufacturing, information technology, utilities, transportation, construction, and education.
Microsoft’s Threat Intelligence team believes that Volt Typhoon aims to develop capabilities that could disrupt vital communications infrastructure between the United States and Asia during future crises.
Volt Typhoon initially compromises Internet-exposed Fortinet FortiGuard devices by exploiting an undisclosed zero-day vulnerability.
Once inside the networks, they employ “living-off-the-land” tactics, utilizing hands-on-keyboard activity and living-off-the-land binaries (LOLBins), such as PowerShell, Certutil, Netsh, and the Windows Management Instrumentation Command-line (WMIC).
In addition to their own tools, Volt Typhoon has been observed using open-source tools like Fast Reverse Proxy (frp), the Mimikatz credential-stealing tool, and the Impacket networking framework.
These details were included in a joint advisory released by the FBI, NSA, CISA, and cybersecurity agencies from Australia, New Zealand, the United Kingdom, and Canada.
To evade detection, Volt Typhoon utilizes compromised small office and home office (SOHO) network equipment from various manufacturers, including ASUS, Cisco, D-Link, Netgear, FatPipe, and Zyxel. This equipment, such as routers, firewalls, and VPN appliances, enables hackers to blend their malicious activity with legitimate network traffic.
After gaining privileged access through the compromised Fortinet devices, the attackers extract credentials from the Local Security Authority Subsystem Service (LSASS) process and use them to deploy Awen-based web shells.
These web shells provide persistence on the compromised systems and a channel for data exfiltration.
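As an added illustration, not code from Microsoft's report or the joint advisory, the following Python script triages constructed Sysmon-style process events for two of the behaviours described above: an advisory-named living-off-the-land binary spawned by a web-server worker process (a common web-shell indicator) and a process outside an allowlist opening LSASS. The event format, the sample events and the LSASS allowlist are assumptions to be tuned per environment.

```python
import re
from typing import Dict, List, Tuple

# Living-off-the-land binaries named in the joint advisory (image names, lower case).
LOLBINS = {"powershell.exe", "certutil.exe", "netsh.exe", "wmic.exe"}
# Web-server worker processes; a LOLBin spawned by one is a common web-shell indicator.
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "nginx.exe"}
# Processes that normally open LSASS on a Windows host; an assumption, tune per environment.
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}

# Constructed Sysmon-style events (Event 1 = process creation, Event 10 = process access).
SAMPLE_EVENTS = [
    r"EventID=1 Image=C:\Windows\System32\wbem\wmic.exe ParentImage=C:\Windows\System32\inetsrv\w3wp.exe",
    r"EventID=1 Image=C:\Windows\System32\certutil.exe ParentImage=C:\Windows\explorer.exe",
    r"EventID=10 SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\Windows\System32\lsass.exe",
    r"EventID=10 SourceImage=C:\Users\Public\m.exe TargetImage=C:\Windows\System32\lsass.exe",
    r"EventID=1 Image=C:\Windows\System32\netsh.exe ParentImage=C:\Windows\System32\cmd.exe",
]

_PAIR = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Split a 'Key=Value Key=Value' line into a dict (values contain no spaces here)."""
    return dict(_PAIR.findall(line))


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(events: List[str]) -> List[Tuple[str, str]]:
    """Return (rule, event) pairs for events matching the two behaviours above."""
    findings = []
    for line in events:
        ev = parse_event(line)
        if ev.get("EventID") == "1":
            child = image_name(ev.get("Image", ""))
            parent = image_name(ev.get("ParentImage", ""))
            if child in LOLBINS and parent in WEB_WORKERS:
                findings.append(("lolbin-spawned-by-web-worker", line))
        elif ev.get("EventID") == "10":
            source = image_name(ev.get("SourceImage", ""))
            target = image_name(ev.get("TargetImage", ""))
            if target == "lsass.exe" and source not in LSASS_ALLOWLIST:
                findings.append(("unexpected-lsass-access", line))
    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {line}")
```

Running the script prints the two hits (the wmic.exe child of w3wp.exe and the unallowlisted LSASS access); the interactive certutil.exe, netsh.exe and csrss.exe events are left alone.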
According to Mandiant Intelligence Chief Analyst John Hultquist, these intrusions into US critical infrastructure organizations are likely part of a concerted effort to grant China access in the event of a future conflict between the two countries.
Hultquist suggests that targeting critical infrastructure is a common practice among states as they prepare for possible conflicts.
While the operations conducted by Volt Typhoon are aggressive and potentially dangerous, they do not necessarily indicate an immediate attack.
Similar long-term intrusions into critical infrastructure have been observed in the past by countries like Russia, targeting sectors such as oil and gas. However, these activities serve as preparations rather than indications of imminent attacks.
Microsoft has proactively reached out to the targeted or compromised customers to provide them with the necessary.