Microsoft Threat Intelligence has recently revealed a stealthy and targeted cyberattack on critical infrastructure organizations in the United States. The attack is attributed to Volt Typhoon, a state-sponsored actor based in China that is known for its focus on espionage and information gathering. Microsoft assesses with moderate confidence that the campaign aims to develop capabilities that could disrupt critical communications infrastructure between the United States and Asia during future crises.
Volt Typhoon, active since mid-2021, has specifically targeted critical infrastructure organizations in Guam and various locations within the US. The affected sectors include communications, manufacturing, utilities, transportation, construction, maritime, government, information technology, and education. The threat actor’s primary objective appears to be long-term espionage and maintaining undetected access to target networks. Microsoft’s decision to highlight this activity stems from the concern of potential impact on its customers, as well as the need to raise broader awareness and encourage investigations and protections within the security ecosystem.
To achieve their objectives, Volt Typhoon heavily relies on living-off-the-land techniques and hands-on-keyboard activity, prioritizing stealth throughout their campaign. They utilize command-line instructions to collect data and credentials from local and network systems, stage the data for exfiltration, and maintain persistence using stolen valid credentials. Additionally, the threat actor employs compromised small office and home office (SOHO) network equipment, such as routers, firewalls, and VPN hardware, to blend into normal network traffic. Custom versions of open-source tools are also employed to establish a command and control (C2) channel over proxy, allowing them to evade detection more effectively.
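Because the activity described above consists of ordinary command-line tooling run under valid accounts, detection has to look at process command lines and correlate them per account rather than wait for a malicious binary. The following is an added illustration, not code from Microsoft's report or the NSA advisory: a small hunting script that scans constructed Windows process-creation events (4688/Sysmon EventID 1 style) for living-off-the-land patterns of the kinds the summary names (credential collection from the local system or directory, and setting up a proxy for a C2 channel), then flags accounts that touch more than one tactic. The regex rules, the tactic labels, the sample hostnames, users and command lines are all assumptions constructed for the example and are not indicators from the campaign.

```python
"""Added example: per-account hunting over process-creation events for
living-off-the-land patterns. The rules and sample data are constructed
for illustration and are not indicators published about Volt Typhoon."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One Windows process-creation event (4688 / Sysmon EventID 1 style)."""
    timestamp: str
    host: str
    user: str
    parent: str
    cmdline: str


# Rule name -> (regex over the command line, tactic label).
# Assumed patterns for the behaviours described in the text (credential
# collection and proxying), chosen to illustrate the approach, not a
# complete or authoritative rule set.
RULES = {
    "ntds_ifm_dump": (re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b", re.I), "credential-access"),
    "lsass_minidump": (re.compile(r"\bcomsvcs(\.dll)?\b.*\bminidump\b", re.I), "credential-access"),
    "sam_hive_export": (re.compile(r"\breg(\.exe)?\s+save\b.*\\sam\b", re.I), "credential-access"),
    "netsh_portproxy": (re.compile(r"\bnetsh(\.exe)?\b.*\bportproxy\b.*\badd\b", re.I), "proxy-c2"),
}

# Constructed sample telemetry: two benign admin commands mixed with
# three suspicious ones, two of them under the same service account.
SAMPLE_EVENTS = [
    ProcessEvent("2023-05-01T02:13:00Z", "ws01", "CORP\\alice", "explorer.exe",
                 "cmd.exe /c dir C:\\Users\\alice"),
    ProcessEvent("2023-05-01T02:15:41Z", "dc01", "CORP\\svc_backup", "cmd.exe",
                 'ntdsutil.exe ifm "create full C:\\Windows\\Temp\\x"'),
    ProcessEvent("2023-05-01T02:20:05Z", "srv02", "CORP\\svc_backup", "cmd.exe",
                 "netsh.exe interface portproxy add v4tov4 listenport=9999 "
                 "connectaddress=192.0.2.10 connectport=8443"),
    ProcessEvent("2023-05-01T09:00:00Z", "ws07", "CORP\\bob", "powershell.exe",
                 "netsh.exe interface show interface"),
    ProcessEvent("2023-05-01T10:30:00Z", "ws09", "CORP\\carol", "cmd.exe",
                 "rundll32.exe comsvcs.dll MiniDump <pid> C:\\Windows\\Temp\\out.dmp full"),
]


def match_rules(event):
    """Return the names of all rules whose regex matches the command line."""
    return [name for name, (rx, _) in RULES.items() if rx.search(event.cmdline)]


def hunt(events, min_tactics=2):
    """Scan events and return (hits, suspicious_users).

    hits: one (timestamp, host, user, rule) tuple per rule match.
    suspicious_users: accounts whose matches span at least `min_tactics`
    distinct tactics, i.e. the same identity both collecting credentials
    and building a proxy path, which is the multi-stage signal worth
    escalating even though every individual command is a legitimate tool.
    """
    hits = []
    tactics_by_user = defaultdict(set)
    for ev in events:
        for name in match_rules(ev):
            hits.append((ev.timestamp, ev.host, ev.user, name))
            tactics_by_user[ev.user].add(RULES[name][1])
    suspicious = sorted(u for u, t in tactics_by_user.items() if len(t) >= min_tactics)
    return hits, suspicious


if __name__ == "__main__":
    found, accounts = hunt(SAMPLE_EVENTS)
    for ts, host, user, rule in found:
        print(f"{ts} {host:6} {user:18} {rule}")
    print("accounts spanning multiple tactics:", accounts)
```

On the constructed sample, the benign `dir` and `netsh ... show interface` commands produce no hits, the three suspicious commands each match one rule, and only `CORP\svc_backup` is escalated because it alone spans both credential access and proxy setup. In a real environment the same correlation would run over 4688 or Sysmon data with the account as the pivot, since stolen valid credentials rather than a malicious file are what tie the stages together.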
Because Volt Typhoon relies on legitimate accounts and living-off-the-land binaries (LOLBins), detecting and mitigating its attacks poses significant challenges. Compromised accounts need to be closed or their credentials changed. Microsoft recommends a series of mitigation steps and best practices, including strong multi-factor authentication policies, reducing the attack surface, hardening processes such as LSASS, and utilizing cloud-delivered protection.
Microsoft has directly notified targeted or compromised customers, offering essential information to secure their environments. Ongoing monitoring and tracking of Volt Typhoon’s activity and tooling will continue to provide insights for further defenses and response measures. The National Security Agency (NSA) has also released a Cybersecurity Advisory that includes a hunting guide for the tactics, techniques, and procedures (TTPs) discussed in Microsoft’s findings.
The discovery of the Volt Typhoon campaign highlights the persistent and evolving nature of state-sponsored cyber threats targeting critical infrastructure. It underscores the need for constant vigilance, enhanced cybersecurity measures, and industry-wide collaboration to ensure the resilience of critical systems and protect against potential disruptions that could have far-reaching consequences.