A China-based threat actor has targeted critical infrastructure organizations in Guam and elsewhere in the United States since 2021, probably for espionage, says Microsoft.
In research released Wednesday, the company said the group it dubs Volt Typhoon “is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises,” relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity.
Volt Typhoon usually gains initial access to targeted organizations through internet-facing Fortinet FortiGuard devices, Microsoft adds, although exactly how has not been established. If it can, the attacker attempts to leverage any privileges afforded by the Fortinet device, extracts credentials for an Active Directory account used by the device, and then attempts to authenticate to other devices on the network with those credentials.
The gang proxies all its network traffic to its targets through compromised SOHO network edge devices (including routers). Microsoft has confirmed that many of the devices, which include those manufactured by ASUS, Cisco Systems, D-Link, Netgear and Zyxel, expose HTTP or SSH management interfaces to the internet.
Owners of network edge devices should ensure that management interfaces are not exposed to the public internet in order to reduce their attack surface, Microsoft urges. By proxying through these devices, Volt Typhoon enhances the stealth of its operations and lowers the overhead cost of acquiring infrastructure, it notes.
At the same time as the Microsoft report was released, cybersecurity agencies from the Five Eyes intelligence co-operative, including Canada and the U.S., issued an advisory with hunting guidance and associated best practices to help private sector critical infrastructure organizations detect this activity.
Microsoft said affected U.S. organizations span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.
The tactics include issuing commands via the command line to collect data, including credentials from local and network systems, putting the data into an archive file to stage it for exfiltration, and then using the stolen valid credentials to maintain persistence.
“In addition, Volt Typhoon tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware. They have also been observed using custom versions of open-source tools to establish a command and control (C2) channel over proxy to further stay under the radar.”
Some of the built-in Windows tools this actor uses are: wmic, ntdsutil, netsh, and PowerShell, the Five Eyes advisory says.
The name Volt Typhoon comes from Microsoft’s new threat actor naming convention, where groups are named after weather events. Typhoon signifies a group from China.
Mitigating risk from adversaries like Volt Typhoon that rely on valid accounts and living-off-the-land binaries (LOLBins) is particularly challenging, says Microsoft. “Detecting activity that uses normal sign-in channels and system binaries requires behavioral monitoring. Remediation requires closing or changing credentials for compromised accounts,” it says.
Among the recommended defences: Enforce strong multi-factor authentication (MFA) policies using hardware security keys or an authenticator app. Passwordless sign-in, password expiration rules, and deactivating unused accounts can also help mitigate risk, says Microsoft.
The Five Eyes advisory warns infosec leaders that when a threat actor uses living-off-the-land techniques, some command-line activity might appear benign. “Defenders must evaluate matches to determine their significance, applying their knowledge of the system and baseline behavior,” the advisory warns. “Additionally, if creating detection logic based on these commands, network defenders should account for variability in command string arguments, as items such as ports used may be different across environments.”
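The two points the advisory makes, that detection logic for living-off-the-land binaries must tolerate variable arguments and that matches must be weighed against baseline behaviour, can be illustrated with a small behavioural detector run over process-creation events. The following is an added example written for this article; it is not code from Microsoft or from the Five Eyes advisory. The pipe-separated log format, the field names, the host and account baseline, and every command line in the sample events are constructed for the example and do not come from the reporting.

```python
"""Toy behavioural detection over process-creation events for the built-in
Windows tools named in the article (wmic, ntdsutil, netsh, PowerShell).

Added illustration, not code from Microsoft or the Five Eyes advisory.
The log format, field names, baseline and all command lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample events: "host|user|image path|command line".
SAMPLE_EVENTS = [
    # Two netsh port-forwarding commands that differ only in ports and address.
    "WS-1042|corp\\jdoe|C:\\Windows\\System32\\netsh.exe|netsh interface portproxy add v4tov4 listenport=9999 connectport=443 connectaddress=10.1.2.3",
    "WS-1042|corp\\jdoe|C:\\Windows\\System32\\netsh.exe|netsh interface portproxy add v4tov4 listenport=50050 connectport=8443 connectaddress=10.1.9.7",
    # ntdsutil on a file server by an ordinary user: outside any baseline.
    "FS-01|corp\\jdoe|C:\\Windows\\System32\\ntdsutil.exe|ntdsutil.exe <arguments not shown in this constructed sample>",
    # ntdsutil on a domain controller by the backup service account: baseline.
    "DC-01|corp\\svc-backup|C:\\Windows\\System32\\ntdsutil.exe|ntdsutil.exe <arguments not shown in this constructed sample>",
    # wmic aimed at a remote host with a different account than the logged-on user.
    "WS-1042|corp\\jdoe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic /node:10.1.4.20 /user:corp\\svc-backup process list brief",
    # Benign activity that should produce no finding.
    "WS-0007|corp\\asmith|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -File C:\\scripts\\inventory.ps1",
    "WS-0007|corp\\asmith|C:\\Windows\\explorer.exe|explorer.exe",
]

# Argument normalisation: ports, IPv4 addresses and local paths vary per
# environment, so they are replaced with tokens before rules are applied.
PORT_RE = re.compile(r"(?i)\b(listenport|connectport|port)=\d{1,5}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"]+")


def normalize(cmdline: str) -> str:
    """Collapse environment-specific argument values to stable tokens."""
    s = PORT_RE.sub(lambda m: f"{m.group(1).lower()}=<PORT>", cmdline)
    s = IPV4_RE.sub("<IP>", s)
    s = PATH_RE.sub("<PATH>", s)
    return " ".join(s.lower().split())


@dataclass
class Rule:
    name: str
    image: str                      # binary basename, lower case
    pattern: Optional[re.Pattern]   # matched against the normalised command line; None = any use
    severity: str


# Hypothetical rule set for this example; patterns run on normalised text.
RULES = [
    Rule("netsh port forwarding configured", "netsh.exe",
         re.compile(r"portproxy add .*listenport=<port>.*connectport=<port>.*connectaddress=<ip>"), "high"),
    Rule("ntdsutil executed", "ntdsutil.exe", None, "high"),
    Rule("wmic targeting a remote host", "wmic.exe", re.compile(r"/node:"), "high"),
]

# Constructed baseline: (host, account, binary) triples whose use is expected.
BASELINE = {("dc-01", "corp\\svc-backup", "ntdsutil.exe")}


@dataclass
class Event:
    host: str
    user: str
    image: str
    cmdline: str


@dataclass
class Finding:
    rule: str
    severity: str
    host: str
    user: str
    normalized: str


def parse_event(line: str) -> Event:
    host, user, image, cmdline = line.split("|", 3)
    return Event(host.lower(), user.lower(), image.rsplit("\\", 1)[-1].lower(), cmdline)


def evaluate(events: List[str]) -> List[Finding]:
    """Apply the rules; downgrade matches that fit the known baseline."""
    findings = []
    for raw in events:
        ev = parse_event(raw)
        norm = normalize(ev.cmdline)
        for rule in RULES:
            if rule.image != ev.image:
                continue
            if rule.pattern is not None and not rule.pattern.search(norm):
                continue
            severity = rule.severity
            if (ev.host, ev.user, ev.image) in BASELINE:
                severity = "info"  # expected behaviour: keep for audit, do not alert
            findings.append(Finding(rule.name, severity, ev.host, ev.user, norm))
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"[{f.severity:>4}] {f.rule}: {f.host} {f.user} :: {f.normalized}")
```

The two netsh events normalise to the same string, so one rule covers every port and address combination, while the ntdsutil run on the domain controller by the backup account is kept as an informational record rather than an alert because it matches the recorded baseline.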