On May 24, Microsoft released a blog report on its website that they have “…uncovered stealthy and targeted malicious activity focused on post-compromise credential access and network system discovery aimed at critical infrastructure organisations in the United States”. They alleged that a Chinese state-sponsored group, “Volt Typhoon”, was behind this attack, and it focused on “espionage” and “information gathering”.
According to Microsoft, the hacking group Volt Typhoon is developing “…capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises”.
Microsoft claimed that this group infects their target’s existing computers to uncover information and retrieve data instead of utilising conventional hacking approaches, which often entail duping a victim into downloading malicious files.
The tech-giant has been tracking this hacking group for quite some time. This group has been active since mid-2021 and “…targeted critical infrastructure organisations in Guam and elsewhere in the United States”. These affected organisations belonged to various different sectors such as communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education. Though it is unclear how many organisations were impacted.
Microsoft said in its report that “mitigating this attack could be challenging”. The US National Security Agency (NSA) released a Cybersecurity Advisory (CSA) titled “People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection” on May 24. The agency stated that they’re trying to identify breaches by working with their partners, including Canada, New Zealand, Australia, and the United Kingdom.
The agencies of these partner countries involved in “hunting” and “detecting” this attack are as follows:
• US Cybersecurity and Infrastructure Security Agency (CISA)
• US Federal Bureau of Investigation (FBI)
• Australian Cyber Security Centre (ACSC)
• Canadian Centre for Cyber Security (CCCS)
• New Zealand National Cyber Security Centre (NCSC-NZ)
• United Kingdom National Cyber Security Centre (NCSC-UK)
Despite the fact that Chinese hackers are known to spy on Western nations, this is one of the largest documented cyber espionage missions targeting American critical infrastructure, as per the reports. CISA Director Jen Easterly said, “For years, China has conducted operations worldwide to steal intellectual property and sensitive data from critical infrastructure organisations around the globe”.
In a statement NSA Cybersecurity Director Rob Joyce said, “A PRC (People’s Republic of China) state-sponsored actor is living off the land, using built-in network tools to evade our defenses and leaving no trace behind”.
The FBI’s Cyber Division Assistant Director Bryan Vorndran stated it would continue “…to warn against China engaging in malicious activity with the intent to target critical infrastructure organisations and use identified techniques to mask their detection”. He added, “We, along with our federal and international partners, will not allow the PRC (People’s Republic of China) to continue to use these unacceptable tactics”.
The NCSC Director of Operations, Paul Chichester, urged UK essential service providers to take action against attackers and follow their guidance “… to help detect this malicious activity and prevent persistent compromise”.
The Head of the Canadian Centre for Cyber Security, Sami Khoury, highlights the importance of working together against this threat, “The interconnected nature of our infrastructures and economies highlights the importance of working together with our allies to identify and share real-time threat information”.
The CSA also mentioned that “their (Volt Typhoon) primary tactics, techniques, and procedures (TTP) of living off the land, the PRC actor uses tools already installed or built into a target’s system. This allows the actor to evade detection by blending in with normal Windows systems and network activities, avoiding endpoint detection and response (EDR) products, and limiting the amount of activity that is captured in default logging configurations”.
The NSA advises network defenders to use the CSA’s detection and hunting guidance, “…such as logging and monitoring of command line execution and WMI events, as well as ensuring log integrity by using a hardened centralised logging server, preferably on a segmented network”.