A Chinese nation-state threat group is conducting intrusion and espionage campaigns against U.S. critical infrastructure entities, according to a new report by Microsoft.
In a blog post Wednesday, Microsoft Threat Intelligence detailed the ongoing campaign that involves a group of Chinese state-sponsored hackers it tracks as "Volt Typhoon" that's been active since 2021. Because the campaign leverages living-off-the-land techniques and rarely uses malware, Microsoft warned that detecting and mitigating the attack presents challenges for enterprises.
Microsoft discovered the initial access point for the attacks was vulnerable Fortinet FortiGuard devices, though the company said it was still investigating how Volt Typhoon actors gained access to the devices. To further evade detection, Volt Typhoon used a variety of small office/home office network edge devices, including routers, firewalls and VPN hardware, as proxies to conduct these campaigns.
Microsoft warned that many of these edge devices, which include those manufactured by Asus, Cisco, D-Link, Netgear and Zyxel, allow owners to expose HTTP or SSH management interfaces to the internet, which leaves them vulnerable to compromise, often without the owner's knowledge. The threat actors use the proxies to establish a command and control channel that blends in with normal network activity and evades detection.
The blog post also addressed attack motivation. "Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises," Microsoft wrote in the blog post.
While tracking the campaign, Microsoft observed that Volt Typhoon threat actors prioritized stealth by relying on living-off-the-land techniques and hands-on-keyboard activity with open source tools and command-line actions. Those tactics are employed to gain post-compromise credential access and network system discovery on victim machines.
Throughout the blog, Microsoft emphasized that Volt Typhoon's primary goals are to "perform espionage and maintain access without being detected for as long as possible." Affected organizations in the U.S. and Guam include communications, manufacturing, utility, transportation, maritime, government, IT and education sectors.
If they are successful in compromising a Fortinet device, Volt Typhoon actors then steal credentials for an Active Directory account and use them to try to authenticate to other devices on the network.
"In most cases, Volt Typhoon accesses compromised systems by signing in with valid credentials, the same way authorized users do. However, in a small number of cases, Microsoft has observed Volt Typhoon operators creating proxies on compromised systems to facilitate access," the blog post read.
Microsoft said it directly notified customers affected by Volt Typhoon campaigns.
Remediation for affected organizations requires closing or changing credentials for compromised accounts. To defend against the ongoing threat, Microsoft recommended implementing strong multifactor authentication and hardening the Local Security Authority Subsystem Service (LSASS), which Volt Typhoon used to dump credentials.
Government agencies issue advisory
Concurrent with Microsoft's blog post Wednesday, the U.S. National Security Agency (NSA) issued a joint cybersecurity advisory on Volt Typhoon along with CISA, the FBI and government agencies of the Five Eyes Alliance. In addition to indicators of compromise and tactics, techniques and procedures (TTPs), the advisory also provided threat-hunting techniques and recommended best practices.
The advisory listed specific vulnerabilities the attackers have exploited. The first is an authentication bypass vulnerability in Zoho ManageEngine tracked as CVE-2021-40539. The second is a vulnerability in the web management interface of certain FatPipe software that was assigned CVE-2021-27860. Both flaws received a critical 9.8 CVSS score and were patched in 2021.
Like Microsoft, the government advisory also emphasized how the attackers employ living-off-the-land techniques to be stealthy.
"This TTP allows the actor to evade detection by blending in with normal Windows system and network activities, avoid endpoint detection and response (EDR) products that would alert on the introduction of third-party applications to the host, and limit the amount of activity that is captured in default logging configurations," the NSA wrote in the advisory.
The NSA said enterprises should be logging and monitoring command-line execution and Windows Management Instrumentation (WMI) events. To address the threat of stolen credentials, the advisory said administrators should limit proxy usage within environments.
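The two sets of recommendations above, hardening LSASS against credential dumping and logging command-line execution and WMI events, translate into a small Windows configuration baseline. The following script is an added example written for this article; it is not code from Microsoft, the NSA or the joint advisory. The registry paths, value names, audit subcategory and event channel are the standard Windows ones; the `Get-SuspiciousProcessEvents` function, its `$LookbackHours` parameter and the `lsass` keyword match are assumptions made for illustration. It must be run from an elevated PowerShell session, and the LSA Protection change takes effect only after a reboot.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or the advisory): a logging and
# hardening baseline that maps to the recommendations quoted above.

# 1. Audit process creation (Security event ID 4688) and include the full
#    command line in each event, so living-off-the-land activity driven from
#    the command line is captured by default logging.
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 2. Make sure the WMI activity channel is enabled so WMI-based execution
#    shows up in the event log alongside the 4688 events.
wevtutil sl 'Microsoft-Windows-WMI-Activity/Operational' /e:true

# 3. Run LSASS as a protected process (LSA Protection, RunAsPPL). This blocks
#    unsigned code from opening LSASS memory, which is what credential dumping
#    relies on. Test before wide rollout: some legacy authentication packages
#    and drivers are incompatible with PPL. Requires a reboot.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $lsaKey -Name 'RunAsPPL' -Value 1 -Type DWord

# 4. Hypothetical verification helper: pull recent process-creation events and
#    surface any whose command line references lsass. On a normal host this
#    should return nothing; a hit is worth an analyst's look given the
#    credential-dumping behaviour described in the article.
function Get-SuspiciousProcessEvents {
    param([int]$LookbackHours = 24)   # assumed default window for this example
    $since = (Get-Date).AddHours(-$LookbackHours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'lsass' } |
        Select-Object TimeCreated, Id,
            @{ Name = 'CommandLine'; Expression = {
                # The 4688 message body carries a "Process Command Line:" line; extract it.
                (($_.Message -split "`r?`n") | Where-Object { $_ -match 'Process Command Line' }) -join ' '
            } }
}

# Report the current state of the two registry settings and any hits.
Get-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled'
Get-ItemProperty -Path $lsaKey -Name 'RunAsPPL'
Get-SuspiciousProcessEvents -LookbackHours 24 | Format-Table -AutoSize
```

Step 1 is what makes the "monitor command-line execution" advice actionable: without `ProcessCreationIncludeCmdLine_Enabled`, event 4688 records only the image path, and the command-line arguments that distinguish routine administration from hands-on-keyboard activity are lost. Forwarding these events off the host to a central collector is what keeps them available if the host itself is later compromised.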
Mandiant said it also observed Volt Typhoon activity. John Hultquist, chief analyst at Mandiant Intelligence, part of Google Cloud, said the vendor recognized the threat group from a series of intrusions targeting air, maritime and land transportation, as well as other organizations. Like Microsoft, Hultquist said the state-sponsored actors might be preparing for a disruptive or destructive cyber attack.
"States conduct long-term intrusions into critical infrastructure to prepare for possible conflict because it may simply be too late to gain access when conflict arises," Hultquist said in an email to TechTarget Editorial. "Similar contingency intrusions are regularly conducted by states. Over the last decade, Russia has targeted a variety of critical infrastructure sectors in operations that we do not believe were designed for immediate effect. China has done the same in the past, targeting the oil and gas sector."
While the intrusion campaign might be aggressive and potentially dangerous, Hultquist said it doesn't necessarily indicate full attacks are looming. A deteriorating geopolitical situation would be a better indicator of potential attacks, he said.
"A destructive and disruptive cyber attack is not just a wartime scenario either. This capability may be used by states looking for alternatives to armed conflict," Hultquist said. "Chinese cyberthreat actors are unique among their peers in that they have not regularly resorted to destructive and disruptive cyber attacks. As a result, their capability is quite opaque. This disclosure is a rare opportunity to investigate and prepare for this threat."
Arielle Waldman is a Boston-based reporter covering enterprise security news.