With tensions rising in the South China Sea, there are fears a China-linked advanced persistent threat group’s (APT) infiltration of critical U.S. infrastructure could be a precursor to an attack on Western military communication links in Asia.
Microsoft has discovered a “stealthy and targeted” campaign affecting organizations across a range of industries, carried out by what it says is a state-sponsored China-based APT group.
The group, which Microsoft calls Volt Typhoon, has been active since mid-2021 and has successfully targeted critical infrastructure organizations in Guam and elsewhere in the United States.
“Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises,” the company said in an advisory issued May 24.
Organizations affected by Volt Typhoon’s campaign cover a range of sectors including communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education, Microsoft said.
The Cybersecurity and Infrastructure Security Agency, in conjunction with several security agencies in the U.S. and overseas, issued a tandem Volt Typhoon advisory on May 24, providing additional details on how to hunt for the threat.
The group’s targeting of infrastructure organizations in Guam has raised concerns given the island’s strategic significance as a U.S. military base close to Taiwan, at a time when there are heightened military tensions between China and the West.
“Observed behavior suggests that the threat actor intends to perform espionage and maintain access without being detected for as long as possible,” Microsoft’s advisory said.
There are fears Volt Typhoon’s campaign could culminate in a cyberattack aimed at cutting communications in order to disrupt the U.S.’s ability to respond to a Chinese military action against Taiwan.
John Hultquist, chief analyst at Mandiant Intelligence — Google Cloud, said while Volt Typhoon’s actions could indicate the group was preparing for a disruptive or destructive cyberattack, such an attack was not necessarily imminent.
“Preparation does not mean attacks are inevitable. States conduct long-term intrusions into critical infrastructure to prepare for possible conflict, because it may simply be too late to gain access when conflict arises,” he said.
“These operations are aggressive and potentially dangerous, but they don't necessarily indicate attacks are looming. A far more reliable indicator for destructive and disruptive cyberattack is a deteriorating geopolitical situation. A destructive and disruptive cyberattack is not just a wartime scenario either. This capability may be used by states looking for alternatives to armed conflict.”
Hultquist said unlike other cyber-aggressive nation-states, China did not regularly resort to destructive and disruptive cyberattacks. “As a result, their capability is quite opaque. This disclosure is a rare opportunity to investigate and prepare for this threat.”
Volt Typhoon’s attack chain
According to Microsoft, the threat actor puts strong emphasis on stealth, relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity.
To remain undetected for as long as possible and so exfiltrate as much data as it could, the group went as far as routing its traffic through compromised small office and home office (SOHO) network equipment, such as routers, firewalls, and VPN hardware, so that it blended in with normal network traffic. Such devices have quickly become weak points in the cyber defenses of many organizations as the COVID-19 pandemic pushed more employees to work from home.
Volt Typhoon gains initial access to organizations through internet-facing Fortinet FortiGuard devices. While Microsoft said it was still investigating exactly how access was gained, Fortinet devices have previously been targeted by attack groups.
“The threat actor attempts to leverage any privileges afforded by the Fortinet device, extracts credentials to an Active Directory account used by the device, and then attempts to authenticate to other devices on the network with those credentials,” Microsoft said.
After gaining access, the group focused on “hands-on-keyboard activity,” issuing commands via the command line to collect data and credentials, and move them to archive files for exfiltration, while using stolen credentials to maintain persistence.
Microsoft said it had observed Volt Typhoon discovering system information, including file system types, drive names, size, and free space, running processes, and open networks.
“They also attempt to discover other systems on the compromised network using PowerShell, Windows Management Instrumentation Command-line (WMIC), and the ping command,” Microsoft said.
Hardening defenses to mitigate third-party risk
Bob Kolasky, a former director of the National Risk Management Center at the Department of Homeland Security, told SC Media that while government officials have been preparing for a generic scenario similar to what Microsoft reported, the evidence that Chinese actors are living off the land “indicates a possible escalation of China’s intent and capability” related to Beijing’s interests in Asia.
“The actual functioning of critical infrastructure is not easy to understand and for adversaries to be successful at causing mass effect they need to spend time understanding particular systems,” said Kolasky, now a senior vice president for critical infrastructure at private firm Exiger. “This drawn out activity, intended to avoid detection, suggests the Chinese are doing just that.”
Many national security functions in the United States still rely on “outside the fence line” services provided by third parties, and those services often result in weak points or areas of entry for state-aligned hackers to attack. The U.S. government has worked to build redundancy and contingency plans for some of these functions, but they remain vulnerable to a dedicated and sophisticated adversary.
“This is particularly true as it relates to means of moving goods and people and command and control communications. Disruptions in either of these areas impact logistical supply chains and potential response and recovery activity,” said Kolasky.
The incident has gained the attention of legislators responsible for oversight over critical infrastructure. In a statement, House Homeland Security Committee chair Mark Green, R-Tenn., and its cyber subcommittee chair Andrew Garbarino, R-N.Y., said they have requested a briefing from the administration to better understand the scope of the malicious activity and how executive branch agencies are responding.
“Our committee is charged with securing the homeland, and we must be nimble to address the increasingly complex threats we face within the cyber domain. It is extremely concerning to see adversaries using built-in network administration tools within domestic infrastructure to carry out these attacks,” Green and Garbarino said. “Critical infrastructure owners and operators across the U.S. should implement the mitigation recommendations listed in the advisory as soon as possible to prevent cascading impacts across these critical sectors that support our economy and way of life.”
Protecting against Volt Typhoon attacks
Due to the group’s use of valid accounts and living-off-the-land binaries, detecting and mitigating the type of attacks Volt Typhoon carried out was “particularly challenging,” Microsoft warned.
“Detecting activity that uses normal sign-in channels and system binaries requires behavioral monitoring. Remediation requires closing or changing credentials for compromised accounts.”
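The behavioral monitoring Microsoft calls for here, applied to the PowerShell, WMIC and ping discovery activity described in the attack chain above, can be turned into a concrete rule. The following is an added example, not code from Microsoft, CISA or the advisory: it runs over constructed Sysmon-style process-creation events and flags a parent process whose children span three different discovery binaries within ten minutes, since any one of those commands alone is routine administration. The svc_fortigate account, host names, window and threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery binaries the advisory names (PowerShell, WMIC, ping); matched
# case-insensitively on the image file name so path casing does not matter.
DISCOVERY_BINARIES = {"powershell.exe", "wmic.exe", "ping.exe"}

# Constructed Sysmon-style process-creation events, not real telemetry:
# (timestamp, host, user, parent process id, image path, command line).
# The svc_fortigate account name is a hypothetical stand-in for the Active
# Directory account the advisory says is used by the Fortinet device.
SAMPLE_EVENTS = [
    ("2023-05-24T02:10:09", "srv01", "CORP\\svc_fortigate", 4120,
     r"C:\Windows\System32\wbem\WMIC.exe", "wmic logicaldisk get name,size,freespace"),
    ("2023-05-24T02:10:40", "srv01", "CORP\\svc_fortigate", 4120,
     r"C:\Windows\System32\PING.EXE", "ping -n 1 10.0.0.12"),
    ("2023-05-24T02:12:02", "srv01", "CORP\\svc_fortigate", 4120,
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell Get-Process"),
    # Normal admin use: a single ping, and a PowerShell run two hours after a WMIC call.
    ("2023-05-24T09:00:00", "ws07", "CORP\\alice", 2200,
     r"C:\Windows\System32\PING.EXE", "ping fileserver"),
    ("2023-05-24T11:00:00", "srv02", "CORP\\bob", 3100,
     r"C:\Windows\System32\wbem\WMIC.exe", "wmic os get caption"),
    ("2023-05-24T13:00:00", "srv02", "CORP\\bob", 3100,
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell Get-Date"),
]

def detect_lotl_discovery(events, window=timedelta(minutes=10), min_distinct=3):
    """Return one alert per (host, user, parent pid) whose child processes cover
    at least `min_distinct` different discovery binaries inside `window`.
    Single uses of any one binary are left alone; the signal is the cluster."""
    groups = defaultdict(list)
    for ts, host, user, ppid, image, cmdline in events:
        name = image.rsplit("\\", 1)[-1].lower()
        if name in DISCOVERY_BINARIES:
            groups[(host, user, ppid)].append((datetime.fromisoformat(ts), name, cmdline))
    alerts = []
    for (host, user, ppid), hits in groups.items():
        hits.sort()
        for i, (t0, _, _) in enumerate(hits):  # slide the window over each start time
            in_window = [h for h in hits[i:] if h[0] - t0 <= window]
            names = {h[1] for h in in_window}
            if len(names) >= min_distinct:
                alerts.append({"host": host, "user": user, "parent_pid": ppid,
                               "binaries": sorted(names),
                               "commands": [h[2] for h in in_window]})
                break  # one alert per parent shell is enough
    return alerts
```

Calling `detect_lotl_discovery(SAMPLE_EVENTS)` yields a single alert for the srv01 cluster and nothing for the two ordinary administrative uses.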
Multi-factor authentication would reduce the risk of valid accounts being compromised, Microsoft said.
“Passwordless sign-in, password expiration rules, and deactivating unused accounts can also help mitigate risk from this access method.”
If accounts were compromised, they should be examined for any activity indicating malicious actions had been taken or data exposed.