Microsoft said on Wednesday that Chinese state-sponsored hackers attacked “critical” U.S. cyber infrastructure.
“Microsoft has uncovered stealthy and targeted malicious activity focused on post-compromise credential access and network system discovery aimed at critical infrastructure organizations in the United States,” Microsoft wrote.
The cyber attack reportedly was carried out by a hacking group called “Volt Typhoon,” which usually focuses on espionage and information gathering.
“Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises,” Microsoft added.
Volt Typhoon, a Chinese state-sponsored actor, uses living-off-the-land (LotL) and hands-on-keyboard TTPs to evade detection and persist in an espionage campaign targeting critical infrastructure organizations in Guam and the rest of the United States. https://t.co/FZxjfiA0Hw
— Microsoft Threat Intelligence (@MsftSecIntel) May 24, 2023
From Microsoft:
Volt Typhoon has been active since mid-2021 and has targeted critical infrastructure organizations in Guam and elsewhere in the United States. In this campaign, the affected organizations span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. Observed behavior suggests that the threat actor intends to perform espionage and maintain access without being detected for as long as possible.
To achieve their objective, the threat actor puts strong emphasis on stealth in this campaign, relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity. They issue commands via the command line to (1) collect data, including credentials from local and network systems, (2) put the data into an archive file to stage it for exfiltration, and then (3) use the stolen valid credentials to maintain persistence. In addition, Volt Typhoon tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware. They have also been observed using custom versions of open-source tools to establish a command and control (C2) channel over proxy to further stay under the radar.
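As an added example (not code from Microsoft's report or from this article), the following script shows how a defender might search process-creation telemetry for the sequence the excerpt describes: a command-line credential collection followed, on the same host and within a short window, by an archiving command used to stage the data. The tool watchlists, hosts, users and log events are constructed assumptions, not indicators from the advisory.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed watchlists (hypothetical, not indicators from the advisory):
# (image, required command-line substring) for built-in credential collection,
# and images commonly used to stage collected data in an archive.
CRED_RULES = [("ntdsutil.exe", "ifm"), ("reg.exe", "save")]
ARCHIVERS = {"7z.exe", "tar.exe", "makecab.exe"}
WINDOW = timedelta(minutes=30)

# Constructed process-creation events: (timestamp, host, user, image, command line)
EVENTS = [
    ("2023-05-24T10:01:00", "dc01", "svc_backup", "ntdsutil.exe",
     'ntdsutil "ac i ntds" ifm "create full C:\\Windows\\Temp\\pro" q q'),
    ("2023-05-24T10:07:30", "dc01", "svc_backup", "7z.exe", "7z a C:\\Windows\\Temp\\pro.7z C:\\Windows\\Temp\\pro"),
    ("2023-05-24T11:00:00", "ws07", "alice", "tar.exe", "tar -cf reports.tar reports"),
    ("2023-05-24T13:00:00", "fs02", "bob", "reg.exe", "reg save hklm\\sam sam.hiv"),
    ("2023-05-24T14:30:00", "fs02", "bob", "7z.exe", "7z a out.7z sam.hiv"),  # 90 min later: outside window
]

def parse(ev):
    """Normalise one raw event tuple into a dict with a real timestamp."""
    ts, host, user, image, cmd = ev
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "image": image.lower(), "cmd": cmd.lower()}

def is_cred_access(e):
    """True when the image and command line match one of the credential rules."""
    return any(e["image"] == img and kw in e["cmd"] for img, kw in CRED_RULES)

def find_staging_sequences(events, window=WINDOW):
    """Return (host, user, cred_ts, archive_ts) for each credential-collection
    event that an archiver followed on the same host within `window`."""
    by_host = defaultdict(list)
    for e in map(parse, events):
        by_host[e["host"]].append(e)
    hits = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, a in enumerate(evs):
            if not is_cred_access(a):
                continue
            for b in evs[i + 1:]:
                if b["ts"] - a["ts"] > window:
                    break  # events are sorted, so nothing later can be in the window
                if b["image"] in ARCHIVERS:
                    hits.append((host, a["user"], a["ts"].isoformat(), b["ts"].isoformat()))
    return hits

if __name__ == "__main__":
    for hit in find_staging_sequences(EVENTS):
        print("credential collection followed by archiving:", hit)
```

Only the dc01 pair is reported; the fs02 pair falls outside the window and the ws07 archive has no preceding credential-access command.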
The National Security Agency @NSACyber has released a Cybersecurity Advisory with additional information and hunting guide for Volt Typhoon TTPs: https://t.co/BLoh7f6fzK
— Microsoft Threat Intelligence (@MsftSecIntel) May 24, 2023
The National Security Agency published this press release:
The National Security Agency (NSA) and partners have identified indicators of compromise (IOCs) associated with a People’s Republic of China (PRC) state-sponsored cyber actor using living off the land techniques to target networks across U.S. critical infrastructure.
“Cyber actors find it easier and more effective to use capabilities already built into critical infrastructure environments. A PRC state-sponsored actor is living off the land, using built-in network tools to evade our defenses and leaving no trace behind,” said Rob Joyce, NSA Cybersecurity Director. “That makes it imperative for us to work together to find and remove the actor from our critical networks.”
To assist network defenders to hunt and detect this type of PRC actor malicious activity on their systems, NSA is leading U.S. and Five Eyes partner agencies in publicly releasing the “People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection” Cybersecurity Advisory (CSA) today.
According to CNBC, U.S. intelligence agencies became aware of the cyber-attacks around the same time a Chinese spy balloon soared across the United States.
From CNBC:
U.S. intelligence agencies became aware of the incursion in February, around the same time that a Chinese spy balloon was downed, the New York Times reported.
The infiltration was focused on communications infrastructure in Guam and other parts of the U.S., the Times reported, and was particularly alarming to U.S. intelligence because Guam sits at the heart of an American military response in case of a Taiwanese invasion.
Volt Typhoon is able to infiltrate organizations using an unnamed vulnerability in a popular cybersecurity suite called FortiGuard, Microsoft said. Once the hacking group has gained access to a corporate system, it steals user credentials from the security suite and uses them to try to gain access to other corporate systems.
The state-sponsored hackers aren’t looking to create disruption yet, Microsoft said. Rather, “the threat actor intends to perform espionage and maintain access without being detected for as long as possible.”
Infrastructure in nearly every critical sector has been impacted, Microsoft said, including the communications, transport, and maritime industries. Government organizations were also targeted.
Chinese government-backed hackers have targeted critical and sensitive information from U.S. companies before. Covington and Burling, a prominent law firm, was hacked by suspected Chinese state-sponsored hackers in 2020.
Earlier this week, reports broke that U.S. senators received satellite phones in case of a “disruptive event.”
Not to mention this creepy example of 'misinformation' used by the FDA.
Is there a legitimate threat from a Chinese state-sponsored actor?
Or, could the U.S. government be prepping the population for a false flag event?