Chinese State Hackers Launch Covert Operations Targeting Critical Infrastructure in the US and Guam

by Sneha Singh
May 26, 2023
in Tech

On Wednesday, Microsoft and government agencies from the US and four other nations disclosed that a Chinese government-backed hacking group has established a significant presence within critical infrastructure systems across the US and Guam. Operating under the name Volt Typhoon, the group has conducted covert operations over the past two years focused on espionage and acquiring sensitive information for the People’s Republic of China.

To keep their operations stealthy, the hackers have employed a technique called “living off the land,” using tools and functionality already present on compromised devices. By controlling infected systems manually rather than relying on automated malware, the hackers have evaded detection for an extended period. The severity of the situation prompted Microsoft, alongside the US Cybersecurity and Infrastructure Security Agency (CISA), the US Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), and the United Kingdom National Cyber Security Centre (NCSC-UK), to issue a joint advisory detailing the campaign.

The revelation of this successful infiltration raises concerns about the extent of espionage activities carried out by state-sponsored hacking groups, highlighting the ongoing importance of robust cybersecurity measures within critical infrastructure sectors.

Sophisticated Use of Compromised Routers to Mask Communications Origins

In addition to living off the land, the hackers concealed their actions by using compromised home and small-office routers as intermediary infrastructure. Routing communications with infected computers through these devices made the traffic appear to originate from local internet service providers (ISPs) in specific geographic areas. Microsoft’s advisory highlighted this as one of the more sophisticated methods the group uses to obfuscate its activity.

Credits: Investing.com

Microsoft’s advisory researchers wrote, “To achieve their objective, the threat actor puts strong emphasis on stealth in this campaign, relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity. They issue commands via the command line to (1) collect data, including credentials from local and network systems, (2) put the data into an archive file to stage it for exfiltration, and then (3) use the stolen valid credentials to maintain persistence. In addition, Volt Typhoon tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware. They have also been observed using customized versions of open-source tools to establish a command and control (C2) channel over proxy to further stay under the radar.”

According to Microsoft researchers, the Volt Typhoon campaign aims to develop capabilities that could potentially disrupt critical communications infrastructure between the United States and the Asia region in future crises. The strategic importance of Guam, with its Pacific ports and air base, has made it a focal point as tensions surrounding Taiwan continue to simmer.

Exploitation of Fortinet FortiGuard Devices and Compromised Routers as Key Entry Points

The hackers’ initial entry point is the exploitation of vulnerabilities in internet-facing Fortinet FortiGuard devices, which have become a common target for network intrusions in recent years. Unpatched devices allow the hackers to extract credentials from a network’s Active Directory, the directory that stores usernames, password hashes, and other sensitive data for all user accounts. The compromised credentials are then used to move to and infect other devices within the network.

Volt Typhoon uses compromised small-office/home-office (SOHO) network edge devices, including routers, to obfuscate its activity by proxying all network traffic towards its targets, so attacks appear to come from these compromised devices rather than from the group’s own infrastructure. Microsoft’s advisory also notes that devices from several well-known manufacturers, including ASUS, Cisco, D-Link, NETGEAR, and Zyxel, may expose HTTP or SSH management interfaces to the internet, providing potential points of entry for the hackers.

The remainder of the advisory primarily focuses on providing indicators of compromise that network administrators can use to determine whether their networks have been infected. These indicators serve as valuable insights to aid in detecting and mitigating the Volt Typhoon campaign.

Numerous industries have been affected by the Volt Typhoon campaign, including the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. The advisories offer comprehensive guidance on disinfecting compromised networks in these industries, helping affected organizations identify and remove Volt Typhoon from their networks and restore network security and integrity.

Sneha Singh

Sneha is a skilled writer with a passion for uncovering the latest stories and breaking news. She has written for a variety of publications, covering topics ranging from politics and business to entertainment and sports.
