Microsoft has recently unearthed a sophisticated and targeted cyberattack carried out by a Chinese state-sponsored group called Volt Typhoon. The attack specifically targets critical infrastructure organizations in the United States, with the aim of gaining unauthorized access and conducting espionage activities. Microsoft’s assessment indicates that Volt Typhoon is developing capabilities that could potentially disrupt crucial communications infrastructure between the United States and the Asia region during future crises.
Volt Typhoon has been active since mid-2021 and has previously targeted critical infrastructure organizations in Guam and other parts of the United States. The affected organizations span various sectors, including communications, manufacturing, utilities, transportation, construction, maritime, government, information technology, and education. The group’s behaviour suggests a focus on long-term access and espionage, aiming to remain undetected within target networks.
To achieve their objectives, Volt Typhoon employs stealthy tactics and heavily relies on living-off-the-land techniques, utilizing existing tools and legitimate processes within compromised systems. They collect data, including credentials, from both local and network systems, archive the data for exfiltration, and use stolen credentials to maintain persistence within the network.
Additionally, the group camouflages its activities by routing network traffic through compromised small office and home office (SOHO) network equipment, such as routers, firewalls, and VPN hardware. They have also been observed using customized versions of open-source tools to establish command and control channels, further evading detection.
China’s Response to the Allegations
Following Microsoft’s report, China has vehemently denied the allegations. The Chinese government dismissed the report as “extremely unprofessional” and accused the United States and its Western allies of engaging in a collective disinformation campaign. China’s foreign ministry spokeswoman, Mao Ning, stated that the report was a result of the geopolitical agenda of the Five Eyes coalition countries led by the United States.
Mao Ning further criticized the involvement of certain companies in disseminating what she referred to as “disinformation.” She claimed that the United States was expanding new channels to spread false narratives but emphasized that no change in tactics could alter the fact that the US is a “hacker empire.”
In response to the allegations, the United States and its allies defended the report’s findings, highlighting the use of “living off the land” tactics employed by the Volt Typhoon. This approach involves leveraging built-in network tools and legitimate system administration commands within Windows systems to blend in with normal operations. The report warned that these tactics allowed the hackers to appear benign and camouflage their malicious activities.
How to Stay Safe from the Attack
Microsoft has directly notified targeted or compromised customers, sharing crucial information to help them secure their environments. The company emphasizes the importance of tracking threat actors and has provided insights into its new threat actor naming taxonomy.
Organizations affected by this campaign are advised to close or change credentials for all compromised accounts, examine the activity of compromised accounts for malicious actions or exposed data, and implement measures such as strong multi-factor authentication, reducing the attack surface, and enabling cloud-delivered protection and endpoint detection and response (EDR) in block mode.
Microsoft continues to work on tracking and responding to the activities of Volt Typhoon and other nation-state threat actors, emphasizing the importance of collaboration and vigilance in safeguarding critical infrastructure and sensitive systems.