Microsoft today disclosed the detection of stealthy, targeted malicious activity aimed at critical infrastructure organizations in the United States. The activity is attributed to a state-sponsored actor based in China, tracked as Volt Typhoon, whose suspected objective is to develop the capability to disrupt communications infrastructure between the U.S. and Asia during future crises.
The Scope and Intention of Volt Typhoon Attacks: Volt Typhoon, active since mid-2021, has targeted U.S. organizations in the communications, manufacturing, utilities, transportation, construction, maritime, government, IT, and education sectors, with a particular emphasis on infrastructure in Guam. The group's observed behavior points to espionage and to maintaining undetected access for as long as possible rather than to immediate disruption.
Stealth Tactics and Techniques Employed by the Attackers: The attackers have been meticulous in their approach, favoring living-off-the-land techniques and hands-on-keyboard activity to keep a low profile. They use the command line to find information on the system, collect data (including credentials from local and network systems), then archive and stage that data for exfiltration, and rely on stolen valid credentials to maintain persistence. The group has also been seen blending into routine network activity by routing traffic through compromised small office/home office (SOHO) network equipment, such as routers, firewalls, and VPN hardware.
Challenges in Detecting and Mitigating the Attacks: Volt Typhoon uses custom versions of open-source tools to establish a command and control (C2) channel over proxies, which further helps it stay under the radar. Microsoft warns that because the group relies on valid accounts and living-off-the-land binaries (LOLBins), activity that looks like ordinary administration, detection and mitigation are challenging. The recommended countermeasure is to close compromised accounts or change their credentials.
Insights, Mitigation Steps, and Cybersecurity Guidelines Provided by Microsoft and the NSA: Microsoft's blog post provides comprehensive information on Volt Typhoon's campaign, tactics, mitigation steps, and best practices. It also details how Microsoft 365 Defender identifies malicious and suspicious activity to protect organizations from such concealed attacks. The National Security Agency (NSA) has also released a Cybersecurity Advisory that serves as a hunting guide for the described tactics, techniques, and procedures.
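Because the actor relies on valid accounts and LOLBins, a single suspicious command is a weak signal; the stronger signal is one account chaining several living-off-the-land behaviors (setting up a host-level proxy, copying the AD database, archiving the result with a password). The script below is an added example, not code from the article, Microsoft, or the NSA. It runs a small rule set over constructed process-creation records and escalates accounts that trip more than one rule category. The command-line patterns (netsh portproxy, ntdsutil "ifm", wmic remote process creation, password-protected archiving) are the kind of indicators the public hunting guidance describes, but the exact regexes, field format, host names, and log lines here are assumptions made for illustration.

```python
"""
Hunting for chained living-off-the-land activity in Windows process-creation
telemetry. Added example; the record format 'host=..|user=..|image=..|cmdline=..'
and the sample events are constructed, not taken from any real environment.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    user: str
    image: str
    cmdline: str


# (rule name, image regex, command-line regex). Matching is case-insensitive
# because LOLBin invocations vary in casing and path. Patterns are illustrative.
RULES = [
    ("portproxy_forwarding",
     r"\\netsh\.exe$", r"interface\s+portproxy\s+add\s+v4tov4"),
    ("ntds_dump_via_ntdsutil",
     r"\\ntdsutil\.exe$", r"(ac\s+i\s+ntds|activate\s+instance\s+ntds).*\bifm\b"),
    ("wmic_remote_process",
     r"\\wmic\.exe$", r"/node:.*process\s+call\s+create"),
    ("staging_archive_with_password",
     r"\\(7z|7za|rar|winrar)\.exe$", r"\s(a|u)\s.*-p\S+"),
]


def parse_line(line: str) -> ProcEvent:
    """Parse one constructed record; cmdline is last so it may contain '=' or '|'."""
    parts = line.strip().split("|", 3)
    host, user, image, cmdline = [p.split("=", 1)[1] for p in parts]
    return ProcEvent(host, user, image, cmdline)


def match_rules(ev: ProcEvent) -> list:
    """Names of every rule whose image and command-line patterns both match."""
    return [name for name, img_re, cmd_re in RULES
            if re.search(img_re, ev.image, re.I) and re.search(cmd_re, ev.cmdline, re.I)]


def hunt(lines):
    """Return (per-event hits, per-user set of rule categories)."""
    per_event, per_user = [], {}
    for line in lines:
        ev = parse_line(line)
        hits = match_rules(ev)
        if hits:
            per_event.append((ev.host, ev.user, hits))
            per_user.setdefault(ev.user, set()).update(hits)
    return per_event, per_user


def escalate(per_user, threshold: int = 2) -> dict:
    """Accounts that triggered at least `threshold` distinct categories: the
    chained-behavior signal that a lone admin-looking command does not give."""
    return {u: sorted(r) for u, r in per_user.items() if len(r) >= threshold}


# Constructed sample telemetry: one account chains proxy setup, an NTDS copy and
# password-protected archiving; the other events are benign or isolated.
SAMPLE_LOG = [
    "host=WS-GUAM-07|user=CORP\\jsmith|image=C:\\Windows\\System32\\netsh.exe|"
    "cmdline=netsh interface portproxy add v4tov4 listenport=9999 listenaddress=0.0.0.0 "
    "connectport=8443 connectaddress=10.20.30.40",
    "host=DC01|user=CORP\\jsmith|image=C:\\Windows\\System32\\ntdsutil.exe|"
    "cmdline=ntdsutil \"ac i ntds\" ifm \"create full C:\\Windows\\Temp\\pro\" q q",
    "host=DC01|user=CORP\\jsmith|image=C:\\Program Files\\7-Zip\\7z.exe|"
    "cmdline=7z a -pS3cret C:\\Windows\\Temp\\pro.7z C:\\Windows\\Temp\\pro",
    "host=WS-IT-03|user=CORP\\svc_backup|image=C:\\Program Files\\7-Zip\\7z.exe|"
    "cmdline=7z a D:\\backups\\nightly.7z D:\\data",
    "host=WS-IT-03|user=CORP\\helpdesk|image=C:\\Windows\\System32\\netsh.exe|"
    "cmdline=netsh interface show interface",
    "host=APP02|user=CORP\\admin2|image=C:\\Windows\\System32\\wbem\\wmic.exe|"
    "cmdline=wmic /node:10.20.30.50 process call create \"cmd.exe /c whoami\"",
]

if __name__ == "__main__":
    events, users = hunt(SAMPLE_LOG)
    for host, user, hits in events:
        print(f"{host:12} {user:18} {', '.join(hits)}")
    print("escalate:", escalate(users))
```

The per-event hits are what a SIEM rule would alert on; `escalate` is the triage step that separates the admin who ran one `netsh` command from the account that also copied NTDS.dit and packed it with a password. In a real deployment the rule set would be tuned against baseline usage of these tools, and hits against an account should feed the account-closure or credential-rotation step the advisory recommends.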