Home / News

Stealth Cyberattacks by China’s Volt Typhoon Threaten U.S. Infrastructure: Microsoft Unmasks Espionage Campaign

Commands from Volt Typhoon setting up and removing a port proxy on an infiltrated system. Source: Microsoft

Microsoft today disclosed the detection of covert and targeted malicious activity aimed at critical infrastructure organizations in the United States. The attack is orchestrated by a state-sponsored group from China, known as Volt Typhoon, with the suspected objective of disrupting the communication infrastructure between the U.S. and Asia during potential future crises.

The Scope and Intention of Volt Typhoon Attacks: Volt Typhoon, active since mid-2021, has targeted U.S. organizations in sectors like communications, manufacturing, utilities, transportation, construction, maritime, government, IT, and education, with a particular emphasis on infrastructures in Guam. The group’s observed actions suggest a focus on espionage and the maintenance of undetected access for a prolonged period.

Stealth Tactics and Techniques Employed by the Attackers: The attackers have been meticulous in their approach, favoring living-off-the-land techniques and hands-on-keyboard activity to maintain a low profile. To collect data, the attackers issue commands via the command line, then archive and stage this data for exfiltration, often utilizing stolen credentials to maintain persistence. The group has also been seen blending into routine network activity by routing traffic through compromised small office/home office (SOHO) network equipment, such as routers, firewalls, and VPN hardware.

Challenges in Detecting and Mitigating the Attacks: Custom versions of open-source tools are used by Volt Typhoon to establish a command and control (C2) channel over proxies to further stay under the radar. Microsoft warns that due to the group’s reliance on valid accounts and living-off-the-land binaries (LOLBins), detection and mitigation of these attacks can be challenging. The recommendation is to close or change compromised accounts as a countermeasure.

Insights, Mitigation Steps, and Cybersecurity Guidelines Provided by Microsoft and the NSA: Microsoft’s blog post provides comprehensive information on Volt Typhoon’s campaign, tactics, mitigation steps, and best practices. It also details how Microsoft 365 Defender identifies malicious and suspicious activity to protect organizations from such concealed attacks. The National Security Agency (NSA) has also released a Cybersecurity Advisory, serving as a hunting guide for the described tactics, techniques, and procedures.

By CircleID Reporter

CircleID’s internal staff reporting on news tips and developing stories. Do you have information the professional Internet community should be aware of? Contact us.

Visit Page

Filed Under

Comments

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Related

Topics

IPv4 Markets

Sponsored byIPv4.Global

Cybersecurity

Sponsored byVerisign

New TLDs

Sponsored byRadix

Domain Names

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

DNS

Sponsored byDNIB.com

Brand Protection

Sponsored byCSC