China-linked APT Volt Typhoon targets critical infrastructure organizations

Pierluigi Paganini May 25, 2023

A China-linked APT group, tracked as Volt Typhoon, breached critical infrastructure organizations in the U.S. and Guam without being detected.

China-linked APT cyber espionage group Volt Typhoon infiltrated critical infrastructure organizations in the U.S. and Guam without being detected. The group managed to maintain access without being detected for as long as possible.

According to Microsoft, the campaign aims at building capabilities that could disrupt critical communications infrastructure between the United States and Asia region in the case of future crises.

The Volt Typhoon group has been active since at least mid-2021 it carried out cyber operations against critical infrastructure. In the most recent campaign, the group targeted organizations in the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.

The APT group is using almost exclusively  living-off-the-land techniques and hands-on-keyboard activity to evade detection.

In order to conceal malicious traffic, the threat actor routes it through compromised small office and home office (SOHO) network devices, including routers, firewalls, and VPN hardware. The group also relies on customized versions of open-source tools for C2 communications and stay under the radar.

Volt Typhoon attack chain

Volt Typhoon targets internet-facing Fortinet FortiGuard devices to achieve initial access to targeted organizations. Then the attackers attempt to extract credentials to an Active Directory account used by the compromised device and use them for lateral movement by authenticating to other devices.

Upon gaining access to a target environment, the group conducts hands-on-keyboard activity via the command line. The researchers pointed out that the group rarely uses malware in the post-compromise phase.

“If the account that Volt Typhoon compromises from the Fortinet device has privileged access, they use that account to perform the following credential access activities.” continues the report. “Microsoft has observed Volt Typhoon attempting to dump credentials through the Local Security Authority Subsystem Service (LSASS). The LSASS process memory space contains hashes for the current user’s operating system (OS) credentials.”

Microsoft observed the Volt Typhoon dumping information from local web browser applications, then the attackers staged collected data in password-protected archives.

The experts concluded by warning organizations to be vigilant on successful sign-ins from unusual IP addresses that could represent C2 accesses.

Today, CISA joined the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and international partners in releasing a joint cybersecurity advisory highlighting recently discovered activities conducted by a People’s Republic of China (PRC) state-sponsored cyber threat actor. 

We are in the final!

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections where is reported Securityaffairs or my name Pierluigi Paganini

Please nominate Security Affairs as your favorite blog.

Nominate Pierluigi Paganini and Security Affairs here here: https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Volt Typhoon)



you might also like

leave a comment