Microsoft says a Chinese cyberespionage group it tracks as Volt Typhoon has been targeting critical infrastructure organizations across the United States, including Guam, an island hosting multiple military bases, since at least mid-2021.
Their targets and breached entities span a wide range of critical sectors, including government, maritime, communications, manufacturing, information technology, utilities, transportation, construction, and education.
“Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises,” the Microsoft Threat Intelligence team said.
The initial attack vector is the compromise of Internet-exposed Fortinet FortiGuard devices by exploiting an unknown zero-day vulnerability.
After breaching the targets’ networks, they launch what Microsoft describes as “living-off-the-land” attacks with hands-on-keyboard activity and living-off-the-land binaries (LOLBins) such as PowerShell, Certutil, Netsh, and the Windows Management Instrumentation Command-line (WMIC).
However, they were also seen using open-source tools like Fast Reverse Proxy (frp), the Mimikatz credential-stealing tool, and the Impacket networking framework, according to a joint advisory published today by the FBI, NSA, CISA, and Five Eyes partners cybersecurity agencies from Australia, New Zealand, the United Kingdom, and Canada.
To ensure that their malicious activity blends with legitimate network traffic to evade detection, Volt Typhoon employs compromised small office and home office (SOHO) network equipment from ASUS, Cisco, D-Link, Netgear, FatPipe, and Zyxel, such as routers, firewalls, and VPN appliances.
Leveraging the privileged access obtained after compromising the Fortinet devices allows the state hackers to dump credentials through the Local Security Authority Subsystem Service (LSASS).
The stolen credentials allow them to deploy Awen-based web shells for data exfiltration and persistence on the hacked systems.
As Mandiant Intelligence Chief Analyst John Hultquist told BleepingComputer, these intrusions into US critical infrastructure orgs are likely part of a concerted effort to provide China with access in the event of a future conflict between the two countries.
“There are a variety of reasons actors target critical infrastructure, but a persistent focus on these sectors may indicate preparation for disruptive or destructive cyberattack,” Hultquist said.
“States conduct long-term intrusions into critical infrastructure to prepare for possible conflict, because it may simply be too late to gain access when conflict arises. Similar contingency intrusions are regularly conducted by states.
“Over the last decade, Russia has targeted a variety of critical infrastructure sectors in operations that we do not believe were designed for immediate effect. China has done the same in the past, targeting the oil and gas sector. These operations are aggressive and potentially dangerous, but they don’t necessarily indicate attacks are looming.”
In line with its standard procedures for addressing nation-state actor activity, Microsoft says it proactively reached out to all customers that were either targeted or compromised in these attacks to provide them with the information required to secure their networks from future hacking attempts.