Researchers at Microsoft Corp. today detailed a sophisticated cyberattack aimed at critical U.S. infrastructure, orchestrated by an alleged China-based state-sponsored actor.

The hacking group, known as Volt Typhoon, has been active since mid-2021 and is suspected of preparing to disrupt U.S.-Asia communication networks in potential future crises. The sectors affected by the campaign include communications, manufacturing, utilities, transportation, construction, maritime, government, information technology and education.

The researchers said Volt Typhoon campaign emphasizes stealth, using advanced techniques such as living-off-the-land binaries of LOLBins and hands-on-keyboard activity. The group’s tactics include gathering credentials, staging data for exfiltration, and maintaining persistence in compromised systems using valid credentials.

The group obfuscates itself by attempting to blend with typical network activity by routing traffic through compromised small office and home office network equipment and establishing command-and-control channels over proxies using custom open-source tools.

According to the New York Times, U.S. intelligence agencies first became aware of the Volt Typhoon campaign in February, at around the same time an alleged Chinese spy balloon crossed North America. The infiltration is focused on communications infrastructure in Guam and other parts of the U.S., alarming intelligence officials because Guam is vital to any response to a future invasion of Taiwan.

The Microsoft researchers note that detecting and mitigating infiltration by Volt Typhoon can be difficult due to the use of valid accounts and LOLBins. To address compromised accounts, Microsoft has provided detailed information on Volt Typhoon’s activities, mitigation strategies, best practices and details on how Microsoft 365 Defender detects such activity.

“Because this activity relies on valid accounts and living-off-the-land binaries, detecting and mitigating this attack could be challenging,” the researchers note. “Compromised accounts must be closed or changed.”

The U.S. National Security has also published a Joint Cybersecurity Advisory alongside authorities from Australia, Canada, New Zealand and the U.K. — the so-called Five Eyes countries — containing a guide for the tactics, techniques and procedures employed in these types of attacks.

Microsoft has notified targeted or compromised customers directly and provided the necessary information to secure their systems.

“Geopolitical tensions are manifesting in cyberspace,” Tom Kellermann, senior vice president of Cyber Strategy at application security software platform provider Contrast Security Inc., told SiliconANGLE. “China is actively pulsing U.S. critical infrastructure before it invades Taiwan. These attacks, coupled with the debt crisis, will serve as a prelude for the invasion of Taiwan.”

Roger Grimes, data-driven defense evangelist at security awareness training company KnowBe4 Inc., noted that Volt Typhoon is interesting because it focuses on unpatched and insecure routers and other network devices and doesn’t use phishing as the primary initial access method.

“Most human-directed adversaries now ‘live off the land,’ using built-in tools and programs, making it significantly harder to detect malicious behavior,” Grimes explained. “Every organization must examine what anomalous behavior looks like when being used by malicious adversaries and how to detect and mitigate it.”

Photo: Pexels