My TechDecisions

  • Best of Tech Decisions
  • Topics
    • Video
    • Audio
    • Mobility
    • Unified Communications
    • IT Infrastructure
    • Network Security
    • Physical Security
    • Facility
    • Compliance
  • RFP Resources
  • Resources
  • Podcasts
  • Project of the Week
  • About Us
    SEARCH
IT Infrastructure, Network Security, News

Microsoft, NSA Warn of Stealthy China-Sponsored Hacking Group Volt Typhoon

Microsoft, U.S. agencies say Volt Typhoon is a China-based state-sponsored threat actor that is stealthily targeting critical infrastructure.

May 24, 2023 Zachary Comeau Leave a Comment

China, Hacking, Microsoft, Routers, Volt Typhoon

Microsoft is sounding the alarm on a group it calls Volt Typhoon, another state-sponsored hacking group based in China that is targeting critical infrastructure organizations, relying on living-off-the-land techniques and proxying its network traffic through compromised network edge devices and routers to evade detection.

Microsoft says Volt Typhoon is pursuing the development of capabilities that could disrupt critical communications infrastructure between the U.S. and the Asia region during future crises. Although Microsoft's research blog doesn't mention Taiwan or the escalating tensions between the U.S. and China over the island, cyberattacks are now essentially expected to be part of international crises after the cyberattacks that preceded Russia's invasion of Ukraine.

Volt Typhoon’s victims

According to Microsoft, Volt Typhoon has been active since mid-2021 and has targeted critical infrastructure organizations in Guam and elsewhere in the U.S. Affected organizations span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology and education sectors.

Volt Typhoon relies on stealth, almost exclusively living-off-the-land techniques and hands-on-keyboard activity to stay undetected. The group issues commands via the command line to collect data and credentials from local and network systems, puts the data into an archive file staged for exfiltration, and uses stolen valid credentials to maintain persistence, researchers say.

The group also leverages compromised small office and home office (SOHO) network routers, firewalls and VPN hardware to route traffic through in an attempt to blend into normal network activity. The group also uses custom versions of open-source tools to establish a command-and-control channel over proxy to stay under the radar, Microsoft researchers say.

Volt Typhoon’s initial access

Volt Typhoon gains initial access to victim environments through internet-facing Fortinet devices (the blog refers to them as FortiGuard devices; the NSA advisory lists FortiGate firewalls), but Microsoft researchers have not yet determined how those devices are being compromised, per the blog.

“Microsoft continues to investigate Volt Typhoon’s methods for gaining access to these devices,” researchers write.

From there, the alleged China-based hacking group leverages the privileges afforded by the Fortinet device, extracts the credentials of an Active Directory account used by the device, and attempts to authenticate to other devices on the network with those credentials.

How Volt Typhoon evades detection

The group proxies its network traffic to its targets through compromised SOHO network edge devices, including routers, so that the traffic appears to come from ordinary residential or small-business connections.

“Microsoft has confirmed that many of the devices, which include those manufactured by ASUS, Cisco, D-Link, NETGEAR, and Zyxel, allow the owner to expose HTTP or SSH management interfaces to the internet,” Microsoft researchers say.

In a separate advisory from the U.S. National Security Agency, officials get more specific about the device types, listing ASUS, Cisco RV, Draytek Vigor, FatPipe IPVPN/MPVPN/WARP, Fortinet FortiGate, Netgear ProSAFE and Zyxel USG devices. Owners of those network edge devices should ensure that HTTP and SSH management interfaces aren't exposed to the public internet, and should keep device firmware current.

According to the NSA, Volt Typhoon further obscures its activity by having its command-and-control traffic emanate from local ISPs in the geographic area of the victim, so that the source addresses don't stand out in network logs.

Volt Typhoon’s discovery and data exfiltration

Once inside a target's environment, Volt Typhoon uses the command line to conduct hands-on-keyboard activity. The group rarely uses malware, researchers say. Instead, it uses living-off-the-land commands to find information on the system, discover additional devices on the network, and exfiltrate data.

According to Microsoft, the alleged Chinese hacking group also abuses a variety of legitimate, built-in Windows tools: it dumps credentials from the memory of the Local Security Authority Subsystem Service (LSASS), uses the command-line tool Ntdsutil.exe to create installation media from domain controllers (which yields a copy of the Active Directory database and its password hashes), and uses PowerShell, the Windows Management Instrumentation Command-line (WMIC) and the ping command to discover other systems on the network.

According to the NSA, the group also exploits CVE-2021-40539, a vulnerability in ManageEngine ADSelfService Plus, and CVE-2021-27860, a vulnerability in the management interface of FatPipe WARP, IPVPN and MPVPN devices.

Read Microsoft’s blog and the NSA advisory for more information, including indicators of compromise and recommended actions.

