
Microsoft, NSA Warn of Stealthy China-Sponsored Hacking Group Volt Typhoon

Microsoft, U.S. agencies say Volt Typhoon is a China-based state-sponsored threat actor that is stealthily targeting critical infrastructure.

May 24, 2023 Zachary Comeau Leave a Comment


Microsoft is sounding the alarm on a group it calls Volt Typhoon, another state-sponsored hacking group based in China that is targeting critical infrastructure organizations and leveraging living-off-the-land techniques and proxying its network traffic through compromised network edge devices and routers to evade detection.

Microsoft says Volt Typhoon is pursuing the development of capabilities that could disrupt critical communications infrastructure between the U.S. and the Asia region during future crises. Although Microsoft’s research blog doesn’t mention Taiwan or the escalating tensions between the U.S. and China over Taiwan, cyberattacks are now essentially expected to be part of international crises after the cyberattacks that preceded Russia’s invasion of Ukraine.

Volt Typhoon’s victims

According to Microsoft, Volt Typhoon has been active since mid-2021 and has targeted critical infrastructure organizations in Guam and elsewhere in the U.S. Affected organizations span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology and education sectors.

Volt Typhoon relies on stealth, almost exclusively living-off-the-land techniques, and hands-on-keyboard activity to stay undetected. The group issues commands via the command line to collect data and credentials from local and network systems, puts the data into an archive file staged for exfiltration, and uses stolen credentials to maintain persistence, researchers say.

The group also leverages compromised small office and home office (SOHO) network routers, firewalls and VPN hardware to route traffic through in an attempt to blend into normal network activity. The group also uses custom versions of open-source tools to establish a command-and-control channel over proxy to stay under the radar, Microsoft researchers say.

Volt Typhoon’s initial access

Volt Typhoon gains initial access to victim environments through internet-facing Fortinet FortiGuard devices, but Microsoft researchers don’t exactly know how, per the blog.

“Microsoft continues to investigate Volt Typhoon’s methods for gaining access to these devices,” researchers write.

From there, the alleged China-based hacking group leverages privileges afforded by the Fortinet device, extracts credentials to an Active Directory account used by the device, and attempts to authenticate to other devices on the network with those credentials.

How Volt Typhoon evades detection

The elite China hacking group proxies its network traffic to its targets through compromised SOHO network edge devices, including routers.

“Microsoft has confirmed that many of the devices, which include those manufactured by ASUS, Cisco, D-Link, NETGEAR, and Zyxel, allow the owner to expose HTTP or SSH management interfaces to the internet,” Microsoft researchers say.

In a separate advisory from the U.S. National Security Agency, officials get more specific about the device types, listing ASUS, Cisco RV, Draytek Vigor, FatPipe IPVPN/MPVPN/WARP, Fortinet Fortigate, Netgear Prosafe, and Zyxel USG devices. Owners of those network edge devices should ensure that management interfaces aren’t exposed to the public internet.

According to the NSA, Volt Typhoon further obscures its activity by having its command-and-control traffic emanate from local ISPs in the geographic area of the victim.

Volt Typhoon’s discovery and data exfiltration

Once inside a target’s environment, Volt Typhoon uses the command line to conduct hands-on-keyboard activity. The group rarely uses malware, researchers say. Instead, they use living-off-the-land commands to find information on the system, discover additional devices on the network, and exfiltrate data.

According to Microsoft, the alleged Chinese hacking group also uses a variety of legitimate tools, including the Local Security Authority Subsystem Service to dump credentials, the command-line tool Ntdsutil.exe to create installation media from domain controllers, and PowerShell, Windows Management Instrumentation Command-line and the ping command to discover other systems on the network.
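The living-off-the-land tooling described above (Ntdsutil.exe creating installation media on a domain controller, WMIC and PowerShell for host discovery, ping for network sweeps) leaves ordinary process-creation events rather than malware artifacts, so detection has to key on command lines and their timing. The following is an added example written for this article, not code from Microsoft or the NSA advisory; the log format, host names, rule labels and sweep thresholds are all assumptions, and the events are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (timestamp|host|image|command line), written
# for this example only; they are not telemetry from Microsoft, the NSA or any victim.
SAMPLE_LOG = r"""
2023-05-20T02:11:04|DC01|C:\Windows\System32\ntdsutil.exe|ntdsutil "ac i ntds" ifm "create full C:\Windows\Temp\pro" q q
2023-05-20T02:12:30|WS17|C:\Windows\System32\wbem\WMIC.exe|wmic /node:10.0.0.12 computersystem get name
2023-05-20T02:12:31|WS17|C:\Windows\System32\PING.EXE|ping -n 1 10.0.0.13
2023-05-20T02:12:32|WS17|C:\Windows\System32\PING.EXE|ping -n 1 10.0.0.14
2023-05-20T02:12:33|WS17|C:\Windows\System32\PING.EXE|ping -n 1 10.0.0.15
2023-05-20T02:12:34|WS17|C:\Windows\System32\PING.EXE|ping -n 1 10.0.0.16
2023-05-20T02:13:05|WS17|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c Get-ADComputer -Filter * | Select-Object Name
2023-05-20T09:15:00|WS02|C:\Windows\System32\PING.EXE|ping -n 4 10.0.0.1
"""

# Each rule: (finding label, regex over the command line). Labels are this example's own.
RULES = [
    ("credential_access: ntdsutil IFM export of the AD database", re.compile(r"\bntdsutil\b.*\bifm\b", re.I)),
    ("discovery: remote WMI query via wmic /node:", re.compile(r"\bwmic\b.*/node:", re.I)),
    ("discovery: PowerShell AD host enumeration", re.compile(r"powershell.*\bGet-ADComputer\b", re.I)),
]
PING_SWEEP_TARGETS = 4                    # distinct addresses pinged from one host...
PING_SWEEP_WINDOW = timedelta(minutes=2)  # ...inside this window are treated as a sweep
PING_RX = re.compile(r"\bping\b.*?(\d{1,3}(?:\.\d{1,3}){3})", re.I)

def flag_lotl_activity(log_text):
    """Return [(host, finding)] for command lines matching the tradecraft above."""
    findings = []
    pings = defaultdict(list)  # host -> [(time, target ip)]
    for line in log_text.strip().splitlines():
        ts, host, _image, cmd = line.split("|", 3)  # maxsplit keeps PowerShell pipes inside cmd
        for label, rx in RULES:
            if rx.search(cmd):
                findings.append((host, label))
        m = PING_RX.search(cmd)
        if m:
            pings[host].append((datetime.fromisoformat(ts), m.group(1)))
    # A single ping is normal; several to distinct addresses in a short window is a sweep.
    for host, events in pings.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {ip for t, ip in events[i:] if t - t0 <= PING_SWEEP_WINDOW}
            if len(targets) >= PING_SWEEP_TARGETS:
                findings.append((host, "discovery: ping sweep of %d hosts" % len(targets)))
                break
    return findings

if __name__ == "__main__":
    for host, finding in flag_lotl_activity(SAMPLE_LOG):
        print(host, finding)
```

The isolated ping from WS02 produces no finding, while the burst from WS17 does; in a real deployment the same logic would run over Windows Security 4688 or Sysmon process-creation events with command-line logging enabled.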

According to the NSA, the group also exploits CVE-2021-40539, a vulnerability in ManageEngine ADSelfService Plus, and CVE-2021-27860, a vulnerability in the management interface of FatPipe WARP, IPVPN and MPVPN.

Read Microsoft’s blog and the NSA advisory for more information, including indicators of compromise and recommended actions.
