Microsoft is sounding the alarm on a group it calls Volt Typhoon, another state-sponsored hacking group based in China that is targeting critical infrastructure organizations and leveraging living-off-the-land techniques and proxying its network traffic through compromised network edge devices and routers to evade detection.
Microsoft says Volt Typhoon is pursuing development of capabilities that could disrupt critical communications infrastructure between the U.S. and the Asia region during future crises. Although Microsoft’s research blog doesn’t mention Taiwan or the escalating tensions between the U.S. and China over the country, cyberattacks are now essentially expected to be a part of international crises after the cyberattacks that preceded Russia’s invasion of Ukraine.
Volt Typhoon’s victims
According to Microsoft, Volt Typhoon has been active since mid-2021 and has targeted critical infrastructure organizations in Guam and elsewhere in the U.S. Affected organizations span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology and education sectors.
Volt Typhoon relies on stealth, almost exclusively living-off-the-land techniques and hands-on-keyboard activity to stay undetected. The group issues commands via the command line to collect data and credentials from local and network systems, puts the data into an archive file to stage it for exfiltration and uses stolen credentials to maintain persistence, researchers say.
The group also leverages compromised small office and home office (SOHO) network routers, firewalls and VPN hardware to route its traffic through in an attempt to blend into normal network activity. It also uses custom versions of open-source tools to establish a command-and-control channel over proxy to stay under the radar, Microsoft researchers say.
Volt Typhoon’s initial access
Volt Typhoon gains initial access to victim environments through internet-facing Fortinet FortiGuard devices, but Microsoft researchers don’t exactly know how, per the blog.
“Microsoft continues to investigate Volt Typhoon’s methods for gaining access to these devices,” researchers write.
From there, the alleged China-based hacking group leverages privileges afforded by the Fortinet device, extracts credentials to an Active Directory account used by the device, and attempts to authenticate to other devices on the network with those credentials.
How Volt Typhoon evades detection
The elite China hacking group proxies its network traffic to its targets through compromised SOHO network edge devices, including routers.
“Microsoft has confirmed that many of the devices, which include those manufactured by ASUS, Cisco, D-Link, NETGEAR, and Zyxel, allow the owner to expose HTTP or SSH management interfaces to the internet,” Microsoft researchers say.
In a separate advisory from the U.S. National Security Agency, officials get more specific about the device types, listing ASUS, Cisco RV, Draytek Vigor, FatPipe IPVPN/MPVPN/WARP, Fortinet Fortigate, Netgear Prosafe, and Zyxel USG devices. Owners of those network edge devices should ensure that management interfaces aren’t exposed to the public internet.
According to the NSA, Volt Typhoon further obscures activity by having their command-and-control traffic emanate from local ISPs in the geographic area of the victim.
Volt Typhoon’s discovery and data exfiltration
Once inside a target’s environment, Volt Typhoon uses the command line to conduct hands-on-keyboard activity. The group rarely uses malware, researchers say. Instead, they use living-off-the-land commands to find information on the system, discover additional devices on the network, and exfiltrate data.
According to Microsoft, the alleged Chinese hacking group also uses a variety of legitimate tools, including the Local Security Authority Subsystem Service to dump credentials, the command-line tool Ntdsutil.exe to create installation media from domain controllers, and PowerShell, Windows Management Instrumentation Command-line and the ping command to discover other systems on the network.
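The tool usage described in this paragraph and in the earlier description of the group staging collected data into archives is exactly what a defender can hunt for in Windows process-creation telemetry. The following is an added detection example written for this article; it is not code from Microsoft, the NSA or the article itself. The log lines are constructed samples in a simplified one-event-per-line JSON shape, and the field names ("host", "image", "cmdline") are assumptions rather than the schema of any particular product. The rules are deliberately coarse hunting leads, and the per-host clustering reflects the article's point that these tools appear together in an interactive chain rather than in isolation.

```python
"""Hunt for living-off-the-land patterns in process-creation events.

Added example (not from the article, Microsoft or the NSA). Field names
and sample events are constructed assumptions, not real telemetry.
"""
import json
import re
from collections import defaultdict

# Detection rules as (name, regex over the lowercased command line).
# Each mirrors a tool the article attributes to the group; each is a
# coarse hunting lead, not a verdict on its own.
RULES = [
    # ntdsutil producing "installation media" (an IFM copy of NTDS.dit)
    ("ntdsutil_ifm", re.compile(r"ntdsutil(\.exe)?\b.*\bifm\b")),
    # any command naming lsass together with a dump keyword
    ("lsass_dump", re.compile(r"lsass.*(dump|minidump)|(dump|minidump).*lsass")),
    # WMI command line pointed at a remote host for discovery
    ("wmic_remote", re.compile(r"\bwmic(\.exe)?\b.*/node:")),
    # single-echo pings typical of scripted host discovery
    ("ping_sweep", re.compile(r"\bping(\.exe)?\b.*-n\s+1\b")),
    # data staged into an archive before exfiltration
    ("archive_staging", re.compile(r"\b(7z|rar|makecab|compress-archive)\b")),
]


def scan_events(lines):
    """Return one (host, rule_name, original_cmdline) tuple per matching event."""
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        cmd = ev.get("cmdline", "").lower()
        for name, rx in RULES:
            if rx.search(cmd):
                hits.append((ev["host"], name, ev["cmdline"]))
    return hits


def cluster_by_host(hits, min_categories=2):
    """Group hits per host and keep hosts showing at least min_categories
    distinct behaviours: discovery, credential access and staging on one
    machine is far more telling than any single tool invocation."""
    per_host = defaultdict(set)
    for host, name, _ in hits:
        per_host[host].add(name)
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_categories}


# Constructed sample events (assumed schema; not real logs). The first two
# show a domain controller copying NTDS and archiving it; the next two show
# a workstation doing remote discovery; the last two are benign lookalikes.
SAMPLE_LOG = """
{"host": "DC01", "image": "ntdsutil.exe", "cmdline": "ntdsutil.exe \\"ac i ntds\\" ifm \\"create full C:\\\\Windows\\\\Temp\\\\pro\\" q q"}
{"host": "DC01", "image": "cmd.exe", "cmdline": "cmd.exe /c 7z a C:\\\\Windows\\\\Temp\\\\out.7z C:\\\\Windows\\\\Temp\\\\pro"}
{"host": "WS07", "image": "wmic.exe", "cmdline": "wmic /node:FILESRV01 process list brief"}
{"host": "WS07", "image": "ping.exe", "cmdline": "ping -n 1 10.0.0.21"}
{"host": "WS12", "image": "ping.exe", "cmdline": "ping -n 4 www.example.com"}
{"host": "WS12", "image": "7z.exe", "cmdline": "7z a backup.7z C:\\\\Users\\\\alice\\\\Documents"}
"""


if __name__ == "__main__":
    found = scan_events(SAMPLE_LOG.splitlines())
    for host, rule, cmd in found:
        print(f"[{rule:16}] {host}: {cmd}")
    print("hosts with clustered activity:", cluster_by_host(found))
```

Running the script flags DC01 (NTDS copy followed by archiving) and WS07 (remote WMI plus single-echo pings) while leaving WS12 alone, since a user zipping their own documents trips only one rule. In a real environment the same logic belongs in the SIEM or EDR query layer, with the archive and ping rules tuned against known administrative baselines before anyone is paged on them.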
According to the NSA, the group also exploits CVE-2021-40539, a vulnerability in ManageEngine ADSelfService Plus, and CVE-2021-27860, a vulnerability in the management interface of FatPipe WARP, IPVPN and MPVPN.