Critical infrastructure organizations across the United States have been under a stealthy cyberattack. The culprit? A Chinese cyberespionage group that Microsoft has been tracking under the name “Volt Typhoon”. These attacks, which have been ongoing since mid-2021, have targeted a diverse range of sectors from government and maritime to education and manufacturing.
The hackers have gone to great lengths to develop disruption capabilities. Their focus? The critical communications infrastructure between the United States and the Asia region. Their method of infiltration involves exploiting an undisclosed vulnerability in Fortinet FortiGuard devices, network security appliances that are commonly exposed to the internet.
Once inside their target networks, the hackers employ a strategy known as “living-off-the-land”. This technique involves using common, often legitimate, tools already present on the compromised systems, allowing them to remain undetected.
Furthermore, the attackers have cleverly manipulated small office and home office (SOHO) network equipment from brands such as ASUS, Cisco, D-Link, Netgear, FatPipe, and Zyxel. This manipulation allows their malicious activity to blend seamlessly with legitimate network traffic, thereby evading detection.
Leveraging their privileged access, the hackers have been able to harvest credentials via the Local Security Authority Subsystem Service (LSASS). These stolen credentials then enable them to deploy Awen-based web shells, thereby establishing persistence on the compromised systems and facilitating data exfiltration.
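Credential harvesting from LSASS leaves a trace that defenders can look for: a process opening a handle to lsass.exe with rights that permit reading its memory. The following is an added example (not code from the article or from Microsoft's guidance) that scans constructed Sysmon Event ID 10 (ProcessAccess) records for such access from processes outside an assumed allowlist; the field names follow Sysmon's schema, the sample lines and allowlist are constructed.

```python
import re

# Handle right that lets the caller read another process's memory; any
# credential-dumping tool needs it when it targets LSASS.
PROCESS_VM_READ = 0x0010

# Processes that legitimately open LSASS on a typical Windows host.
# This allowlist is an assumption for the example; tune it per fleet.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}

_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Parse a 'Key=Value Key=Value' style Sysmon record into a dict."""
    return dict(_FIELD.findall(line))


def reads_memory(granted_access: int) -> bool:
    """True when the granted access mask includes PROCESS_VM_READ."""
    return bool(granted_access & PROCESS_VM_READ)


def suspicious_lsass_access(line: str) -> bool:
    """True for a ProcessAccess event on lsass.exe from a non-allowlisted
    source image that obtained memory-read rights."""
    ev = parse_event(line)
    if ev.get("EventID") != "10":          # only ProcessAccess events
        return False
    if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    if ev.get("SourceImage", "").lower() in ALLOWLIST:
        return False
    return reads_memory(int(ev.get("GrantedAccess", "0x0"), 16))


def scan(lines):
    """Return the source images of every suspicious LSASS access in the input."""
    return [parse_event(l)["SourceImage"] for l in lines if suspicious_lsass_access(l)]


SAMPLE_LOGS = [  # constructed sample records, not real telemetry
    r"EventID=10 SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1FFFFF",
    r"EventID=10 SourceImage=C:\Windows\Temp\updater.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010",
    r"EventID=10 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\notepad.exe GrantedAccess=0x1010",
    r"EventID=1 SourceImage=C:\Windows\System32\cmd.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010",
]

if __name__ == "__main__":
    for src in scan(SAMPLE_LOGS):
        print("suspicious LSASS access from", src)
```

Because living-off-the-land intrusions use binaries that are already present, the allowlist should be built from observed baseline behaviour rather than from binary names alone.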
Mandiant Intelligence Chief Analyst John Hultquist suggests that these attacks are more than random infiltrations. He believes they form part of a broader strategy aimed at preparing for a potential future conflict between China and the United States, with these long-term intrusions serving as contingency plans.
In light of these stealthy and potentially dangerous attacks, Microsoft has taken proactive measures. The tech giant has reached out to all customers who were either targeted or compromised during these attacks, providing them with crucial information to bolster their defenses and secure their networks against future hacking attempts.