A Chinese government hacking group has gained a significant foothold in critical infrastructure environments in the US and Guam, stealing network credentials and sensitive data while remaining largely undetectable, Microsoft and governments from the US and four other countries said Wednesday.
The group, followed by Microsoft under the name Volt Typhoon, has been operating for at least two years with a focus on espionage and intelligence gathering for the People’s Republic of China, Microsoft said. To maintain a low profile, the hackers use tools already installed or built into infected devices that are manually controlled by the attackers rather than automated, a technique known as “living off the land.” In addition to being revealed by Microsoft, the campaign was documented in an advisory jointly published by:
• US Cybersecurity and Infrastructure Security Agency (CISA)
• US Federal Bureau of Investigation (FBI)
• Australian Cybersecurity Center (ACSC)
• Canadian Center for Cybersecurity (CCCS)
• New Zealand National Cyber Security Center (NCSC-NZ)
• United Kingdom National Cyber Security Center (NCSC-UK)
In addition to the living-off-the-land technique, the hackers further obscured their activity by using compromised home and small office routers as intermediary infrastructure that allows communication with infected computers from ISPs local to the geographic area. In Microsoft’s advisory, researchers wrote:
To achieve their goal, the threat actor places a heavy emphasis on stealth in this campaign, relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity. They issue commands via the command line to (1) collect data, including credentials from local and network systems, (2) place the data in an archive file for exfiltration, and then (3) use the stolen valid credentials for tenacity. In addition, Volt Typhoon attempts to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware. They have also been observed using modified versions of open source tools to establish a command and control channel (C2) via proxy to further stay under the radar.
The Microsoft researchers said the campaign is likely designed to develop capabilities for “disrupting critical communications infrastructure between the United States and Asia during future crises.” Guam is important to the US military because of the Pacific ports and air base it provides. As tensions over Taiwan have eased, Guam’s strategic importance has become a focus.
The first entry point for the Volt Typhoon compromises is through Internet-facing Fortinet FortiGuard devices, which have proven to be an important beachhead for infecting networks in recent years. Exploiting vulnerabilities in FortiGuard devices that administrators failed to patch, the hackers extract credentials for a network’s Active Directory, which stores usernames, password hashes, and other sensitive information for all other accounts. The hackers then use that data to infect other devices on the network.
“Volt Typhoon directs all of its network traffic to its targets through compromised SOHO network peripherals (including routers),” Microsoft researchers wrote. “Microsoft has confirmed that many of the devices, including those from ASUS, Cisco, D-Link, NETGEAR, and Zyxel, allow the owner to expose HTTP or SSH management interfaces to the Internet.”
The rest of the advisory mainly outlines indicators of infection that administrators can use to determine whether their networks are infected.
Microsoft researchers wrote:
In most cases, Volt Typhoon gains access to compromised systems by logging in with valid credentials, just as authorized users do. However, in a small number of cases, Microsoft has observed Volt Typhoon operators creating proxies on compromised systems to facilitate access. They accomplish this with the built-in netsh portproxy command.
In rare cases, they also use modified versions of open source tools Impacket and Fast Reverse Proxy (FRP) to establish a C2 channel via proxy.
Compromised organizations will observe C2 access in the form of successful logins from unusual IP addresses. The same user account used for these logins can be associated with command-line activity that enables further credential access. Microsoft will continue to monitor Volt Typhoon and track changes in their activity and tooling.
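The two indicators Microsoft names above, a successful logon from an unusual IP address followed by command-line activity by the same account (here the netsh portproxy command), can be hunted for in Windows Security event logs. The following Python is an added example and not code from Microsoft or the joint advisory; the events, addresses, host and account names, and the "known" address ranges are all constructed, and a real hunt would read them from exported event logs.

```python
# Added example (not from Microsoft or the joint advisory): correlate
# successful logons from unusual IPs (event 4624) with later process
# creation (event 4688) by the same account on the same host, and flag
# netsh portproxy invocations in particular.
import re
from collections import defaultdict

# Constructed sample events; timestamps are seconds, IPs/hosts/users are made up.
EVENTS = [
    {"id": 4624, "user": "svc_backup", "ip": "203.0.113.45", "host": "FS01", "ts": 100},
    {"id": 4688, "user": "svc_backup", "host": "FS01", "ts": 130,
     "cmd": "netsh interface portproxy add v4tov4 listenport=9999 "
            "connectaddress=10.0.0.8 connectport=8443"},
    {"id": 4624, "user": "jdoe", "ip": "10.0.5.21", "host": "WS07", "ts": 200},
    {"id": 4688, "user": "jdoe", "host": "WS07", "ts": 210, "cmd": "ipconfig /all"},
    {"id": 4624, "user": "admin2", "ip": "198.51.100.9", "host": "DC01", "ts": 300},
    {"id": 4688, "user": "admin2", "host": "DC01", "ts": 320, "cmd": "whoami"},
]

# Assumption: the defender knows which address ranges logons normally come from.
KNOWN_PREFIXES = ("10.", "192.168.")

# Any netsh portproxy add/set/delete, regardless of other tokens or case.
PORTPROXY_RE = re.compile(r"\bnetsh\b.*\bportproxy\b.*\b(add|set|delete)\b", re.I)


def unusual_ip(ip):
    """True when the logon source is outside the known ranges."""
    return not ip.startswith(KNOWN_PREFIXES)


def hunt(events, window=600):
    """Return findings as (user, host, ip, reason) tuples.

    A 4624 from an unusual IP is a finding on its own; a 4688 running
    netsh portproxy is a finding, tied to the most recent unusual logon
    by that account on that host within `window` seconds, if any."""
    findings = []
    recent = defaultdict(list)  # (user, host) -> [(ts, ip), ...]
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["host"])
        if ev["id"] == 4624 and unusual_ip(ev["ip"]):
            recent[key].append((ev["ts"], ev["ip"]))
            findings.append((ev["user"], ev["host"], ev["ip"], "logon from unusual IP"))
        elif ev["id"] == 4688 and PORTPROXY_RE.search(ev["cmd"]):
            hits = [ip for ts, ip in recent[key] if ev["ts"] - ts <= window]
            ip = hits[-1] if hits else None
            reason = "netsh portproxy after unusual logon" if ip else "netsh portproxy"
            findings.append((ev["user"], ev["host"], ip, reason))
    return findings


if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

On the constructed events this reports the svc_backup logon, the portproxy command tied to it, and the admin2 logon, while jdoe's activity from a known range produces nothing.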
Affected industries include communications, manufacturing, utilities, transportation, construction, maritime, government, information technology, and education. The advisories provide guidelines for disinfecting compromised networks.