A Chinese government hacking group has acquired a significant foothold inside critical infrastructure environments throughout the US and Guam and is stealing network credentials and sensitive data while remaining largely undetectable, Microsoft and governments from the US and four other countries said on Wednesday.
The group, tracked by Microsoft under the name Volt Typhoon, has been active for at least two years with a focus on espionage and information gathering for the People’s Republic of China, Microsoft said. To remain stealthy, the hackers rely on tools already installed on or built into the devices they compromise, and they operate those tools hands-on rather than through automated malware, a technique known as “living off the land.” In addition to being revealed by Microsoft, the campaign was also documented in an advisory jointly published by:
• US Cybersecurity and Infrastructure Security Agency (CISA)
• US Federal Bureau of Investigation (FBI)
• Australian Cyber Security Centre (ACSC)
• Canadian Centre for Cyber Security (CCCS)
• New Zealand National Cyber Security Centre (NCSC-NZ)
• United Kingdom National Cyber Security Centre (NCSC-UK)
Besides the living-off-the-land technique, the hackers further obscured their activity by using compromised home and small office routers as intermediate infrastructure that allows communications with infected computers to emanate from ISPs that are local to the geographic area. In Microsoft’s advisory, researchers wrote:
To achieve their objective, the threat actor puts strong emphasis on stealth in this campaign, relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity. They issue commands via the command line to (1) collect data, including credentials from local and network systems, (2) put the data into an archive file to stage it for exfiltration, and then (3) use the stolen valid credentials to maintain persistence. In addition, Volt Typhoon tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware. They have also been observed using custom versions of open-source tools to establish a command and control (C2) channel over proxy to further stay under the radar.
The Microsoft researchers said that the campaign is likely designed to develop capabilities for “disrupting critical communications infrastructure between the United States and Asia region during future crises.” Guam is important to the US military because of its Pacific ports and the air base it provides. As tensions over Taiwan have simmered, the strategic importance of Guam has become a focal point.
The initial entry point for the Volt Typhoon compromises is through Internet-facing Fortinet FortiGuard devices, which in recent years have proved to be a major beachhead for infecting networks. By exploiting vulnerabilities in FortiGuard devices that admins have neglected to patch, the hackers extract credentials to a network’s Active Directory, which stores usernames, password hashes, and other sensitive information for all other accounts. The hackers then use those credentials to authenticate to other devices on the network and move laterally across it.
“Volt Typhoon proxies all its network traffic to its targets through compromised SOHO network edge devices (including routers),” Microsoft researchers wrote. “Microsoft has confirmed that many of the devices, which include those manufactured by ASUS, Cisco, D-Link, NETGEAR, and Zyxel, allow the owner to expose HTTP or SSH management interfaces to the Internet.”
The remainder of the advisory mostly outlines indicators of compromise that admins can use to determine if their networks have been infected.
Microsoft researchers wrote:
In most cases, Volt Typhoon accesses compromised systems by signing in with valid credentials, the same way authorized users do. However, in a small number of cases, Microsoft has observed Volt Typhoon operators creating proxies on compromised systems to facilitate access. They accomplish this with the built-in netsh portproxy command.
In rare cases, they also use custom versions of open-source tools Impacket and Fast Reverse Proxy (FRP) to establish a C2 channel over proxy.
Compromised organizations will observe C2 access in the form of successful sign-ins from unusual IP addresses. The same user account used for these sign-ins may be linked to command-line activity conducting further credential access. Microsoft will continue to monitor Volt Typhoon and track changes in their activity and tooling.
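The two signals Microsoft singles out (successful sign-ins from unusual IP addresses, and the same account going on to run netsh portproxy) are simple to correlate once logon and process-creation events are side by side. The following is an added example written for this page, not code from Microsoft or the joint advisory. It runs over a handful of constructed Windows Security log records (event 4624 for logons, 4688 for process creation with command line); the trusted address ranges, account names, timestamps and IPs are all assumptions for illustration.

```python
"""Correlate unusual-source logons with netsh portproxy use on the same account.
Added example for this article; all events below are constructed, not real telemetry."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed corporate address space; a logon from anywhere else is "unusual" here.
TRUSTED_NETS = [ip_network("10.20.0.0/16"), ip_network("192.168.50.0/24")]

# "netsh interface portproxy add ..." is the built-in command Microsoft describes.
PORTPROXY_ADD = re.compile(r"\bnetsh\b.*\bportproxy\b.*\badd\b", re.I)

# Constructed sample events mimicking 4624 (logon) and 4688 (process creation).
SAMPLE_EVENTS = [
    {"id": 4624, "user": "svc_backup", "src_ip": "10.20.1.15",   "ts": "2023-05-24T08:01:00Z"},
    {"id": 4624, "user": "jdoe",       "src_ip": "10.20.3.7",    "ts": "2023-05-24T08:05:10Z"},
    {"id": 4624, "user": "svc_backup", "src_ip": "203.0.113.44", "ts": "2023-05-24T23:12:41Z"},
    {"id": 4688, "user": "svc_backup", "ts": "2023-05-24T23:14:02Z",
     "cmd": "netsh interface portproxy add v4tov4 listenport=9999 listenaddress=0.0.0.0 "
            "connectport=443 connectaddress=10.20.1.50"},
    {"id": 4688, "user": "jdoe", "ts": "2023-05-24T08:06:00Z",
     "cmd": "C:\\Windows\\System32\\notepad.exe report.txt"},
    {"id": 4688, "user": "svc_backup", "ts": "2023-05-24T23:15:30Z",
     "cmd": "netsh interface portproxy show all"},   # read-only, must not alert
]


def is_unusual_ip(ip_str):
    """True when the source address is outside every trusted range."""
    ip = ip_address(ip_str)
    return not any(ip in net for net in TRUSTED_NETS)


def unusual_logons(events):
    """(user, src_ip, ts) for successful logons from untrusted addresses."""
    return [(e["user"], e["src_ip"], e["ts"])
            for e in events if e["id"] == 4624 and is_unusual_ip(e["src_ip"])]


def portproxy_adds(events):
    """(user, cmd, ts) for process creations that add a portproxy rule."""
    return [(e["user"], e["cmd"], e["ts"])
            for e in events if e["id"] == 4688 and PORTPROXY_ADD.search(e["cmd"])]


def correlate(events):
    """Accounts seen both signing in from an unusual IP and adding a portproxy.

    A valid-credential logon alone looks like normal use; the portproxy add alone
    could be an admin. The combination on one account is what merits an alert."""
    by_user = defaultdict(lambda: {"logon_ips": [], "portproxy_cmds": []})
    for user, ip, _ in unusual_logons(events):
        by_user[user]["logon_ips"].append(ip)
    for user, cmd, _ in portproxy_adds(events):
        by_user[user]["portproxy_cmds"].append(cmd)
    return {u: v for u, v in by_user.items()
            if v["logon_ips"] and v["portproxy_cmds"]}


def parse_portproxy(cmd):
    """Extract listen/connect endpoints from a netsh portproxy add command so the
    alert states where traffic is being forwarded."""
    kv = dict(re.findall(r"(\w+)=(\S+)", cmd))
    return {"listen": f"{kv.get('listenaddress', '*')}:{kv.get('listenport')}",
            "connect": f"{kv.get('connectaddress')}:{kv.get('connectport')}"}


if __name__ == "__main__":
    for user, hit in correlate(SAMPLE_EVENTS).items():
        for cmd in hit["portproxy_cmds"]:
            fwd = parse_portproxy(cmd)
            print(f"ALERT {user}: logon from {hit['logon_ips']} then "
                  f"portproxy {fwd['listen']} -> {fwd['connect']}")
```

On a live host the same portproxy state can be read with `netsh interface portproxy show all` or from the registry under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp, which is where the rule persists across reboots; the trusted ranges must be tuned per environment, and because the sign-ins use valid credentials, the source address context is the main signal rather than the logon itself.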
Among the industries affected are communications, manufacturing, utilities, transportation, construction, maritime, government, information technology, and education. The advisories provide guidance for remediating any networks that have been compromised.