Microsoft has detected stealthy, targeted malicious activity focused on post-compromise credential access and discovery of network systems. The activity targets critical infrastructure organisations in the United States and is attributed to Volt Typhoon, a China-based state-sponsored actor that typically focuses on espionage and information gathering. Microsoft believes this Volt Typhoon campaign is building capabilities that could disrupt critical communications infrastructure between the United States and Asia during a future crisis.
Active since mid-2021, Volt Typhoon has targeted critical infrastructure organisations in Guam and elsewhere in the United States. Affected organisations span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. The observed behaviour indicates that the actor intends to perform espionage and to retain access for as long as possible without being detected. Microsoft's visibility into this activity has let it deploy detections for its customers, but its limited insight into the rest of the actor's operations is why it is pushing for broader industry awareness, investigation, and protective measures across the security ecosystem.
To achieve its goals, Volt Typhoon puts a strong emphasis on stealth, relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity. The actor uses the command line to collect data, including credentials from local and network systems, stages that data for exfiltration by placing it in an archive file, and then uses the stolen valid credentials to maintain persistence. To blend in with normal network traffic, Volt Typhoon routes its traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware. It has also been observed using customised versions of open-source tools to establish a command and control (C2) channel over a proxy, further reducing the chance of detection.
As Microsoft's published information highlights, the current Volt Typhoon campaign is directed predominantly at critical infrastructure providers and uses these methods to gain and keep unauthorised access to targeted networks. Because the activity relies on valid accounts and living-off-the-land binaries (LOLBins), detecting and mitigating it is difficult: individual commands look like routine administration under legitimate credentials. Mitigation therefore requires closing compromised accounts or changing their credentials, and reviewing what those accounts did while they were compromised.
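The two preceding paragraphs describe why this activity is hard to catch: each command is a legitimate binary run under a valid account. The usual answer is to hunt for the described behaviours (command-line credential collection, archive staging, proxy set-up) in process-creation telemetry and then correlate them per host and account, since one hit is noise but two categories in quick succession is not. The example below is added to this write-up; it is not Microsoft's hunting query and it is not from the NSA advisory. The page names no specific binaries, so the rule table (ntdsutil, reg save, comsvcs minidump, wmic, 7z/rar/makecab, netsh portproxy) is this example's own assumption about common living-off-the-land usage, and the log lines are constructed for the demo.

```python
"""Flag living-off-the-land credential-access, staging and proxy patterns in
Windows process-creation events, then correlate them per host and account.

Added example, not code from the page or from Microsoft. The binaries in the
rule table are assumptions about typical LOLBin usage; SAMPLE_EVENTS are
constructed for this demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (rule name, category, regex over the lower-cased command line)
RULES = [
    ("ntdsutil_ifm",     "credential_access", re.compile(r"\bntdsutil\b.*\bifm\b.*\bcreate\b")),
    ("reg_save_hive",    "credential_access", re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b")),
    ("comsvcs_minidump", "credential_access", re.compile(r"comsvcs\.dll\b.*\bminidump\b")),
    ("wmic_discovery",   "discovery",         re.compile(r"\bwmic\b.*\b(ntdomain|useraccount|logicaldisk|volume)\b")),
    ("archive_staging",  "staging",           re.compile(r"\b(7z|7za|rar|makecab)(\.exe)?\b")),
    ("netsh_portproxy",  "proxy",             re.compile(r"\bnetsh\b.*\bportproxy\b.*\badd\b")),
]

# Constructed process-creation events (ISO timestamp, host, user, command line).
SAMPLE_EVENTS = [
    {"ts": "2023-05-01T02:10:00", "host": "dc01", "user": "corp\\svc_backup",
     "cmdline": r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Windows\Temp\pro" q q'},
    {"ts": "2023-05-01T02:12:00", "host": "dc01", "user": "corp\\svc_backup",
     "cmdline": r"7z.exe a C:\Windows\Temp\out.zip C:\Windows\Temp\pro"},
    {"ts": "2023-05-01T02:30:00", "host": "dc01", "user": "SYSTEM",
     "cmdline": r"C:\Windows\system32\svchost.exe -k netsvcs"},
    {"ts": "2023-05-01T03:05:00", "host": "ws07", "user": "corp\\jdoe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=9443 "
                "listenaddress=0.0.0.0 connectport=443 connectaddress=10.0.0.5"},
    {"ts": "2023-05-01T09:00:00", "host": "ws12", "user": "corp\\admin",
     "cmdline": "wmic logicaldisk get name,size"},
    {"ts": "2023-05-01T09:01:00", "host": "ws12", "user": "corp\\admin",
     "cmdline": r"notepad.exe C:\Users\admin\notes.txt"},
]


def match_rules(cmdline):
    """Return the (rule, category) pairs that fire on a single command line."""
    low = cmdline.lower()
    return [(name, cat) for name, cat, rx in RULES if rx.search(low)]


def detect(events):
    """Per-event findings: one record per (event, rule) hit."""
    findings = []
    for ev in events:
        for name, cat in match_rules(ev["cmdline"]):
            findings.append({**ev, "rule": name, "category": cat})
    return findings


def correlate(findings, window=timedelta(hours=1)):
    """Escalate a (host, user) pair when two or more distinct categories fire
    inside `window`. A lone LOLBin under a valid account is routine; credential
    access followed by staging or proxy set-up on the same host is not.
    Returns {(host, user): sorted list of categories}."""
    by_key = defaultdict(list)
    for f in findings:
        by_key[(f["host"], f["user"])].append(f)
    alerts = {}
    for key, hits in by_key.items():
        hits.sort(key=lambda f: f["ts"])
        for i, first in enumerate(hits):
            t0 = datetime.fromisoformat(first["ts"])
            cats = {f["category"] for f in hits[i:]
                    if datetime.fromisoformat(f["ts"]) - t0 <= window}
            if len(cats) >= 2:
                alerts[key] = sorted(cats)
                break
    return alerts


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['ts']} {h['host']} {h['user']}: {h['rule']} <- {h['cmdline']}")
    for (host, user), cats in correlate(hits).items():
        print(f"ALERT {host} {user}: {', '.join(cats)}")
```

Run stand-alone it lists four single-rule hits but raises only one alert, for the backup account on dc01, where a directory-services dump was followed two minutes later by archiving. The lone portproxy on ws07 and the wmic query on ws12 are left as low-priority hits, which is the trade-off this kind of correlation makes: it trades single-event recall for a much lower false-positive rate against administrators doing the same things legitimately.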
The National Security Agency (NSA) has also issued a Cybersecurity Advisory [PDF] that includes a hunting guide for the actor's tactics, techniques, and procedures (TTPs).
As with all nation-state actor activity it observes, Microsoft has notified targeted or compromised customers directly, providing them with the information they need to secure their environments.
To understand Microsoft’s method of tracking threat actors, you can refer to their newly established threat actor naming taxonomy.