{"id":69,"date":"2023-05-29T20:13:29","date_gmt":"2023-05-29T10:13:29","guid":{"rendered":"https:\/\/thatcybergirl.com\/?p=69"},"modified":"2023-05-30T21:44:52","modified_gmt":"2023-05-30T11:44:52","slug":"volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques","status":"publish","type":"post","link":"https:\/\/thatcybergirl.com\/index.php\/2023\/05\/29\/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques\/","title":{"rendered":"Volt Typhoon targets US critical infrastructure with living-off-the-land techniques"},"content":{"rendered":"\n<figure class=\"wp-block-gallery has-nested-images columns-default is-cropped wp-block-gallery-1 is-layout-flex wp-block-gallery-is-layout-flex\">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"474\" height=\"355\" data-id=\"70\" src=\"https:\/\/thatcybergirl.com\/wp-content\/uploads\/2023\/05\/Chinese-Volt-Typhoon.jpeg\" alt=\"\" class=\"wp-image-70\" srcset=\"https:\/\/thatcybergirl.com\/wp-content\/uploads\/2023\/05\/Chinese-Volt-Typhoon.jpeg 474w, https:\/\/thatcybergirl.com\/wp-content\/uploads\/2023\/05\/Chinese-Volt-Typhoon-300x225.jpeg 300w\" sizes=\"auto, (max-width: 474px) 100vw, 474px\" \/><\/figure>\n<\/figure>\n\n\n\n<p>Microsoft has detected stealthy and targeted malicious attacks that are primarily focused on credential access and exploration of network systems following a successful compromise. These operations target essential infrastructure organisations in the United States and are orchestrated by Volt Typhoon, a China-based state-sponsored actor, who engages in information gathering and espionage. 
Microsoft believes that the current Volt Typhoon campaign is developing capabilities with the potential to disrupt critical communication infrastructure between the United States and Asia during a potential future crisis.<\/p>\n\n\n\n<p>Active since mid-2021, Volt Typhoon has targeted key infrastructure organisations in Guam and other parts of the United States. The campaign has impacted organisations across various sectors, including communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education. The observed behaviour indicates the threat actor&#8217;s intention to carry out espionage and maintain undetected access for an extended period. While Microsoft&#8217;s visibility into these threats has allowed for the deployment of detection methods for their customers, the lack of insight into other parts of the actor\u2019s activities has pushed for broader industry awareness, investigations, and protective measures across the security ecosystem.<\/p>\n\n\n\n<p>To meet Volt Typhoon&#8217;s goals, the threat actor heavily focuses on maintaining stealth in this campaign, predominantly using <a href=\"https:\/\/thatcybergirl.com\/index.php\/2023\/05\/29\/understanding-living-off-the-land-techniques-in-cybersecurity\/\" target=\"_blank\" rel=\"noopener\" title=\"Understanding \u201cLiving Off the Land\u201d Techniques in Cybersecurity\">living-off-the-land<\/a> techniques and hands-on-keyboard activity. They utilise the command line to collect data, including local and network system credentials, stage the data for exfiltration by storing it in an archive file, and use the stolen valid credentials to ensure persistence. Furthermore, Volt Typhoon attempts to mimic regular network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware. 
They&#8217;ve been observed using customised versions of open-source tools to create a command and control (C2) channel via a proxy to further remain undetected.<\/p>\n\n\n\n<p>As highlighted in information released by <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/05\/24\/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques\/\" target=\"_blank\" rel=\"noopener\" title=\"Microsoft\">Microsoft<\/a>, this current Volt Typhoon campaign is predominantly against critical infrastructure providers, using methods to gain and maintain unauthorised access to targeted networks. Given the reliance of this activity on valid accounts and living-off-the-land binaries (LOLBins), the detection and mitigation of this attack could prove difficult. Hence, it is crucial that compromised accounts are closed or have their credentials changed.<\/p>\n\n\n\n<p>The National Security Agency (NSA) has also issued a <a href=\"https:\/\/media.defense.gov\/2023\/May\/24\/2003229517\/-1\/-1\/0\/CSA_Living_off_the_Land.PDF\" target=\"_blank\" rel=\"noopener\" title=\"NSA Cybersecurity Advisory [PDF]\">Cybersecurity Advisory [PDF]<\/a> which includes a hunting guide for the tactics, techniques, and procedures (TTPs).<\/p>\n\n\n\n<p>Consistent with all observed nation-state actor activity, Microsoft has been directly communicating with targeted or compromised customers, offering crucial information to secure their environments. 
<\/p>\n\n\n\n<p>To understand Microsoft&#8217;s method of tracking threat actors, you can refer to their newly established <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/04\/18\/microsoft-shifts-to-a-new-threat-actor-naming-taxonomy\/\" target=\"_blank\" rel=\"noopener\" title=\"Microsoft shifts to a new threat actor naming taxonomy\">threat actor naming taxonomy<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft has detected stealthy and targeted malicious attacks that are primarily focused on credential access and exploration of network systems following a successful compromise. These operations target essential infrastructure organisations in the United States and are orchestrated by Volt Typhoon, a China-based state-sponsored actor, who engages in information gathering and espionage. [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[23,25,26,27],"tags":[],"class_list":["post-69","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","category-hacking-groups","category-state-sponsored","category-volt-typhoon"],"_links":{"self":[{"href":"https:\/\/thatcybergirl.com\/index.php\/wp-json\/wp\/v2\/posts\/69","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thatcybergirl.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thatcybergirl.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thatcybergirl.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/thatcybergirl.com\/index.php\/wp-json\/wp\/v2\/comments?post=69"}],"version-history":[{"c
ount":4,"href":"https:\/\/thatcybergirl.com\/index.php\/wp-json\/wp\/v2\/posts\/69\/revisions"}],"predecessor-version":[{"id":76,"href":"https:\/\/thatcybergirl.com\/index.php\/wp-json\/wp\/v2\/posts\/69\/revisions\/76"}],"wp:attachment":[{"href":"https:\/\/thatcybergirl.com\/index.php\/wp-json\/wp\/v2\/media?parent=69"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thatcybergirl.com\/index.php\/wp-json\/wp\/v2\/categories?post=69"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thatcybergirl.com\/index.php\/wp-json\/wp\/v2\/tags?post=69"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}