Chinese Hackers Compromised US Infrastructure for Data Collection and Disruption
Category: Threat Actor Activity | Industries: Communications, Construction, Critical Infrastructure, Government, Education, Manufacturing, Maritime, Technology, Telecommunications, Transportation, Utilities | Sources: US Defense & Microsoft
The Chinese espionage group known as 'Volt Typhoon' has been actively targeting critical infrastructure organizations in the United States and Guam since 2021. In addition to intelligence collection, the group shows interest in weaponizing its access within compromised organizations. "Microsoft assesses with moderate confidence this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises," said the Microsoft Threat Intelligence team's advisory. A wide range of industries is in scope for the campaign, including communications, construction, government, education, manufacturing, maritime, technology, transportation, and utilities. US agencies released their own advisory alongside Microsoft to share the tactics, techniques, and procedures (TTPs) observed from Volt Typhoon, highlighting the group's stealth, in particular its reliance on living-off-the-land binaries (LOLBins) "almost exclusively" to evade system defense monitoring.
Initial access has been obtained by exploiting public-facing Fortinet FortiGuard devices, although the specific exploits used against the devices were not named. Volt Typhoon operators further their stealth by proxying communications through compromised network devices. According to Microsoft, "Volt Typhoon proxies all its network traffic to its targets through compromised SOHO network edge devices (including routers). Microsoft has confirmed that many of the devices, which include those manufactured by ASUS, Cisco, D-Link, NETGEAR, and Zyxel, allow the owner to expose HTTP or SSH management interfaces to the internet." Not only does this afford Volt Typhoon stealth, it also spares the group the cost of acquiring and managing its own network infrastructure.
During the post-exploitation stage, operators use LOLBins such as CMD, PowerShell, and WMIC to execute commands hands-on-keyboard. Malware deployment is a rarity during their intrusions, as they opt for native processes, although Volt Typhoon does deploy modified versions of open-source tools like Impacket and Fast Reverse Proxy (FRP). For command and control (C2), the native Windows command "netsh portproxy" was also used. The discovery stage of the intrusions was carried out entirely with command-line utilities such as arp, dnscmd, ipconfig, net, netsh, reg, wmic, tasklist, and systeminfo, among others. Valid accounts are leveraged by Volt Typhoon for persistence, using compromised credentials or brute-forced accounts. For credential access, operators dump the LSASS process with comsvcs through an encoded PowerShell command and gather credentials from registry hives. They also have a penchant for the Ntdsutil.exe tool, specifically using it to "create installation media from domain controllers, either remotely or locally." Data of interest was found staged in a password-protected zip file. Volt Typhoon displayed strong technical acumen in evading security monitoring, making detection challenging. Organizations are urged to closely monitor for suspicious logins from unknown locations, off-hours logins, and signs of potential brute force. The advisories shared by Microsoft and US agencies are offered to aid organizations in defending their own networks.
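The monitoring guidance above (suspicious and off-hours logins, brute-force signs, and LOLBin use such as the comsvcs LSASS dump, "netsh portproxy" and Ntdsutil installation media) can be turned into simple detection logic. The following is an added example written for this summary, not code from Microsoft, the US agencies, or Anvilogic. It runs over a handful of constructed Windows Security event records (IDs 4625 failed logon, 4624 successful logon, 4688 process creation) with invented users, addresses and placeholder paths; the business-hours window, thresholds and rule names are assumptions chosen for the example.

```python
"""Detection logic for the Volt Typhoon TTPs described above, run over
constructed Windows Security events: password spraying (4625 bursts from one
source against many accounts), off-hours successful logons (4624), and LOLBin
process creation (4688) for comsvcs LSASS dumps, netsh portproxy and ntdsutil
installation media. Every event below is constructed for this example."""
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample events. Timestamps are local time in ISO 8601;
# 2023-05-24 is a Wednesday. Addresses are documentation ranges / RFC 1918.
EVENTS = [
    # One source fails against six different accounts in two minutes: spraying.
    {"id": 4625, "ts": "2023-05-24T02:10:00", "user": "alice", "src": "198.51.100.7", "cmd": ""},
    {"id": 4625, "ts": "2023-05-24T02:10:20", "user": "bob", "src": "198.51.100.7", "cmd": ""},
    {"id": 4625, "ts": "2023-05-24T02:10:45", "user": "carol", "src": "198.51.100.7", "cmd": ""},
    {"id": 4625, "ts": "2023-05-24T02:11:10", "user": "dave", "src": "198.51.100.7", "cmd": ""},
    {"id": 4625, "ts": "2023-05-24T02:11:40", "user": "erin", "src": "198.51.100.7", "cmd": ""},
    {"id": 4625, "ts": "2023-05-24T02:12:30", "user": "frank", "src": "198.51.100.7", "cmd": ""},
    # A user mistyping their own password twice: one account, not spraying.
    {"id": 4625, "ts": "2023-05-24T09:01:00", "user": "alice", "src": "10.0.0.5", "cmd": ""},
    {"id": 4625, "ts": "2023-05-24T09:01:30", "user": "alice", "src": "10.0.0.5", "cmd": ""},
    # Successful logons: one at 03:15 (off hours), one at 09:30 (business hours).
    {"id": 4624, "ts": "2023-05-24T03:15:00", "user": "svc_backup", "src": "10.0.0.9", "cmd": ""},
    {"id": 4624, "ts": "2023-05-24T09:30:00", "user": "alice", "src": "10.0.0.5", "cmd": ""},
    # Process creation: three LOLBin patterns from the advisories plus two benign commands.
    {"id": 4688, "ts": "2023-05-24T03:20:00", "user": "svc_backup", "src": "10.0.0.9",
     "cmd": r"rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump <lsass-pid> <out-path> full"},
    {"id": 4688, "ts": "2023-05-24T03:22:00", "user": "svc_backup", "src": "10.0.0.9",
     "cmd": "netsh interface portproxy add v4tov4 listenport=9999 connectaddress=<relay-host> connectport=8443"},
    {"id": 4688, "ts": "2023-05-24T03:25:00", "user": "svc_backup", "src": "10.0.0.9",
     "cmd": "ntdsutil.exe ifm create full <staging-dir>"},
    {"id": 4688, "ts": "2023-05-24T09:35:00", "user": "alice", "src": "10.0.0.5", "cmd": "ipconfig /all"},
    {"id": 4688, "ts": "2023-05-24T09:36:00", "user": "alice", "src": "10.0.0.5",
     "cmd": "netsh advfirewall show allprofiles"},
]

# Assumed business hours for the off-hours rule (weekdays 07:00-19:00 local).
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)

# Command-line substrings that must all be present (case-insensitive) for a hit.
LOLBIN_RULES = [
    ("comsvcs_lsass_dump", ("comsvcs.dll", "minidump")),
    ("netsh_portproxy_created", ("netsh", "portproxy", "add")),
    ("ntdsutil_install_media", ("ntdsutil", "ifm")),
]


def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def detect_password_spraying(events, min_users=5, window_minutes=10):
    """Return source addresses whose failed logons (4625) touched at least
    `min_users` distinct accounts inside any `window_minutes` sliding window."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_src[e["src"]].append((parse_ts(e["ts"]), e["user"]))
    flagged = []
    window = timedelta(minutes=window_minutes)
    for src, attempts in by_src.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged.append(src)
                break
    return flagged


def detect_off_hours_logons(events):
    """Return (user, src, ts) for successful logons (4624) outside business hours
    or on a weekend."""
    hits = []
    for e in events:
        if e["id"] != 4624:
            continue
        t = parse_ts(e["ts"])
        if t.weekday() >= 5 or not (BUSINESS_START <= t.time() < BUSINESS_END):
            hits.append((e["user"], e["src"], e["ts"]))
    return hits


def detect_lolbin_activity(events):
    """Return (rule_name, user, command_line) for process creations (4688) whose
    command line matches one of LOLBIN_RULES."""
    hits = []
    for e in events:
        if e["id"] != 4688:
            continue
        cmd = e["cmd"].lower()
        for name, needles in LOLBIN_RULES:
            if all(n in cmd for n in needles):
                hits.append((name, e["user"], e["cmd"]))
    return hits


def run_detections(events):
    """Run all three detections and return their findings keyed by rule family."""
    return {
        "password_spraying": detect_password_spraying(events),
        "off_hours_logons": detect_off_hours_logons(events),
        "lolbin_activity": detect_lolbin_activity(events),
    }


if __name__ == "__main__":
    for family, findings in run_detections(EVENTS).items():
        print(family)
        for f in findings:
            print("  ", f)
```

The spraying rule keys on distinct accounts per source rather than total failures, which is what separates a spray from one user mistyping a password; in production the same logic would be fed from a SIEM query over 4625 events rather than an inline list, and the substring rules would typically be joined with parent-process and user context to cut false positives on administrators legitimately using netsh or ntdsutil.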
- LOLbins, Credentials Access & Impacket Wmiexec/C2
Anvilogic Use Cases:
- Password Spraying Windows
- comsvcs.dll Lsass Memory Dump
- Connection Proxy Created - Windows