According to Microsoft and the “Five Eyes” governments, a stealthy Chinese hacking group infiltrated critical infrastructure organizations in the United States and Guam and remained undetected for years.
The tech giant’s threat intelligence team tracks the group under the codename Volt Typhoon and is monitoring suspicious behavior such as post-compromise credential access and network system discovery.
The state-sponsored cluster has been active since June 2021 and hides its intrusion footprint by using tools that are pre-installed on, or built into, the compromised PCs. The actor’s goal is espionage and information gathering.
The most commonly targeted sectors include communications, manufacturing, utilities, transportation, construction, maritime, government, information technology, and education.
The company also assessed that the campaign was developing capabilities to damage crucial communications infrastructure between the US and Asia during future crises.
The attacks are distinguished by their “strong emphasis” on evading detection, relying only on low-tech, living-off-the-land (LotL) methods: data is extracted from local web browser programs, and stolen credentials are used to retain backdoor access.
The main objective is to avoid detection by blending in with ordinary Windows system and network activity, which suggests the threat actor is deliberately staying under the radar in order to collect private data.
Microsoft added that Volt Typhoon tries to blend in with normal network traffic by routing it through compromised small office/home office (SOHO) routers, firewalls, and VPN devices.
The attackers also use compromised servers belonging to other businesses as part of their command-and-control (C2) proxy network, and they build the C2 channel with modified versions of open-source tools; both techniques are rare.
The New York Times reported that the group had successfully planted a malicious web shell after penetrating telecommunications networks on the strategic Pacific island of Guam.
Volt Typhoon initially gains access by exploiting a zero-day vulnerability in internet-facing Fortinet FortiGuard devices, although it has also been seen exploiting vulnerabilities in Zoho ManageEngine servers. That foothold is then used to obtain other users’ credentials and compromise additional systems on the network.
The company also said it alerted affected customers directly and gave them the resources they needed to protect their systems. However, it warned that mitigating such threats can be “particularly challenging” when threat actors rely on legitimate accounts and LOLBins in their attacks.
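As an added illustration of why living-off-the-land activity is hard to spot, and how a defender can still surface it, the following Python script (written for this page; it is not Microsoft’s or Secureworks’ code) runs two simple detections over constructed process-creation events: a burst of built-in discovery commands under one account, and a non-browser process whose command line names a browser credential or cookie store. The binary names, file-name markers, thresholds, and sample log lines are assumptions chosen for illustration, not indicators published on this page.

```python
"""Toy living-off-the-land detection pass over constructed process-creation events.

Assumptions: the discovery-binary list, browser store markers, window size,
threshold and the pipe-delimited sample log are illustrative choices, not
indicators taken from the article.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Built-in Windows binaries frequently involved in host/network discovery (assumed list).
DISCOVERY_IMAGES = {"whoami.exe", "net.exe", "ipconfig.exe", "netstat.exe",
                    "systeminfo.exe", "nltest.exe", "tasklist.exe", "arp.exe"}
# Processes that legitimately open their own credential stores.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Lower-cased path fragments of Chromium/Firefox credential and cookie stores (assumed).
BROWSER_STORE_MARKERS = ("\\login data", "\\web data", "\\network\\cookies",
                         "logins.json", "key4.db")
DISCOVERY_WINDOW = timedelta(minutes=5)
DISCOVERY_THRESHOLD = 4  # distinct discovery tools per host+user inside the window

# Constructed sample telemetry: "timestamp|host|user|image|command line".
SAMPLE_LOG = """\
2023-05-24T10:00:05|WS-17|corp\\jsmith|whoami.exe|whoami /all
2023-05-24T10:00:20|WS-17|corp\\jsmith|ipconfig.exe|ipconfig /all
2023-05-24T10:01:10|WS-17|corp\\jsmith|net.exe|net user /domain
2023-05-24T10:02:45|WS-17|corp\\jsmith|netstat.exe|netstat -ano
2023-05-24T10:03:30|WS-17|corp\\jsmith|nltest.exe|nltest /dclist:corp
2023-05-24T10:30:00|WS-17|corp\\jsmith|cmd.exe|cmd /c copy "C:\\Users\\jsmith\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data" C:\\Temp\\ld.db
2023-05-24T10:31:00|WS-17|corp\\jsmith|chrome.exe|chrome.exe --profile-directory=Default
2023-05-24T11:00:00|WS-22|corp\\asmith|ipconfig.exe|ipconfig /all
2023-05-24T11:45:00|WS-22|corp\\asmith|whoami.exe|whoami
"""


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    host: str
    user: str
    image: str
    cmdline: str


def parse_line(line: str) -> ProcEvent:
    """Parse one pipe-delimited record; the command line may itself contain '|'."""
    ts, host, user, image, cmdline = line.split("|", 4)
    return ProcEvent(datetime.fromisoformat(ts), host, user, image.lower(), cmdline)


def discovery_bursts(events):
    """Return (host, user, tools) for each host+user that ran at least
    DISCOVERY_THRESHOLD distinct discovery binaries inside DISCOVERY_WINDOW."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.image in DISCOVERY_IMAGES:
            by_key[(ev.host, ev.user)].append(ev)
    hits = []
    for (host, user), evs in by_key.items():
        for i, start in enumerate(evs):
            # Sliding window anchored on each discovery event in turn.
            window = [e for e in evs[i:] if e.ts - start.ts <= DISCOVERY_WINDOW]
            tools = {e.image for e in window}
            if len(tools) >= DISCOVERY_THRESHOLD:
                hits.append((host, user, tuple(sorted(tools))))
                break  # one alert per host+user is enough here
    return hits


def browser_store_access(events):
    """Flag non-browser processes whose command line references a browser store."""
    return [ev for ev in events
            if ev.image not in BROWSER_IMAGES
            and any(m in ev.cmdline.lower() for m in BROWSER_STORE_MARKERS)]


def analyze(log_text: str) -> dict:
    """Run both detections over a log and return the findings."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return {"discovery_bursts": discovery_bursts(events),
            "browser_store_access": browser_store_access(events)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for host, user, tools in report["discovery_bursts"]:
        print(f"[discovery burst] {host} {user}: {', '.join(tools)}")
    for ev in report["browser_store_access"]:
        print(f"[browser store access] {ev.host} {ev.user} {ev.image}: {ev.cmdline}")
```

Neither rule keys on malware, which is the point: every binary in the sample is a legitimate Windows component, so the signal has to come from sequencing (many discovery tools under one account in a few minutes) and from context (which process is reaching into a browser profile). Real telemetry would need tuning for administrators and inventory agents that run the same commands legitimately.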
Secureworks, which tracks the threat group as Bronze Silhouette, reported that the group “demonstrated careful consideration for operational security and reliance on compromised infrastructure to prevent detection and attribution of its intrusion activity.”
BackdoorDiplomacy (also known as APT15, Playful Taurus, or Vixen Panda) is suspected of being behind the cyberattack; it has been known to target government and diplomatic entities in North America, South America, Africa, and the Middle East since at least 2010.
Conclusion
Microsoft and Western spy agencies believe Chinese hackers attacked crucial equipment on American military bases in Guam using “invincible” malware. According to experts, it is one of the biggest cyber espionage campaigns against the US. As a US military foothold, Guam’s ports and air bases are vital to any Western response to a crisis in Asia. Beijing labeled the Microsoft study “highly unprofessional” and “disinformation”. On Wednesday, Microsoft and the Five Eyes alliance—the spy agencies of the US, Australia, Britain, New Zealand, and Canada—published details of the malware. The Five Eyes intelligence-sharing arrangement is decades old. The partners intend to educate critical infrastructure providers and corporate users on detecting and removing the malware.
The campaign targeted communications, industry, utilities, and transportation, with the aim of keeping access to important systems for as long as possible. The software company said China’s state-sponsored cyber gang “Volt Typhoon” used “living-off-the-land techniques” in its attacks: the hackers enter local networks undetected, then adjust their tools and issue commands. At a Chinese foreign ministry press briefing, spokesperson Mao Ning called the US the “hacker empire” and dismissed the report for its “serious lack of evidence chain”. Experts think the Five Eyes statement is significant because the US and China frequently accuse each other of espionage.