China-Sponsored Actor Targeting Key US Infrastructure, 'Living Off the Land' to Evade Detection
Government agencies and tech giant Microsoft have warned against a Chinese hacker targeting American infrastructure.
According to an alert from Microsoft, the company and federal agencies have found “stealthy and targeted malicious activity focused on post-compromise credential access and network system discovery aimed at critical infrastructure organizations in the United States.”
The Microsoft advisory said “Volt Typhoon, a state-sponsored actor based in China that typically focuses on espionage and information gathering,” is behind the attacks.
The alert said the hacker has a long-range, deadly purpose.
“Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises,” Microsoft wrote.
According to an alert from the Department of Defense, Volt Typhoon does his work by hijacking other systems.
“One of the actor’s primary tactics, techniques, and procedures (TTPs) is living off the land, which uses built-in network administration tools to perform their objectives,” the alert said.
“This TTP allows the actor to evade detection by blending in with normal Windows system and network activities, avoid endpoint detection and response (EDR) products that would alert on the introduction of third-party applications to the host, and limit the amount of activity that is captured in default logging configurations,” the alert said.
The alert said it was issued by American and foreign agencies because “this activity affects networks across U.S. critical infrastructure sectors, and the authoring agencies believe the actor could apply the same techniques against these and other sectors worldwide.”
The advisory warned that small home and office networks are among the most vulnerable.
The advisory said anyone responsible for the security of one of these networks must ensure that “network management interfaces are not exposed to the Internet to avoid them being re-purposed as redirectors by malicious actors. If they must be exposed to the Internet, device owners and operators should ensure they follow zero trust principles and maintain the highest level of authentication and access controls possible.”
Microsoft said Volt Typhoon has been seeking to cause disruption since 2021 and has targeted “critical infrastructure organizations” in American locations, including Guam.
Rob Joyce, the cybersecurity director for the National Security Agency, said Volt Typhoon tunnels into a system to use it for his own ends.
“Cyber actors find it easier and more effective to use capabilities already built into critical infrastructure environments. A PRC state-sponsored actor is living off the land, using built-in network tools to evade our defenses and leaving no trace behind,” he said in a release on the NSA website.
“For years, China has conducted operations worldwide to steal intellectual property and sensitive data from critical infrastructure organizations around the globe,” said Jen Easterly, Cybersecurity and Infrastructure Security Agency director.
“Today’s advisory, put out in conjunction with our US and international partners, reflects how China is using highly sophisticated means to target our nation’s critical infrastructure. This joint advisory will give network defenders more insights into how to detect and mitigate this malicious activity,” she said.
The advisory was jointly issued by the NSA, CISA, FBI, Australian Cyber Security Centre, Canadian Centre for Cyber Security, the New Zealand National Cyber Security Centre, and the United Kingdom National Cyber Security Centre.
Truth and Accuracy
We are committed to truth and accuracy in all of our journalism. Read our editorial standards.
