San Francisco: Microsoft has revealed that a state-sponsored hacker group called Volt Typhoon based in China, which typically focuses on espionage and information gathering, is targeting critical US infrastructure.
The tech giant uncovered stealthy and targeted malicious activity focused on post-compromise credential access and network system discovery aimed at critical infrastructure organisations in the US.
“The attack was carried out by Volt Typhoon, a state-sponsored actor based in China. This campaign is pursuing the development of capabilities that could disrupt critical communications infrastructure between the US and Asia region during future crises,” the company said in a blog post late on Wednesday.
Volt Typhoon has been active since mid-2021 and has targeted critical infrastructure organisations in Guam and elsewhere in the country.
The affected organisations span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.
“Observed behaviour suggests that the threat actor intends to perform espionage and maintain access without being detected for as long as possible,” said Microsoft.
The company said it has directly notified targeted or compromised customers, providing them with important information needed to secure their environments.
Volt Typhoon achieves initial access to targeted organisations through internet-facing “Fortinet FortiGuard devices”.
“The threat actor attempts to leverage any privileges afforded by the Fortinet device, extracts credentials to an Active Directory account used by the device, and then attempts to authenticate to other devices on the network with those credentials,” the team explained.
Once Volt Typhoon gains access to a target environment, they begin conducting hands-on-keyboard activity via the command line.
Some of these commands appear to be exploratory or experimental, as the operators adjust and repeat them multiple times, said Microsoft.
Volt Typhoon rarely uses malware in their post-compromise activity.
“Instead, they rely on living-off-the-land commands to find information on the system, discover additional devices on the network, and exfiltrate data. We describe their activities in the following sections, including the most impactful actions that relate to credential access,” Microsoft explained.