Volt Typhoon State-Sponsored Threat Actors Use Stealth Tactics
Microsoft has detected “stealthy and targeted malicious activity focused on post-compromise credential access and network system discovery aimed at critical infrastructure organizations in the United States” and Guam. The Chinese state-sponsored hackers, known as Volt Typhoon, have been active since at least mid-2021. Volt Typhoon evades detection through “living off the land” tactics, which make their activity difficult to distinguish from regular Windows activity. Cybersecurity and intelligence agencies from the Five Eyes countries (Australia, Canada, New Zealand, the UK, and the US) have published a joint cybersecurity advisory that includes a list of artifacts, mitigations, and indicators of compromise.
Great write up. The attack was targeted, but remember that the techniques described are used by other actors as well, and tend to "trickle down" to less sophisticated attacks. Try to read the document considering which part of the attack you would have been able to detect, and how you may be able to fill in some blind spots.
Many lessons to be learned from this one, especially related to the initial attack vector exploiting vulnerabilities in low-end firewalls/routers from Fortinet and others. A key takeaway: the attacks harvested credentials from those devices and then took advantage of admin privileges on those accounts to launch hard-to-detect living-off-the-land attacks. Once again, use of 2FA on all privileged accounts would have thwarted these attacks or made them much easier to detect.
The core mitigations for this type of attack include being able to monitor for unusual activity, not just unexpected commands, but unusual login hours, activation of services or accounts outside of norms. Yeah, modeling normal is challenging. But you can watch for unexpected PowerShell scripts, login behavior, and enabling of proxy-type services which could enable an end-around your access controls. You can also lock down and instrument critical components like your domain controllers, making unexpected activity easy to spot.
This is the hallmark of a classic nation state intelligence operation – gain access, elevate privilege [credentials], burrow deep [living off the land], collect and exfiltrate data. By taking advantage of available IT tools, discovery is made all the more difficult. The primary objective would be intelligence collection, but given the network’s importance, denial of service would be a secondary objective. Every organization should use this discovery to review their patch management process, as well as to review access logs [privilege account]. If organizations are slow to patch, adversaries have all the time they need to establish a foothold and elevate privileges.
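The comments above recommend watching login behavior, including unusual login hours, for privileged accounts. As an added example (not from the advisory or from any of the commenters), the sketch below builds a per-account baseline of login hours and source hosts and flags deviations; the account names, host names, timestamps and the one-hour tolerance are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data: (ISO timestamp, account, source host). Not from the advisory.
BASELINE = [
    ("2023-05-01T08:12:00", "adm-jlee", "ws-014"),
    ("2023-05-02T09:03:00", "adm-jlee", "ws-014"),
    ("2023-05-03T17:40:00", "adm-jlee", "ws-014"),
    ("2023-05-01T22:05:00", "svc-backup", "bk-01"),
    ("2023-05-02T22:04:00", "svc-backup", "bk-01"),
]
NEW_EVENTS = [
    ("2023-05-10T08:55:00", "adm-jlee", "ws-014"),   # usual hour, known host
    ("2023-05-10T03:17:00", "adm-jlee", "ws-014"),   # outside usual hours
    ("2023-05-10T09:30:00", "adm-jlee", "fw-edge"),  # host never seen for this account
    ("2023-05-10T23:01:00", "svc-backup", "bk-01"),  # within the 1h tolerance
    ("2023-05-10T10:00:00", "adm-old", "ws-200"),    # account with no baseline
]

def build_profile(events):
    """Per account: the hours of day and the source hosts seen in the baseline."""
    profile = defaultdict(lambda: {"hours": set(), "hosts": set()})
    for ts, account, host in events:
        profile[account]["hours"].add(datetime.fromisoformat(ts).hour)
        profile[account]["hosts"].add(host)
    return dict(profile)

def hour_is_usual(hour, usual_hours, tolerance=1):
    # Circular distance, so 23:00 and 00:00 count as one hour apart.
    return any(min((hour - h) % 24, (h - hour) % 24) <= tolerance
               for h in usual_hours)

def flag_logins(profile, events, tolerance=1):
    """Return (timestamp, account, reasons) for each login that deviates."""
    alerts = []
    for ts, account, host in events:
        known = profile.get(account)
        if known is None:
            alerts.append((ts, account, ["no-baseline"]))
            continue
        reasons = []
        if not hour_is_usual(datetime.fromisoformat(ts).hour, known["hours"], tolerance):
            reasons.append("unusual-hour")
        if host not in known["hosts"]:
            reasons.append("new-source-host")
        if reasons:
            alerts.append((ts, account, reasons))
    return alerts

if __name__ == "__main__":
    for alert in flag_logins(build_profile(BASELINE), NEW_EVENTS):
        print(alert)
```

In practice the baseline would come from several weeks of authentication logs, and the alerts would be scoped to privileged and service accounts to keep the volume reviewable.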
Read more in
Defense: People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection (PDF)
Microsoft: Volt Typhoon targets US critical infrastructure with living-off-the-land techniques
Wired: China Hacks US Critical Networks in Guam, Raising Cyberwar Fears
NYT: Chinese Malware Hits Systems on Guam. Is Taiwan the Real Target?
Ars Technica: Chinese state hackers infect critical infrastructure throughout the US and Guam
The Register: Five Eyes and Microsoft accuse China of attacking US infrastructure again
Dark Reading: 'Volt Typhoon' China-Backed APT Infiltrates US Critical Infrastructure Orgs
Bleeping Computer: Chinese hackers breach US critical infrastructure in stealthy attacks