A China-based covert group managed to establish a firm foothold in critical infrastructure organizations in the US and Guam without being detected, Microsoft and the “Five Eyes” countries said on Wednesday.
The tech giant’s threat intelligence team is tracking the activity, which includes post-compromise credential access and discovery of network systems, under the name Volt Typhoon.
The state-sponsored actor is focused on espionage and information gathering, with the cluster active since June 2021 and obfuscating traces of its intrusions by leveraging tools already installed on or built into infected machines.
Targeted sectors included communications, manufacturing, utilities, transportation, construction, maritime, government, information technology, and education.
The company further assessed with moderate confidence that the campaign “pursues the development of capabilities that could disrupt critical communications infrastructure between the United States and the Asian region during a future crisis.”
A defining characteristic of the attacks is a “strong emphasis” on staying under the radar by relying exclusively on living-off-the-land (LotL) techniques to extract data from local web browser applications and leveraging stolen credentials for backdoor access.
The primary goal is to evade detection by blending in with regular Windows system and network activity, which indicates that the threat actor is deliberately keeping a low profile in order to gain access to sensitive information.
“In addition, Volt Typhoon attempts to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware,” Microsoft said.
Another unusual piece of tradecraft is the use of a custom version of an open-source tool to establish a command-and-control (C2) channel over proxies, as well as compromised servers belonging to other organizations in its C2 proxy network, to hide the source of the attack.
In one incident reported by the New York Times, the adversarial collective breached telecommunications networks on the island of Guam, a sensitive US military outpost in the Pacific Ocean, and installed a malicious web shell.
The initial entry vector involved the exploitation of internet-facing Fortinet FortiGuard devices via an unknown zero-day flaw, although Volt Typhoon has also been observed weaponizing weaknesses in Zoho ManageEngine servers. That access is then abused to steal credentials and compromise other devices on the network.
Microsoft also noted that it has directly notified targeted or compromised customers and provided them with the information needed to secure their environments.
However, it warned that it can be “extremely challenging” to mitigate such risks when threat actors use valid accounts and living-off-the-land binaries (LOLBins) to carry out their attacks.
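The difficulty Microsoft describes is that the binaries themselves are legitimate, so a detection has to lean on context rather than on the tool. The following is an added example, not code from the article, Microsoft or Secureworks: it scans a constructed set of Windows process-creation events (Sysmon event ID 1-style columns ProcessId, ParentProcessId, Image and ParentImage are assumed) and flags two of the behaviours the article mentions, LOLBins used for credential access and network discovery, and a command shell spawned by a web-server worker process, which is how a planted web shell typically executes commands. The LOLBin list and the web-worker names are assumptions for illustration, not indicators tied to Volt Typhoon, and the sample log is constructed.

```python
"""Added example: context-aware LOLBin and web-shell detection over
constructed Windows process-creation events. Not the article's code."""
import csv
import io
from dataclasses import dataclass

# Assumption: well-known Windows LOLBins grouped by the behaviour they are
# commonly abused for. The article names no binaries; tune for your estate.
LOLBINS = {
    "credential_access": {"ntdsutil.exe", "vssadmin.exe"},
    "discovery": {"netsh.exe", "wmic.exe", "nltest.exe", "net.exe"},
}
# Assumption: web-server worker processes that should never spawn a shell.
WEB_WORKERS = {"w3wp.exe", "httpd.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

# Constructed sample log: a benign service start, a shell spawned by an IIS
# worker, two LOLBins descending from that shell, and one LOLBin launched
# from an interactive desktop session.
SAMPLE_LOG = r"""ProcessId,ParentProcessId,Image,ParentImage
612,500,C:\Windows\System32\svchost.exe,C:\Windows\System32\services.exe
4120,3300,C:\Windows\System32\cmd.exe,C:\Windows\System32\inetsrv\w3wp.exe
4188,4120,C:\Windows\System32\ntdsutil.exe,C:\Windows\System32\cmd.exe
4202,4120,C:\Windows\System32\netsh.exe,C:\Windows\System32\cmd.exe
5010,1234,C:\Windows\System32\netsh.exe,C:\Windows\explorer.exe
"""


@dataclass(frozen=True)
class Finding:
    pid: str
    rule: str
    severity: str
    image: str
    parent: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_events(text: str) -> list:
    """Parse CSV text into a list of event dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def has_web_worker_ancestor(ev: dict, by_pid: dict, max_depth: int = 8) -> bool:
    """Walk parent links; True if any ancestor image is a web-server worker.
    Keyed on PID for brevity; a real pipeline should key on ProcessGuid
    because PIDs are reused."""
    cur = ev
    for _ in range(max_depth):
        if basename(cur["ParentImage"]) in WEB_WORKERS:
            return True
        cur = by_pid.get(cur["ParentProcessId"])
        if cur is None:
            return False
    return False


def detect(events: list) -> list:
    """Emit findings; a LOLBin is high severity only when it descends from
    a web worker, because on its own the binary is legitimate admin tooling."""
    by_pid = {ev["ProcessId"]: ev for ev in events}
    findings = []
    for ev in events:
        image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
        if parent in WEB_WORKERS and image in SHELLS:
            findings.append(Finding(ev["ProcessId"], "webshell_child_process",
                                    "high", image, parent))
        web_ancestry = has_web_worker_ancestor(ev, by_pid)
        for tactic, binaries in LOLBINS.items():
            if image in binaries:
                findings.append(Finding(ev["ProcessId"], f"lolbin_{tactic}",
                                        "high" if web_ancestry else "low",
                                        image, parent))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per severity."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_LOG)):
        print(f"pid {f.pid}: {f.rule} [{f.severity}] {f.parent} -> {f.image}")
```

The point of the ancestry walk is that the same netsh.exe invocation is low severity under explorer.exe and high severity two hops below w3wp.exe; the binary never changes, only its lineage does, which is the kind of context that valid-account and LOLBin activity otherwise hides behind.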
Secureworks, which tracks the threat group under the name Bronze Silhouette, said it had “demonstrated careful consideration for operational security (…) and reliance on compromised infrastructure to prevent the detection and attribution of intrusive activity.”
The development also comes as Reuters disclosed that Chinese hackers targeted the Kenyan government in a series of far-reaching attacks over three years on key ministries and state agencies, in an alleged attempt to gain information about “debt owed to Beijing by the East African nation.”
The digital attacks were allegedly carried out by BackdoorDiplomacy (aka APT15, Playful Taurus, or Vixen Panda), which has been known to target governmental and diplomatic entities across North America, South America, Africa, and the Middle East since at least 2010.