
Details of hacking campaign stealth techniques targeting military and critical infrastructure

Take action: This is an example of a 'long game' attack that demands continuous discipline. The threat actor is not chasing quick profit; they are exploiting vulnerabilities to embed themselves in the system and lie dormant until some future event. The only way to reduce the risk from this threat is disciplined implementation of strong authentication, diligent patching and maintenance, and system hardening: all the things that are difficult, thankless and a major hassle.


Learn More

Microsoft has reported detecting targeted and stealthy malicious activity conducted by an organized hacker group (threat actor) known as Volt Typhoon, based in China. In a rare move, U.S. Navy Secretary Carlos Del Toro confirmed that the military is also targeted and that the Navy was impacted by the intrusions. This group primarily focuses on espionage and information gathering. It is suspected that the threat actor is state-sponsored.

The threat actor demonstrates an intention to maintain prolonged undetected access to the compromised networks. It's useful to highlight this activity to raise awareness and encourage further investigations and protections in the security ecosystem.

The Volt Typhoon campaign has been active since mid-2021 and has targeted critical infrastructure organizations. The behaviour indicates that it aims to develop capabilities that could disrupt critical communications infrastructure between the United States and the Asia region.

The affected critical industries include:

  • communications
  • manufacturing
  • utility
  • transportation
  • construction
  • maritime
  • government
  • information technology
  • education

Techniques and behaviour

In their campaign, the threat actor emphasizes stealth and relies heavily on living-off-the-land techniques and direct human interaction to extend their presence in the system. The techniques explained below are not new, but used in combination they achieve a very stealthy attack, almost like something from a spy movie.

  • enters the organization through vulnerable internet-facing edge devices such as firewalls, modems or email servers, so that no phishing email is sent that a user might notice and report
  • uses fileless malware that never touches the hard drive, so there is no file on disk for the antivirus to scan
  • uses standard operating system utilities or well-known (mildly modified) open-source tools to connect to their command and control servers, since traffic from well-known tools is usually permitted without much scrutiny
  • does not create new credentials, but instead uses stolen credentials of valid users, thus avoiding alarms from user management reviews
  • blends into normal network activity by routing traffic through ordinary small office and home office (SOHO) network equipment, including routers, firewalls and VPN hardware
  • commands for data gathering or further spread in the network are issued to the malware by a human operator rather than hardcoded, which avoids the repeated, predictable actions that behaviour monitoring of processes can detect
  • collected data of value is stored on the hard drive in an innocuous file buried deep in the filesystem until a command to exfiltrate is given, avoiding detections for high-volume outbound network traffic or data leakage prevention alarms

Detecting and mitigating this attack can be challenging due to the use of valid accounts and living-off-the-land techniques. The National Security Agency (NSA) has also published a Cybersecurity Advisory that includes a hunting guide for the tactics, techniques, and procedures (TTPs).
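As an added illustration of the behaviour-monitoring angle the list above mentions, the script below is example code written for this page (not Microsoft's or the NSA's detection logic). It scans process-creation records for a valid account running many distinct built-in utilities within a short window, the fingerprint of a human operator typing discovery commands by hand rather than malware running a fixed script. The record format, the utility watchlist, the thresholds and the sample events are all assumptions constructed for the illustration; in practice the input would be Windows event 4688 or Sysmon event 1 data from your own telemetry.

```python
"""Hunting heuristic for operator-driven living-off-the-land activity.

Added example, not part of the original article. Everything below
(record format, watchlist, thresholds, sample events) is an assumption
made for illustration; tune it to your own environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical watchlist: native OS utilities that an operator typically
# uses for discovery. One of them is normal; many distinct ones from the
# same account within a few minutes is worth a look.
DISCOVERY_UTILITIES = {
    "whoami.exe", "net.exe", "net1.exe", "nltest.exe", "netsh.exe",
    "wmic.exe", "tasklist.exe", "ipconfig.exe", "systeminfo.exe", "dsquery.exe",
}

WINDOW = timedelta(minutes=10)   # how close together the commands must be
THRESHOLD = 4                    # distinct utilities needed to raise an alert

# Constructed sample records: "timestamp|host|user|image path|command line".
# jsmith is a valid account being driven by an operator; the others are noise.
SAMPLE_EVENTS = [
    "2023-05-24T02:13:05|srv-files01|CORP\\jsmith|C:\\Windows\\System32\\whoami.exe|whoami /all",
    "2023-05-24T02:14:40|srv-files01|CORP\\jsmith|C:\\Windows\\System32\\net.exe|net user /domain",
    "2023-05-24T02:16:02|srv-files01|CORP\\jsmith|C:\\Windows\\System32\\nltest.exe|nltest /dclist:corp",
    "2023-05-24T02:17:30|srv-files01|CORP\\jsmith|C:\\Windows\\System32\\netsh.exe|netsh advfirewall show allprofiles",
    "2023-05-24T02:18:11|srv-files01|CORP\\jsmith|C:\\Windows\\System32\\wmic.exe|wmic process list brief",
    "2023-05-24T02:16:30|srv-files01|CORP\\svc-backup|C:\\Windows\\System32\\tasklist.exe|tasklist",
    "2023-05-24T03:16:30|srv-files01|CORP\\svc-backup|C:\\Windows\\System32\\tasklist.exe|tasklist",
    "2023-05-24T08:01:00|wks-042|CORP\\mlee|C:\\Windows\\System32\\ipconfig.exe|ipconfig /all",
    "2023-05-24T09:30:00|wks-042|CORP\\mlee|C:\\Windows\\System32\\whoami.exe|whoami",
    "2023-05-24T09:31:00|wks-042|CORP\\mlee|C:\\Windows\\System32\\notepad.exe|notepad notes.txt",
]


def parse_event(line):
    """Parse one constructed record into a dict; image is the bare lowercase filename."""
    ts, host, user, image, cmdline = line.split("|", 4)
    return {
        "ts": datetime.fromisoformat(ts),
        "host": host,
        "user": user,
        "image": image.rsplit("\\", 1)[-1].lower(),
        "cmdline": cmdline,
    }


def hunt_lotl_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per (host, user) whose use of watchlisted utilities
    reaches `threshold` distinct binaries inside any `window`-long span."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    by_session = defaultdict(list)
    for e in events:
        if e["image"] in DISCOVERY_UTILITIES:
            by_session[(e["host"], e["user"])].append(e)

    alerts = []
    for (host, user), evs in by_session.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits in `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            seen = {x["image"] for x in evs[start:end + 1]}
            if len(seen) >= threshold:
                alerts.append({
                    "host": host,
                    "user": user,
                    "utilities": sorted(seen),
                    "first": evs[start]["ts"].isoformat(),
                    "last": evs[end]["ts"].isoformat(),
                })
                break  # one alert per session is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in hunt_lotl_bursts(SAMPLE_EVENTS):
        print(f"[LOTL burst] {alert['host']} {alert['user']} "
              f"{alert['first']}..{alert['last']}: {', '.join(alert['utilities'])}")
```

On the constructed data only the jsmith session trips the rule: four distinct discovery utilities in under five minutes, while the backup account's repeated single command and the workstation user's scattered commands stay quiet. The point is that the alert keys on the variety and pacing of ordinary tools rather than on any single binary or file hash, which is the only handle a defender has when the binaries are legitimate and the account is a real one.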

Microsoft has directly notified suspected targeted or compromised customers, providing them with the information needed to secure their environments. The company continues to monitor Volt Typhoon's activity and track any changes in their techniques and tools. Mitigation efforts focus on enforcing strong multi-factor authentication, reducing the attack surface, hardening the LSASS process, enabling cloud-delivered protection, and running endpoint detection and response (EDR) in block mode.
