Chinese State Hacker ‘Volt Typhoon’ Targets Guam and US
Targets Are Critical Infrastructure – Likely for Cyberespionage, Long-Term Access
David Perera (@daveperera) • May 24, 2023
A B-52 Stratofortress at Andersen Air Force Base, Guam, in an undated file photo (Image: U.S. Air Force)
A Chinese state hacker has targeted critical infrastructure in Guam and the United States with the likely intent of cyberespionage and maintaining long-term access.
Microsoft dubbed the threat actor “Volt Typhoon” on Wednesday in a coordinated disclosure with the U.S. government and close allies that make up the Five Eyes intelligence-sharing alliance.
Microsoft says Volt Typhoon has been active since mid-2021. Among its targeted critical infrastructure sectors are communications, information technology and government agencies. Guam, just hours away from Taiwan via airplane, is the site of two major American military bases, including Andersen Air Force Base.
Threat intelligence firm Mandiant called Volt Typhoon’s actions “aggressive and potentially dangerous” but cautioned that the intrusions “don’t necessarily indicate attacks are looming.”
Relations between Beijing and Washington have deteriorated amid ramped-up military demonstrations by mainland China against Taiwan, which it says should fall under its sovereignty. One U.S. Air Force general reportedly told subordinates in January he anticipates the outbreak of war with China over the next two years, although other international affairs experts say Chinese President Xi Jinping is aware of the potential economic and reputational costs of a land invasion, particularly after observing Russia’s inability to subdue Ukraine.
Volt Typhoon gains initial access through internet-facing Fortinet FortiGuard devices (see: Chinese Hackers Targeting Security and Network Appliances). Microsoft describes it as extracting the credentials of an Active Directory account used by the device and then attempting to authenticate to other devices on the network with those credentials.
Once inside a network, Volt Typhoon proxies internet traffic through compromised small-office or home-office routers in a bid to make it harder to detect. The company says router owners should ensure the management interfaces are not exposed to the public internet.
Microsoft, the United States and its allies say the Chinese threat actor makes particular use of “living off the land” binaries present on Windows operating system computers. The use of legitimate Windows utilities such as PowerShell makes malicious activity harder to detect. The Five Eyes advisory provides examples of Volt Typhoon commands along with detection signatures to aid network defenders in hunting for this activity.
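As an illustration of the kind of hunting the advisory is meant to support, the following added example (not code from the article, Microsoft, or the Five Eyes advisory) scans exported Windows process-creation records for living-off-the-land utilities invoked in suspicious ways. The record format (`Key=Value|Key=Value`), the sample events and the three rules are the editor's own constructions: the rules are generic hunting heuristics for built-in tools such as netsh, ntdsutil and PowerShell, not the advisory's published signatures.

```python
"""Hunt for suspicious living-off-the-land activity in exported Windows
process-creation events (Security event ID 4688 style records).

Added example, not code from the article or the Five Eyes advisory.
The record format, sample events and rules are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    image: str
    command_line: str
    reason: str


# Heuristic rules (assumed, not official signatures):
# (image basename regex, command-line regex, human-readable reason).
RULES = [
    (r"netsh\.exe", r"\bportproxy\b",
     "netsh portproxy: built-in port forwarding, usable as a traffic relay"),
    (r"ntdsutil\.exe", r"\bifm\b",
     "ntdsutil ifm: offline export of the Active Directory database"),
    (r"powershell\.exe", r"-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}",
     "PowerShell encoded command: script body hidden from casual review"),
]


def parse_event(line: str) -> dict:
    """Parse one 'Key=Value|Key=Value' record into a dict.

    Only the first '=' in each field separates key from value, so command
    lines that themselves contain '=' are preserved intact.
    """
    fields = {}
    for part in line.strip().split("|"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def hunt(lines) -> list:
    """Return a Finding for every event matching one of the RULES."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        image = ev.get("NewProcessName", "")
        basename = image.rsplit("\\", 1)[-1]
        cmd = ev.get("CommandLine", "")
        for image_pat, cmd_pat, reason in RULES:
            if (re.fullmatch(image_pat, basename, re.IGNORECASE)
                    and re.search(cmd_pat, cmd, re.IGNORECASE)):
                findings.append(Finding(
                    host=ev.get("Computer", "?"),
                    user=ev.get("SubjectUserName", "?"),
                    image=basename,
                    command_line=cmd,
                    reason=reason,
                ))
    return findings


# Constructed sample records: three suspicious, two benign.
SAMPLE_EVENTS = [
    r"Computer=WS01|SubjectUserName=jdoe|NewProcessName=C:\Windows\System32\netsh.exe"
    r"|ParentProcessName=C:\Windows\System32\cmd.exe"
    r"|CommandLine=netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5 connectport=8443",
    r"Computer=DC01|SubjectUserName=svc_backup|NewProcessName=C:\Windows\System32\ntdsutil.exe"
    r"|ParentProcessName=C:\Windows\System32\cmd.exe"
    r'|CommandLine=ntdsutil "activate instance ntds" ifm "create full C:\Temp\ntds-export" quit quit',
    r"Computer=WS02|SubjectUserName=asmith|NewProcessName=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|ParentProcessName=C:\Windows\System32\cmd.exe"
    r"|CommandLine=powershell.exe -NoProfile -EncodedCommand VwByAGkAdABlAC0ASABvAHMAdAAgACIAaABpACIA",
    r"Computer=WS03|SubjectUserName=admin|NewProcessName=C:\Windows\System32\netsh.exe"
    r"|ParentProcessName=C:\Windows\explorer.exe"
    r"|CommandLine=netsh advfirewall show allprofiles",
    r"Computer=WS03|SubjectUserName=admin|NewProcessName=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|ParentProcessName=C:\Windows\System32\taskeng.exe"
    r"|CommandLine=powershell.exe -NoProfile -File C:\scripts\backup.ps1",
]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host} {f.user} {f.image}: {f.reason}")
        print(f"    {f.command_line}")
```

Because these utilities are legitimately used by administrators (netsh portproxy for port forwarding, ntdsutil for domain controller maintenance), every hit needs to be compared against a baseline of expected activity for that host and user before it is treated as an intrusion indicator; the value of hunting this way is surfacing candidates for review, not producing verdicts.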