CyberTalk

‘Volt Typhoon’ infiltrates U.S. critical infrastructure organizations


EXECUTIVE SUMMARY:

The state-sponsored threat group known as ‘Volt Typhoon’ has launched a series of cyber attacks affecting organizations in the communications, manufacturing, utility, transportation, information technology and education sectors within the U.S.

Microsoft identified stealthy and targeted malicious behavior focused on post-compromise credential access and network system discovery. The attacks were launched for espionage and intelligence gathering purposes.

Microsoft assesses with “moderate confidence” that this Volt Typhoon campaign is developing capabilities that could be used to disrupt critical communications infrastructure between the United States and Asia during future regional crises.

Attack details

In compromising U.S. infrastructure, Volt Typhoon placed heavy emphasis on stealth, relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity.

The operators issue commands at the command line to: a) collect data, including credentials from local and network systems; b) place that data into an archive file to stage it for exfiltration; and c) use the stolen valid credentials to maintain persistence.

Volt Typhoon blends into normal network traffic by routing its activity through compromised small office and home office (SOHO) network equipment, including routers, firewalls and VPN hardware. The group has also been observed using custom versions of open-source tools to establish a command and control (C2) channel over proxy, which further helps it stay under the radar.

Attack mitigation

Because Volt Typhoon relies on valid accounts and living-off-the-land binaries (LOLBins), identifying and stopping its activity is particularly challenging. Activity that uses normal sign-in channels and system binaries will not trip signature-based controls; detecting it requires behavioral monitoring that looks at what the binaries are doing, by whom and in what sequence. Remediation requires closing or changing the credentials of the compromised accounts.
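The behavioral correlation that the paragraph above calls for, as an added example (not Microsoft's or CyberTalk's code): it classifies Windows process-creation events according to the behaviours described in the attack details (credential collection, archiving for staging, proxying, discovery) and flags a host only when several of them occur together within a time window. The regexes and the sample events are constructed for illustration; ntdsutil, reg save, 7z, makecab, netsh portproxy, wmic, net and nltest are assumed indicators of those behaviours, not indicators taken from the article.

```python
"""Behavioral correlation over Windows process-creation events (constructed sample).

Added example, not Microsoft's detection logic. Indicator patterns are assumptions
chosen to illustrate the behaviours the article describes, not a published ruleset.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed indicator patterns, one per behaviour. Each is a benign system binary on
# its own; the detection value comes from seeing several together on one host.
RULES = {
    "credential_access": re.compile(
        r"ntdsutil.*\bifm\b|reg(\.exe)?\s+save\s+hklm\\(sam|security|system)\b"),
    "archive_staging": re.compile(
        r"\b(7z|rar|makecab)(\.exe)?\b|compress-archive"),
    "proxy_setup": re.compile(
        r"netsh\s+interface\s+portproxy\s+add"),
    "discovery": re.compile(
        r"\bnet(\.exe)?\s+(group|user|view)\b|\bwmic(\.exe)?\b|\bnltest(\.exe)?\b"),
}


def classify(cmdline):
    """Return the names of every rule whose pattern matches the command line."""
    text = cmdline.lower()
    return [name for name, rx in RULES.items() if rx.search(text)]


def correlate(events, window=timedelta(hours=24), min_tactics=2):
    """Flag a host when at least `min_tactics` distinct behaviours occur on it
    within `window`. A single LOLBin hit is noise on most networks (backups run
    ntdsutil, admins run wmic); the chain of behaviours is the signal."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        for tactic in classify(ev["cmdline"]):
            by_host[ev["host"]].append((ev["ts"], tactic, ev["user"], ev["cmdline"]))

    findings = {}
    for host, hits in by_host.items():
        for i, (t0, *_rest) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - t0 <= window]
            tactics = {h[1] for h in in_window}
            if len(tactics) >= min_tactics:
                findings[host] = {"tactics": sorted(tactics), "hits": in_window}
                break  # first qualifying window is enough to raise the host
    return findings


# Constructed sample events; hosts, users and paths are invented for the example.
T = datetime(2023, 5, 24, 9, 0)
SAMPLE_EVENTS = [
    {"ts": T, "host": "dc01", "user": "CORP\\svc_backup",
     "cmdline": r'ntdsutil.exe "ac i ntds" ifm "create full C:\Windows\Temp\pro" q q'},
    {"ts": T + timedelta(minutes=12), "host": "dc01", "user": "CORP\\svc_backup",
     "cmdline": r"7z.exe a -p C:\Windows\Temp\pro.7z C:\Windows\Temp\pro"},
    {"ts": T + timedelta(minutes=40), "host": "dc01", "user": "CORP\\svc_backup",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=9999 "
                "connectaddress=10.0.0.5 connectport=8443"},
    {"ts": T + timedelta(hours=2), "host": "ws17", "user": "CORP\\jsmith",
     "cmdline": "wmic.exe logicaldisk get caption"},
    {"ts": T + timedelta(hours=3), "host": "ws17", "user": "CORP\\jsmith",
     "cmdline": r"notepad.exe C:\Users\jsmith\notes.txt"},
]


if __name__ == "__main__":
    for host, finding in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(finding['tactics'])}")
        for ts, tactic, user, cmdline in finding["hits"]:
            print(f"  {ts:%H:%M} {tactic:<18} {user:<18} {cmdline}")
```

On the sample, only dc01 is raised: a credential dump, an archive of the dump and a port-proxy appear within the hour under one service account. ws17's lone wmic call stays below the threshold. In practice the rules would also be suppressed for known scheduled tasks and backup accounts, which is exactly the kind of context a signature on "ntdsutil.exe" alone cannot carry.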

Microsoft has directly notified targeted or compromised customers and has provided them with the information needed to secure their environments. The company continues to track and respond to Volt Typhoon activity, along with that of other state-sponsored threat groups.

Threat prevention

The Volt Typhoon intrusion campaign may be aggressive, but there’s no indication that more destructive or disruptive cyber attacks are in the works. Nonetheless, you’ll still want to defend against Volt Typhoon and similar threats. Here’s where to start:

For more insights into this story, please see this blog and CyberTalk.org’s supplemental coverage.
