Volt Typhoon, a state-sponsored Chinese espionage actor, has infiltrated US infrastructure networks, warned a joint Cybersecurity Advisory (CSA) issued by the United States and its allies. China, however, has rejected the claim, calling the advisory a “collective disinformation campaign”.
The Chinese espionage group, which has been active since mid-2021, has conducted several cyber attacks targeting critical infrastructure organizations in Guam and networks across the United States, noted a Microsoft security report.
The Volt Typhoon campaign, which is mainly working towards gathering information and espionage, is refining itself to develop capabilities that could gravely impact the communications infrastructure between Asia and the United States.
The joint advisory aims to alert organizations of the activities and techniques used by the state-sponsored Chinese hackers and how the same can be applied worldwide.
The authoring agencies of the joint advisory include the United States NSA, CISA, FBI, Australia’s ACSC, Canada’s CCCS, New Zealand’s NCSC-NZ, and the United Kingdom’s NCSC-UK.
Chinese cyber espionage detected by security researchers
Volt Typhoon, which Secureworks Counter Threat Unit (CTU) researchers track as ‘BRONZE SILHOUETTE’, has carefully run its operations to blend in with legitimate network activity and stay undetected, noted a report published by the cybersecurity company.
“Think of a spy going undercover: their goal is to blend in and go unnoticed. This is exactly what Bronze Silhouette does by mimicking usual network activity,” said Marc Burnard, Senior Consultant, Information Security Research and China thematic lead, Secureworks.
“This suggests a level of operational maturity and adherence to a modus operandi that is engineered to reduce the likelihood of the detection and attribution of the group’s intrusion activity.”
Burnard added that China is known to be “highly skilled in cyber espionage”.
In a series of recent high-profile U.S. Department of Justice indictments of Chinese nationals allegedly involved in cyberespionage, and in public exposures of this type of activity by security vendors, the activity was attributed to the Chinese government.
According to Burnard, this may have increased pressure from leadership within the People’s Republic of China to avoid public scrutiny of its cyberespionage activity.
Activities of Volt Typhoon by the PRC: The LotL way
Volt Typhoon, attributed to the PRC, follows the living off the land (LotL) technique: rather than dropping its own malware, it relies on fileless techniques and LOLBins, legitimate software already present on the system, to carry out its attacks.
This allowed Volt Typhoon to evade detection and blend in with legitimate user activity for most of the attack.
“The actor has leveraged compromised small office/home office (SOHO) network devices as intermediate infrastructure to obscure their activity by having much of the command and control (C2) traffic emanate from local ISPs in the geographic area of the victim,” the advisory noted.
Tools used by Volt Typhoon
Addressing the techniques used by Volt Typhoon, the advisory said, “The actor has used Earthworm and a custom Fast Reverse Proxy (FRP) client with hardcoded C2 callbacks [T1090] to ports 8080, 8443, 8043, 8000, and 10443.” The group used various file names for these tools, including isco_up.exe, cl64.exe, vm3dservice.exe, watchdogd.exe, Win.exe, WmiPreSV.exe, and WmiPrvSE.exe.
The commands used for malicious activity did not require administrative login credentials to return results.
The actors used a Windows Management Instrumentation Command-line (WMIC) query to gather storage data on the local host: drive letter, file system, and more.
The command used by the threat actors: cmd.exe /C “wmic path win32_logicaldisk get caption,filesystem,freespace,size,volumename”
Zero-Trust model advised
As a precaution, the advisory on the PRC-linked Volt Typhoon group noted that small office and home office users must ensure that network management interfaces are not exposed to the internet.
This prevents unauthorized access and stops the devices from being repurposed as redirectors. Adopting the zero-trust principle for access management was also suggested.
Elaborating on the state of compromise of the domain, the advisory wrote, “If an actor can exfiltrate the ntds.dit and SYSTEM registry hive, the entire domain should be considered compromised, as the actor will generally be able to crack the password hashes for domain user accounts, create their own accounts, and/or join unauthorized systems to the domain.”
Users were urged to limit port proxy usage with a time limit so Volt Typhoon and similar groups cannot create backdoors, and bypass the firewall policies.
Volt Typhoon’s whereabouts
Active since mid-2021, Volt Typhoon is based in China and conducts espionage against its targets. “Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises,” a Microsoft report read.
The group’s targets include, but are not limited to, critical infrastructure in Guam and elsewhere in the United States. They have also attacked sectors including government, communications, utility, manufacturing, construction, maritime, and education, among others.
Summing up the attack vector of the Volt Typhoon, the Microsoft report stated that the group gains initial access to organizations via internet-facing Fortinet FortiGuard devices. They extract credentials to misuse them further and rarely use malware in their post-compromise activities.
They were often observed using the command-line tool Ntdsutil.exe to create installation media from domain controllers, the kind of media normally used to set up new domain controllers.
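The indicators the article quotes lend themselves to a simple host-based detection: the hardcoded callback ports and the renamed proxy binaries (L18), the WMIC logical-disk query (L21), the port-proxy misuse the advisory warns about (L26), and Ntdsutil being used to produce installation media (L31). The following script is an added example written for this page; it is not code from the advisory, Microsoft, or Secureworks. It runs a handful of rules over constructed process-creation log lines in a made-up key=value format. Two assumptions are labelled in the code: that the "port proxy" the advisory refers to is the Windows netsh portproxy feature, and that Ntdsutil's ifm (install from media) subcommand is what produces the installation media mentioned. The example also goes slightly beyond the text by treating a legitimately named Windows binary such as WmiPrvSE.exe as suspicious only when it runs from outside the system directories, which is the check a practitioner needs to keep the name-based rule from firing on every real WMI Provider Host process.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicators quoted in the article: file names the proxy client was seen
# under, and the hardcoded C2 callback ports.
PROXY_FILE_NAMES = {"isco_up.exe", "cl64.exe", "vm3dservice.exe", "watchdogd.exe",
                    "win.exe", "wmipresv.exe", "wmiprvse.exe"}
C2_PORTS = {8080, 8443, 8043, 8000, 10443}
# Directories from which the legitimately named Windows binaries (e.g. WmiPrvSE.exe)
# normally run; the same name outside these directories is the suspicious case.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# The WMIC storage reconnaissance query quoted in the article.
WMIC_DISK_RE = re.compile(r"\bwmic\s+path\s+win32_logicaldisk\s+get\b", re.I)
# Assumption: "port proxy" in the advisory means the Windows netsh portproxy feature.
PORTPROXY_RE = re.compile(r"\bnetsh\s+interface\s+portproxy\s+add\b", re.I)
# Assumption: Ntdsutil's "ifm" subcommand is what creates the installation media.
NTDSUTIL_RE = re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b", re.I)

# key=value pairs, with double-quoted values allowed to contain spaces.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


@dataclass
class Event:
    ts: str
    host: str
    image: str          # full path of the created process
    cmdline: str
    dst_port: Optional[int] = None  # outbound port, if the log joined a network event


def parse_event(line: str) -> Event:
    """Parse one constructed log line into an Event."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    port = int(fields["dst_port"]) if "dst_port" in fields else None
    return Event(fields["ts"], fields["host"], fields.get("image", ""),
                 fields.get("cmdline", ""), port)


def classify(ev: Event) -> List[str]:
    """Return the names of every rule the event matches (empty if benign)."""
    hits = []
    name = ev.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name in PROXY_FILE_NAMES and not ev.image.lower().startswith(TRUSTED_DIRS):
        hits.append("proxy-binary-name-outside-system-dir")
    if ev.dst_port in C2_PORTS and name in PROXY_FILE_NAMES:
        hits.append("proxy-callback-port")
    if WMIC_DISK_RE.search(ev.cmdline):
        hits.append("wmic-logicaldisk-recon")
    if PORTPROXY_RE.search(ev.cmdline):
        hits.append("netsh-portproxy-add")
    if NTDSUTIL_RE.search(ev.cmdline):
        hits.append("ntdsutil-ifm")
    return hits


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run every rule over every line; returns (timestamp, host, rule) findings."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for rule in classify(ev):
            findings.append((ev.ts, ev.host, rule))
    return findings


# Constructed sample log lines (not real telemetry). The last line is a genuine
# WMI Provider Host running from System32 and must not be flagged.
SAMPLE_LOG = [
    'ts=2023-05-24T10:01:02Z host=WS01 image=C:\\Windows\\System32\\cmd.exe '
    'cmdline="cmd.exe /C wmic path win32_logicaldisk get caption,filesystem,freespace,size,volumename"',
    'ts=2023-05-24T10:03:17Z host=WS01 image=C:\\Users\\Public\\cl64.exe cmdline="cl64.exe" dst_port=8443',
    'ts=2023-05-24T10:05:40Z host=DC01 image=C:\\Windows\\System32\\ntdsutil.exe '
    'cmdline="ntdsutil.exe ifm create full C:\\temp q q"',
    'ts=2023-05-24T10:07:09Z host=WS02 image=C:\\Windows\\System32\\netsh.exe '
    'cmdline="netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5 connectport=3389"',
    'ts=2023-05-24T10:09:55Z host=WS03 image=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe '
    'cmdline="WmiPrvSE.exe -secured -Embedding"',
]

if __name__ == "__main__":
    for ts, host, rule in scan(SAMPLE_LOG):
        print(f"{ts} {host} {rule}")
```

Each rule on its own is weak evidence: the WMIC query and netsh portproxy are ordinary administrative commands, and the port list overlaps with common web-service ports. The value comes from the combination (a proxy-named binary in a user-writable directory that also talks to one of the callback ports) and from the path check, which is what separates the renamed FRP client from the real WmiPrvSE.exe.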
China Denies Involvement, Rejects Spying Accusations
Reacting to the cybersecurity advisory issued by the US and its allies, the Chinese government rejected the spying accusations, stating that the warning was a “collective disinformation campaign” against the country, Reuters reported.
Refuting the claims, Chinese foreign ministry spokesperson Mao Ning said that the United States was the “empire of hacking” and that the intention of the report was to promote the ‘Five Eyes’ — a global surveillance arrangement between the United States, the United Kingdom, Canada, Australia and New Zealand, the report added.
Response from the team of United States Cyber Defense Agencies
Addressing Chinese threat actors targeting the United States, Jen Easterly, Director of CISA, said, “For years, China has conducted aggressive cyber operations to steal intellectual property and sensitive data from organizations around the globe. Today’s advisory highlights China’s continued use of sophisticated means to target our nation’s critical infrastructure, and it gives network defenders important insights into how to detect and mitigate this malicious activity.”
“We encourage all organizations to review the advisory, take action to mitigate risk, and report any evidence of anomalous activity. We must work together to ensure the security and resilience of our critical infrastructure,” Easterly concluded.
Another CISA advisory about Chinese infiltration and attacks aimed at the United States and other nations stated that China currently is the most active cyber espionage threat. “China almost certainly is capable of launching cyber attacks that could disrupt critical infrastructure services within the United States, including against oil and gas pipelines, and rail systems,” the advisory read.
Mitigation help offered by Microsoft
Microsoft urged affected users to immediately change their passwords and other login credentials to prevent further misuse of their accounts and access. Enabling multi-factor authentication is recommended to defend against Volt Typhoon attacks.
Turning on cloud-delivered protection in Microsoft Defender Antivirus can significantly improve security. Running endpoint detection and response (EDR) in block mode was also encouraged, so that Microsoft Defender can block malicious artifacts even when other antivirus tools on the system are not active.