Chinese Hackers Attacking U.S. Critical Infrastructure Since 2023


VOLTZITE, a designated threat group, has been discovered by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which overlaps with the Volt Typhoon threat group.

This particular threat actor has been targeting since early 2023 and specifically targets emergency management services, telecommunications, satellite services, and the defense industrial base.

Moreover, this particular threat group also uses Living off the Land (LOTL) techniques and native tools available on compromised assets. Additionally, VOLTZITE also performs slow and steady reconnaissance to evade detections for a long time.

Document

Live Account Takeover Attack Simulation

Live attack simulation Webinar demonstrates various ways in which account takeover can happen and practices to protect your websites and APIs against ATO attacks

.


Technical Analysis

According to the reports shared with Cyber Security News, VOLTZITE deploys various web shells and FRP for Command and control communications.

The threat actor utilizes stolen credentials and compromises SOHO (Small Office and Home Office) networking equipment to facilitate lateral movement.

Their activity has been observed since early 2023, but there are speculations that the threat group existed since 2021. As of Early 2023, the threat group was discovered to be related to an incident that involved the US Territory of Guam compromise. 

Other notable activities were in June 2023 (United States emergency management organization) and January 2024 (US telecommunication provider’s external network gateways and a large US city’s emergency services GIS network).

In December 2023, the VOLTZITE was discovered to be involved in exploiting ICS VPN zero-day vulnerabilities alongside the other threat group UTA0178. Some of the applications the threat group exploited are as follows

  • Fortinet Fortiguard
  • PRTG Network Monitor Appliances
  • ManageEngine ADSelfService Plus
  • FatePipe WARP
  • Ivanti Connect Secure VPN
  • Cisco ASA

As for the LOTL techniques, the threat group uses several Windows tools which are

  • Certutil
  • dnscmd
  • Ldifde
  • Makecab
  • net user/group/use
  • netsh
  • nltest
  • ntdsutil
  • PowerShell
  • reg query/save
  • systeminfo
  • tasklist
  • wevtutil
  • wmic
  • xcopy

Dragos has published a complete report providing detailed information about this threat group, exfiltration methods, Lateral movement, and others.



Source link