Microsoft has discovered a clandestine, highly targeted cyberattack aimed at critical infrastructure organizations within the United States. The campaign is run by Volt Typhoon, a Chinese state-sponsored actor primarily engaged in espionage and intelligence collection. Microsoft assesses with moderate confidence that Volt Typhoon is positioning itself to disrupt critical communications infrastructure between the US and Asia during a potential future crisis.
Volt Typhoon has been operational since the middle of 2021, launching attacks on key infrastructure organizations within Guam and other parts of the US. The campaign has impacted a range of sectors including communication, manufacturing, utilities, transportation, construction, maritime, government, IT, and education. The observed actions suggest a primary goal of the threat actor is to carry out espionage and maintain undetected access for an extended period.
To fulfill their objectives, the attacker places a strong focus on stealth. They rely almost entirely on 'living-off-the-land' techniques and hands-on-keyboard activity. Commands are issued via the command line to gather data, including credentials from local and network systems, to bundle that data into an archive file for later exfiltration, and to use the stolen, legitimate credentials for persistence. Volt Typhoon also attempts to camouflage its activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware, and has been observed using customized versions of open-source tools to establish a command and control (C2) channel over a proxy, further aiding their stealth.
Because the actor relies on legitimate accounts and 'living-off-the-land' binaries (LOLBins), detecting and mitigating this activity can be challenging. Compromised accounts must be closed or have their credentials changed.
Additionally, by passively analyzing network traffic, Léargas can identify and alert on various indicators of compromise associated with C2 channels. Léargas's robust protocol analysis capabilities enable it to detect anomalies in network communication, such as unusual traffic patterns, non-standard ports, or suspicious command syntax. It can also identify the presence of known C2 signatures or malicious domains by leveraging its extensive threat intelligence capabilities. With its ability to extract and analyze metadata from network packets, Léargas offers security professionals valuable insights into C2 communication, helping them to proactively detect and respond to threats, enhancing the overall security posture of an organization.
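The kind of passive traffic check described above, as an added example that is not Léargas code or any of Critical Path Security's detection logic: a small Python script that flags two of the indicators named here, an application protocol showing up on a port where it does not belong and a fixed-interval beacon to a single destination, over a constructed connection log (the addresses, timestamps and the expected-port table are assumptions, not real telemetry or indicators).

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection log (epoch seconds, src, dst, dst_port, app protocol);
# the addresses are documentation ranges, not real indicators of compromise.
SAMPLE_CONN_LOG = """\
1684924800 10.0.5.21 198.51.100.7 53 ssl
1684924860 10.0.5.21 198.51.100.7 53 ssl
1684924920 10.0.5.21 198.51.100.7 53 ssl
1684924980 10.0.5.21 198.51.100.7 53 ssl
1684924800 10.0.5.30 203.0.113.9 443 ssl
1684924805 10.0.5.30 203.0.113.9 443 ssl
1684925100 10.0.5.30 203.0.113.9 443 ssl
1684924810 10.0.5.44 192.0.2.50 53 dns
"""
# Ports on which each application protocol is expected (assumed table); anything else is flagged.
EXPECTED_PORTS = {"ssl": {443, 8443}, "http": {80, 8080}, "dns": {53}, "ssh": {22}}

def parse_conn_log(text):
    """Parse whitespace-separated records into dicts (one per non-empty line)."""
    records = []
    for line in text.splitlines():
        ts, src, dst, port, proto = line.split()
        records.append({"ts": int(ts), "src": src, "dst": dst,
                        "port": int(port), "proto": proto})
    return records

def port_protocol_mismatches(records):
    """Flows whose detected protocol is not expected on that port (e.g. TLS on 53)."""
    seen = set()
    for r in records:
        expected = EXPECTED_PORTS.get(r["proto"])
        if expected is not None and r["port"] not in expected:
            seen.add((r["src"], r["dst"], r["port"], r["proto"]))
    return sorted(seen)

def beaconing_pairs(records, min_conns=4, max_jitter=0.1):
    """Pairs whose inter-connection gaps are near-constant over >= min_conns flows."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r["ts"])
    hits = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        # Coefficient of variation of the gaps: 0 means perfectly regular check-ins.
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < max_jitter:
            hits.append(pair)
    return sorted(hits)
```

On real flow data the expected-port table and the jitter threshold need tuning per environment, and a hit is a lead for analyst review rather than a verdict.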
The National Security Agency (NSA) has also released a Cybersecurity Advisory [PDF] that includes a hunting guide for the tactics, techniques, and procedures (TTPs).
Recovering from a nation-state breach is an arduous and complex process that requires a multifaceted approach. It involves a combination of technical remediation, comprehensive threat intelligence gathering, and strategic response planning. Organizations must promptly isolate and contain the breach, while diligently assessing the extent of the damage. Thorough forensic analysis is essential for understanding the attacker's methods and ensuring all compromised systems are identified and secured. Collaboration with government agencies, cybersecurity experts, and incident response teams is crucial for obtaining valuable insights and guidance.
Moreover, organizations need to implement robust security measures, including network segmentation, enhanced monitoring, and user awareness training, to fortify their defenses against future attacks. Recovery from a nation-state breach demands resilience, agility, and a commitment to continuously evolving security practices to safeguard against sophisticated threats in an ever-changing landscape.
As a first step in that action, Critical Path Security has provided the threat intelligence feeds in the link below.