Organizations globally have been urged to remain vigilant amid an ongoing hacking campaign that leverages office networking devices to target critical national infrastructure (CNI) assets.
Research from Microsoft this week revealed that attacks carried out by Volt Typhoon, a Chinese state-sponsored group that commonly focuses on espionage and intelligence gathering, are specifically targeting CNI organizations.
Microsoft said Volt Typhoon relies “almost exclusively” on living-off-the-land (LOTL) techniques and hands-on-keyboard activity.
LOTL attacks typically see attackers compromise a victim’s system and use the systems and tools that are already installed to achieve their goals, rather than executing their own code or malware payloads, for example.
“To achieve their objective, the threat actor puts strong emphasis on stealth in this campaign,” said Microsoft, which assisted the Five Eyes investigation.
“They issue commands via the command line to (1) collect data, including credentials from local and network systems, (2) put the data into an archive file to stage it for exfiltration, and then (3) use the stolen valid credentials to maintain persistence.”
As part of the campaign, Volt Typhoon has been observed blending into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment. This includes routers, firewalls, and VPN hardware.
Microsoft confirmed that a number of devices, including those manufactured by ASUS, Cisco, D-Link, Netgear, and Zyxel are at risk and urged owners of these devices to ensure interfaces are not exposed to the public internet to mitigate threats.
The Total Economic Impact™ of Mimecast
Cost savings and business benefits enabled by using Mimecast with Microsoft 365
“Owners of network edge devices should ensure that management interfaces are not exposed to the public internet in order to reduce their attack surface,” the firm said in a blog post.
“By proxying through these devices, Volt Typhoon enhances the stealth of their operations and lowers overhead costs for acquiring infrastructure.”
Marc Burnard, senior consultant for information security research at Secureworks, said that targeting network devices is a common tactic employed by threat actors such as Volt Typhoon, which is also tracked as ‘Bronze Silhouette’.
This enables the group to ‘blend in’ to network traffic and operate behind the scenes with impunity, thereby gaining a stronger foothold and compromising additional assets.
“From our first-hand observations, we determine the group to have a consistent focus on operational security including a minimal intrusion footprint, defense evasion techniques, and use of compromised infrastructure,” he said.
“Think of a spy going undercover, their goal is to blend in and go unnoticed. This is exactly what Bronze Silhouette does by mimicking usual network activity.”
Burnard added that these tactics highlight the group’s “operational maturity and adherence to a modus operandi” that focuses specifically on reducing the likelihood of detection.
Five Eyes response to Chinese hacking threat
The campaign by Volt Typhoon has prompted Five Eyes security agencies to issue an urgent warning to critical infrastructure organizations.
The UK’s National Cyber Security Centre (NCSC) issued a joint statement with the equivalent authorities from the US, Canada, Australia, and New Zealand calling for heightened vigilance amid the ongoing attacks.
“It is vital that operators of critical national infrastructure take action to prevent attackers hiding on their systems, as described in this joint advisory with our international partners,” said Paul Chichester, director of operations at the NCSC.
“We strongly encourage UK essential service providers to follow our guidance to help detect this malicious activity and prevent persistent compromise.”
According to Microsoft, the purpose of the campaign by Volt Typhoon appears to have broader geopolitical goals amid rising tensions between the US and China.
The group has been active since mid-2021, the firm revealed, and has already targeted critical infrastructure organizations in the United States and Guam, a key site for US military activities in the Pacific.
“Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.”
