Global security agencies flag malicious activity of PRC-backed Volt Typhoon group targeting US critical infrastructures


U.S. and international cybersecurity partners have published a joint Cybersecurity Advisory (CSA) highlighting malicious activity executed by a People’s Republic of China (PRC) state-sponsored cyber hacker group known as Volt Typhoon. The agencies have so far revealed that private sector partners have identified that this activity affects networks across U.S. critical infrastructure sectors, and believe the hacker could apply the same techniques against these and other sectors worldwide.

“One of the actor’s primary tactics, techniques, and procedures (TTPs) is living off the land, which uses built-in network administration tools to perform their objectives,” according to the advisory issued Wednesday. “This TTP allows the actor to evade detection by blending in with normal Windows system and network activities, avoid endpoint detection and response (EDR) products that would alert on the introduction of third-party applications to the host, and limit the amount of activity that is captured in default logging configurations.”

The advisory covering Volt Typhoon hacker group has been jointly published by the U.S. National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the Communications Security Establishment’s Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), and the United Kingdom National Cyber Security Centre (NCSC-UK).

Apart from the joint CSA, Microsoft disclosed Wednesday stealthy and targeted malicious activity aimed at U.S. critical infrastructure organizations, largely focused on post-compromise credential access and network system discovery. Deploying living-off-the-land techniques and hands-on-keyboard activity, the Volt Typhoon attackers have targeted critical infrastructure sectors, including communications, manufacturing, utility, transportation, maritime, and government.

The advisory provides organizations with technical information that can be used by network defenders to hunt for malicious cyber activity on their network, including a summary of relevant indicators of compromise (IOC) for quick reference against Volt Typhoon hackers. Suggested mitigations align with the cross-sector Cybersecurity Performance Goals (CPGs) developed by CISA to help organizations prioritize their investments to reduce risk. 

Additionally, CISA and its partners will continue to provide targeted guidance and capabilities to help organizations address the risk of persistent access by adversaries using living-off-the-land techniques, including through its Remote Monitoring and Management planning effort currently being undertaken by the Joint Cyber Defense Collaborative (JCDC).

The agencies identified that some of the built-in tools that the Volt Typhoon group uses include ‘wmic,’ ‘ntdsutil,’ ‘netsh,’ and ‘PowerShell.’ “The advisory provides examples of the actor’s commands along with detection signatures to aid network defenders in hunting for this activity. Many of the behavioral indicators included can also be legitimate system administration commands that appear in benign activity. Care should be taken not to assume that findings are malicious without further investigation or other indications of compromise,” they added.

The advisory outlined that the Volt Typhoon group has leveraged compromised small office/home office (SOHO) network devices as intermediate infrastructure to obscure their activity by having much of the command and control (C2) traffic emanate from local ISPs in the geographic area of the victim. “Owners of SOHO devices should ensure that network management interfaces are not exposed to the Internet to avoid them being re-purposed as redirectors by malicious actors. If they must be exposed to the Internet, device owners and operators should ensure they follow zero trust principles and maintain the highest level of authentication and access controls possible,” it added.

The agencies also revealed that the Volt Typhoon group has used Earthworm and a custom Fast Reverse Proxy (FRP) client with hardcoded C2 callbacks to ports 8080, 8443, 8043, 8000, and 10443, with various filenames including, but not limited to, cisco_up[dot]exe, cl64[dot]exe, vm3dservice[dot]exe, watchdogd[dot]exe, Win[dot]exe, WmiPreSV[dot]exe, and WmiPrvSE[dot]exe.

“For years, China has conducted aggressive cyber operations to steal intellectual property and sensitive data from organizations around the globe,” Jen Easterly, CISA director, said in a media statement. “Today’s advisory highlights China’s continued use of sophisticated means to target our nation’s critical infrastructure, and it gives network defenders important insights into how to detect and mitigate this malicious activity.”

“Cyber actors find it easier and more effective to use capabilities already built into critical infrastructure environments. A PRC state-sponsored actor is living off the land, using built-in network tools to evade our defenses and leaving no trace behind,” according to Rob Joyce, NSA cybersecurity director. “That makes it imperative for us to work together to find and remove the actor from our critical networks.”

“The FBI continues to warn against China engaging in malicious activity with the intent to target critical infrastructure organizations and use identified techniques to mask their detection,” Bryan Vorndran, the FBI’s cyber division assistant director, said. “We, along with our federal and international partners, will not allow the PRC to continue to use these unacceptable tactics. The FBI strives to share information with our private sector partners and the public to ensure they can better protect themselves from this targeted malicious activity.”

“It is vital that operators of critical national infrastructure take action to prevent attackers hiding on their systems, as described in this joint advisory with our international partners,” Paul Chichester, NCSC director of operations, said. “We strongly encourage UK essential service providers to follow our guidance to help detect this malicious activity and prevent persistent compromise.”

“The Canadian Centre for Cyber Security (part of the Communications Security Establishment) joins its international partners in sharing this newly identified threat and accompanying mitigation measures with critical infrastructure sectors,” according to Sami Khoury, head of the Canadian Centre for Cyber Security. “The interconnected nature of our infrastructures and economies highlights the importance of working together with our allies to identify and share real-time threat information.”

Amidst these disclosures, the New York Times reported Wednesday that around the time that the FBI was examining the equipment recovered from the Chinese spy balloon shot down off the South Carolina coast in February, American intelligence agencies and Microsoft detected what they feared was a more worrisome intruder: mysterious computer code appearing in telecommunications systems in Guam and elsewhere in the United States.

“The code, which Microsoft said was installed by a Chinese government hacking group, raised alarms because Guam, with its Pacific ports and vast American air base, would be a centerpiece of any American military response to an invasion or blockade of Taiwan,” the newspaper added. “The operation was conducted with great stealth, sometimes flowing through home routers and other common internet-connected consumer devices, to make the intrusion harder to track.”

To defend against attacks by Volt Typhoon hackers, the agencies call upon organizations to harden domain controllers and monitor event logs, limit port proxy usage within environments, investigate unusual IP addresses and ports, review perimeter firewall configurations for unauthorized changes, look for abnormal account activity, and forward log files to a hardened centralized logging server, preferably on a segmented network. Additionally, they should set the audit policy for Windows security logs to include ‘audit process creation’ and ‘include command line in process creation events,’ and make sure those logs are collected and reviewed.

Since the Volt Typhoon group takes measures to hide its tracks, such as clearing logs, defenders should forward log files to a hardened centralized logging server, preferably on a segmented network, to ensure log integrity and availability. Organizations should also enable logging on their edge devices, including system logs, to be able to identify potential exploitation and lateral movement. They should also enable network-level logging, such as ‘sysmon,’ ‘webserver,’ ‘middleware,’ and network device logs.
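A defender-side triage of the indicators the article relays (the named built-in tools, port proxy usage, the FRP client filenames, and the ‘include command line in process creation events’ audit setting), written as an added example for this page and not taken from the advisory; the key=value record layout and the C:\Windows path heuristic are assumptions.

```python
"""Triage constructed Windows process-creation (Event ID 4688) records for the
living-off-the-land indicators named in the Volt Typhoon advisory. Added example,
not advisory code; the key=value layout (image, user, cmd) is an assumed,
simplified rendering of 4688 fields."""
import re

# Built-in tools the advisory names; their presence alone is not malicious.
LOLBIN_TOOLS = {"wmic.exe", "ntdsutil.exe", "netsh.exe", "powershell.exe"}
# Filenames the advisory lists for the custom FRP client (some mimic Windows binaries).
FRP_NAMES = {"cisco_up.exe", "cl64.exe", "vm3dservice.exe", "watchdogd.exe",
             "win.exe", "wmipresv.exe", "wmiprvse.exe"}
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_record(line):
    """Parse 'key=value key="quoted value"' into a dict; absent keys stay absent."""
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}

def triage(record):
    """Return (severity, reason) findings for one record; [] means nothing to review."""
    findings = []
    image = record.get("image", "")
    name = image.rsplit("\\", 1)[-1].lower()
    cmd = record.get("cmd")
    if name in LOLBIN_TOOLS and cmd is None:
        # Without the command line, a 4688 event cannot separate admin work from abuse.
        findings.append(("gap", "enable 'include command line in process creation events'"))
    if name == "netsh.exe" and cmd and "portproxy" in cmd.lower():
        findings.append(("review", "port proxy change via netsh; the advisory says to limit this"))
    if name == "ntdsutil.exe":
        findings.append(("review", "ntdsutil invoked; confirm with domain controller admins"))
    if name in FRP_NAMES and not image.lower().startswith("c:\\windows\\"):
        # Assumption: the mimicked names (e.g. WmiPrvSE.exe) legitimately run only under C:\Windows.
        findings.append(("high", f"{name} (FRP client filename) running outside C:\\Windows"))
    return findings

def triage_log(lines):
    """Triage every record; result index i corresponds to lines[i]."""
    return [triage(parse_record(line)) for line in lines]

# Constructed sample records, not real telemetry.
SAMPLE_LOG = [
    r'image=C:\Windows\System32\netsh.exe user=svc_net cmd="netsh interface portproxy add v4tov4 listenport=9999 connectport=443 connectaddress=10.0.0.5"',
    r'image=C:\Windows\System32\ntdsutil.exe user=backup_op',  # command line not logged
    r'image=C:\Users\Public\WmiPrvSE.exe user=svc_net cmd="WmiPrvSE.exe"',
    r'image=C:\Windows\System32\wbem\WmiPrvSE.exe user=SYSTEM cmd="wmiprvse.exe -secured -Embedding"',
    r'image=C:\Windows\System32\netsh.exe user=admin cmd="netsh advfirewall show allprofiles"',
]

if __name__ == "__main__":
    for line, findings in zip(SAMPLE_LOG, triage_log(SAMPLE_LOG)):
        for severity, reason in findings:
            print(f"[{severity}] {reason} :: {line}")
```

The legitimate WmiPrvSE.exe and firewall-listing records produce no findings, which is the point of the L17 caveat: the tool name alone is not an indicator.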

Earlier this week, the CISA, FBI, NSA, and MS-ISAC released a comprehensive guide that includes resources on ransomware and data extortion prevention best practices and a response checklist. It also provides tips on threat hunting, preventing common initial infection vectors, and how to address cloud backups and zero trust architecture. The document comes as an update to the 2020 Ransomware Guide, released by CISA and the MS-ISAC.
