China-backed Volt Typhoon group strikes US critical infrastructure using ‘living-off-the-land’ techniques

Microsoft has discovered stealthy and targeted malicious activity targeted at U.S. critical infrastructure organizations, largely focused on post-compromise credential access and network system discovery. Using ‘living-off-the-land’ techniques and hands-on-keyboard activity, the attack is carried out by Volt Typhoon, a state-sponsored hacker group based in China that typically focuses on espionage and information gathering. These attacks have targeted critical infrastructure sectors including communications, manufacturing, utility, transportation, maritime, and government.

“Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises,” the Microsoft Threat Intelligence team wrote in a Wednesday blog post. “Volt Typhoon has been active since mid-2021 and has targeted critical infrastructure organizations in Guam and elsewhere in the United States.”

The Microsoft disclosure prompted U.S. and international cybersecurity authorities to issue a joint Cybersecurity Advisory (CSA) highlighting the recently discovered cluster of activity associated with Volt Typhoon, a People’s Republic of China (PRC) state-sponsored cyber actor. The document provides an overview of hunting guidance and associated best practices to detect adversarial activity across critical environments.

Microsoft also identified that in this campaign, targeted organizations cover the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. Observed behavior suggests that the threat actor intends to perform espionage and maintain access without being detected for as long as possible.

To achieve their objective, the hackers put ‘strong emphasis’ on stealth in this campaign, relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity, Microsoft identified. They issue commands using the command line to collect data, including credentials from local and network systems, put the data into an archive file to stage it for exfiltration, and then use the stolen valid credentials to maintain persistence.

Additionally, Volt Typhoon tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware. They have also been observed using custom versions of open-source tools to establish a command and control (C2) channel over proxy to further stay under the radar.

“Volt Typhoon achieves initial access to targeted organizations through internet-facing Fortinet FortiGuard devices. Microsoft continues to investigate Volt Typhoon’s methods for gaining access to these devices,” the post disclosed. “The threat actor attempts to leverage any privileges afforded by the Fortinet device, extracts credentials to an Active Directory account used by the device, and then attempts to authenticate to other devices on the network with those credentials.”

Volt Typhoon proxies all its network traffic to its targets through compromised SOHO network edge devices (including routers), Microsoft identified. “Microsoft has confirmed that many of the devices, which include those manufactured by ASUS, Cisco, D-Link, NETGEAR, and Zyxel, allow the owner to expose HTTP or SSH management interfaces to the internet.” 

Furthermore, Microsoft added that owners of network edge devices should ensure that management interfaces are not exposed to the public internet to reduce their attack surface. “By proxying through these devices, Volt Typhoon enhances the stealth of their operations and lowers overhead costs for acquiring infrastructure.”

Microsoft also said that once Volt Typhoon gains access to a target environment, they begin conducting hands-on-keyboard activity via the command line. “Some of these commands appear to be exploratory or experimental, as the operators adjust and repeat them multiple times.” 

It has also been observed that Volt Typhoon rarely uses malware in their post-compromise activity. “Instead, they rely on living-off-the-land commands to find information on the system, discover additional devices on the network, and exfiltrate data,” the post added. 

Microsoft has observed Volt Typhoon attempting to dump credentials through the Local Security Authority Subsystem Service (LSASS). The LSASS process memory space contains hashes for the current user’s operating system (OS) credentials. In addition to OS and domain credentials, Volt Typhoon dumps information from local web browser applications. Microsoft has also observed the hackers staging collected data in password-protected archives.

“Volt Typhoon also frequently attempts to use the command-line tool Ntdsutil[dot]exe to create installation media from domain controllers, either remotely or locally,” the post revealed. “These media are intended to be used in the installation of new domain controllers. The files in the installation media contain usernames and password hashes that the threat actors can crack offline, giving them valid domain account credentials that they could use to regain access to a compromised organization if they lose access.”

Microsoft has observed Volt Typhoon discovering system information, including file system types; drive names, size, and free space; running processes; and open networks, the post said. “They also attempt to discover other systems on the compromised network using PowerShell, Windows Management Instrumentation Command-line (WMIC), and the ping command. In a small number of cases, the threat actors run system checks to determine if they are operating within a virtualized environment.”

The post identified that in most cases, Volt Typhoon accesses compromised systems by signing in with valid credentials, the same way authorized users do. “However, in a small number of cases, Microsoft has observed Volt Typhoon operators creating proxies on compromised systems to facilitate access. They accomplish this with the built-in ‘netsh portproxy’ command. In rare cases, they also use custom versions of open-source tools Impacket and Fast Reverse Proxy (FRP) to establish a C2 channel over proxy,” it added.

Microsoft further disclosed that compromised organizations will observe C2 access in the form of successful sign-ins from unusual IP addresses. “The same user account used for these sign-ins may be linked to command-line activity conducting further credential access. Microsoft will continue to monitor Volt Typhoon and track changes in their activity and tooling,” it added.

Mitigating risk from adversaries like Volt Typhoon that rely on valid accounts and living-off-the-land binaries (LOLBins) is particularly challenging, Microsoft said. “Detecting activity that uses normal sign-in channels and system binaries requires behavioral monitoring. Remediation requires closing or changing credentials for compromised accounts.”

Affected critical infrastructure organizations have been called upon to close or change credentials for all compromised accounts. “Depending on the level of collection activity, many accounts may be affected. Identify LSASS dumping and domain controller installation media creation to identify affected accounts. Examine the activity of compromised accounts for any malicious actions or exposed data,” the post added.
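As an added, constructed example (not Microsoft’s or the advisory’s own detection content), the triage below scans process-creation records for the three living-off-the-land patterns the article names (ntdsutil installation-media creation, netsh portproxy listeners, and LSASS memory dumps) and lists the accounts that ran them, which is the account set the remediation step above says to close or rotate; the sample records, rule names and regular expressions are assumptions, not published indicators.

```python
"""Triage constructed process-creation records (account, command line) for the
LOLBin patterns the article describes and report which accounts ran them.
All records, rule names and patterns below are constructed assumptions."""
import re
from collections import defaultdict

# Constructed sample records in a Sysmon / event 4688-like shape: (account, command line).
SAMPLE_EVENTS = [
    ("CORP\\svc-backup",
     'ntdsutil "ac i ntds" ifm "create full C:\\Windows\\Temp\\pro" q q'),
    ("CORP\\jdoe",
     "netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5 connectport=8443"),
    ("CORP\\jdoe", "cmd /c dir C:\\Users"),
    ("CORP\\helpdesk", "procdump64 -accepteula -ma lsass.exe C:\\Temp\\out.dmp"),
    ("CORP\\admin1", "netsh interface portproxy show all"),
]

# Each rule is (name, pattern) applied to the lower-cased command line.
RULES = [
    # ntdsutil "install from media" export of the AD database (contains password hashes)
    ("dc_install_media_via_ntdsutil", re.compile(r"\bntdsutil\b.*\bifm\b.*\bcreate\b")),
    # a new portproxy listener, the built-in proxy the article says operators create
    ("portproxy_listener_added", re.compile(r"\bnetsh\b.*\bportproxy\b.*\badd\b")),
    # command lines that name lsass together with a dump-related token
    ("lsass_memory_dump",
     re.compile(r"(?=.*\blsass\b)(?=.*(\.dmp\b|\bdump\b|minidump|\s-ma\b))")),
]


def triage(events):
    """Return {account: sorted rule names} for every account with at least one hit."""
    hits = defaultdict(set)
    for account, cmdline in events:
        text = cmdline.lower()
        for name, pattern in RULES:
            if pattern.search(text):
                hits[account].add(name)
    return {account: sorted(names) for account, names in hits.items()}


def affected_accounts(events):
    """Accounts whose credentials should be closed or rotated, per the remediation step."""
    return sorted(triage(events))


if __name__ == "__main__":
    for account, names in triage(SAMPLE_EVENTS).items():
        print(f"{account}: {', '.join(names)} -> rotate credentials, review account activity")
```

Read-only portproxy queries and ordinary discovery commands produce no hit, so the output is the short list of accounts to act on rather than every command-line event.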

Microsoft also recommends mitigating the risk of compromised valid accounts by enforcing strong multi-factor authentication (MFA) policies using hardware security keys. It also suggests reducing the attack surface, hardening the LSASS process by enabling Protected Process Light (PPL) for LSASS on Windows 11 devices, and turning on cloud-delivered protection in Microsoft Defender Antivirus to cover evolving attacker tools, techniques, and behaviors such as those exhibited by Volt Typhoon.

The post also recommends running endpoint detection and response (EDR) in block mode, so that Microsoft Defender for Endpoint can block malicious artifacts, even when non-Microsoft antivirus does not detect the threat, or when Microsoft Defender Antivirus is running in passive mode.

Tom Kellermann, senior vice president of cyber strategy at Contrast Security, said in an emailed statement that geopolitical tensions are manifesting in cyberspace. “China is actively pulsing US critical infrastructure before it invades Taiwan. These attacks coupled with the debt crisis will serve as a prelude for the invasion of Taiwan,” he added.

“This APT is interesting in that it focuses on unpatched and insecure routers and other network devices and doesn’t use phishing as their primary initial access method,” Roger Grimes, data-driven defense evangelist at KnowBe4, wrote in an emailed statement. “Most human-directed adversaries now ‘live off the land’, using built-in tools and programs, making it significantly harder to detect malicious behavior.”

Grimes added that every organization must examine what anomalous behavior looks like when being used by malicious adversaries, and how to detect and mitigate it. “This has been the new world of intrusion detection for going on a decade and now is the most common method. Ask yourself if your existing intrusion detection infrastructure could detect these types of attacks and if not, fix it!”
