Unit 42 details Insidious Taurus PRC-sponsored cyber group targeting US critical infrastructure


New research from Palo Alto Networks’ Unit 42 team has revealed that Insidious Taurus (also known as Volt Typhoon) is recognized by U.S. government agencies and their international counterparts as cyber actors sponsored by the People’s Republic of China (PRC). The group is primarily engaged in infiltrating U.S. critical infrastructure IT networks, presumably to lay the groundwork for potential disruptive or destructive cyberattacks should a significant crisis or conflict arise with the U.S.

The Unit 42 details come amidst recent cyber attacks targeting critical infrastructure facilities that have resulted in significant data breaches, impacting operations at a Canadian oil pipeline company, a U.K.-based water company, and a U.S. hospital that is entering its third week of limited communication with patients after its network was hit with a cyberattack. These incidents reveal how sophisticated cybercriminals exploit weaknesses in security systems to disrupt services, steal sensitive information, or demand ransom.

In late 2021, Unit 42 observed a threat actor (now identified as Insidious Taurus) using a then-undisclosed Zoho ManageEngine ADSelfService Plus vulnerability (CVE-2021-40539) for initial access. While performing incident response activities, Unit 42 identified a connection to a network-attached storage (NAS) server with FTP running. It also found a sample of SockDetour in the trash of that NAS.  

“SockDetour is a custom backdoor used to maintain persistence, designed to serve as a backup backdoor in case a threat actor’s primary one is removed,” Unit 42 outlined in its Thursday threat brief. “The tactics and techniques used during this event aligned with what Microsoft then called DEV-0391, which is now known as Volt Typhoon.” 

It added that Insidious Taurus also uses one rarely used malware family, EarthWorm, as well as custom versions of open-source tools Impacket and Fast Reverse Proxy. “Employment of these tools further underscores our assessment of the attackers’ technical skill and their focus on remaining undetected. Exploiting vulnerabilities in internet-facing devices is a known initial access vector for Insidious Taurus. They are believed to have the capability to identify and develop their own zero-day exploits while also taking advantage of publicly disclosed vulnerabilities and exploits.”

Once initial access has been achieved, a common attribute of attacks is the need to generate as little malicious activity as possible to evade detection and blocking by protection software. Getting caught at all, let alone quickly, precludes operational success. 

Unit 42 detailed that the Insidious Taurus hackers take multiple steps to avoid detection, showing an overall technical ability only seen with advanced attackers. One of the ways they do this is by using compromised SOHO devices. Originating attacks from households or small businesses aids attackers because many do not have significant security protections in place. 

In addition to requiring manual software updates, SOHO devices are rarely configured according to best practices by their users, and their network management interfaces are often exposed directly to the internet. For these reasons, attackers of all motivations – including botnet operators – recognize and use SOHO devices for malicious activity. This was true in the case Unit 42 worked in late 2021, where a connection led to the identification of the compromised NAS server.

Unit 42 pointed out that another common technique Insidious Taurus has used to remain undetected, formerly the sole realm of advanced attackers but now more widely used, is known as ‘living off the land.’ This is when attackers abuse legitimate tools – often those used by system administrators for legitimate purposes – for malicious ends.

If captured in logs, this activity often looks similar to legitimate network administration. It includes tools for network enumeration, determining account permissions, and even password recovery. Because of their widespread legitimate use, these tools are often on allow lists for download and can be difficult to detect when used for malicious activity.

Another way actors can hide their activity when interacting with victim networks is to carry out their work through direct hands-on-keyboard activity rather than scripts that automate it, the threat brief added. “By doing so, the attackers can hamper detection efforts again because their activity appears to be expected, human activity rather than a barrage of scripted commands to detect and interdict. For now, this technique remains one only used effectively by advanced attackers due to the required knowledge and skill.”

Industrial cybersecurity firm Dragos disclosed this week that it has been tracking activity by the Voltzite threat group, which overlaps with Volt Typhoon, since early 2023. The group has been observed performing reconnaissance and enumeration of multiple U.S.-based electric companies since early 2023, and since then has targeted emergency management services, telecommunications, satellite services, and the defense industrial base.

Based on the available public information, Unit 42 assesses Insidious Taurus as a top-tier, sophisticated APT. “We concur with the attribution made in both Joint Cyber Security Advisories that this activity is associated with a PRC state-sponsored actor. As activity from Insidious Taurus is challenging to detect, we agree with the CSA’s recommendations to focus on a few key areas. This includes mitigation activities such as updating any internet-facing device like SOHO equipment or virtual private networks (VPNs), as threat actors use these devices as part of a botnet or as an initial access vector.” 

It added that these recommendations also include strengthening the use of multifactor authentication and prioritizing sufficient logging, which can be especially important for detecting activity within an environment that could be indicative of living off the land techniques.
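As an added illustration of the logging point above and of the living-off-the-land discussion earlier (example code written for this article, not Unit 42's or the joint guidance's own tooling): a small Python detector run over constructed process-creation log lines that flags any user/host session whose commands span more than one of the activity categories the article names, whether the commands were typed at human pace or fired from a script. The log format, the sample lines and the command patterns under each category are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation log lines for this example (not from the article).
SAMPLE_LOG = """\
2021-11-03T02:14:07 user=svc_backup host=fs01 cmd="net view /domain"
2021-11-03T02:15:52 user=svc_backup host=fs01 cmd="net group "Domain Admins" /domain"
2021-11-03T02:17:30 user=svc_backup host=fs01 cmd="whoami /priv"
2021-11-03T02:21:05 user=svc_backup host=fs01 cmd="reg save HKLM\\SAM sam.bak"
2021-11-03T09:00:01 user=jsmith host=ws22 cmd="ipconfig /all"
2021-11-03T09:00:01 user=jsmith host=ws22 cmd="whoami /priv"
2021-11-03T11:30:00 user=helpdesk host=ws07 cmd="ipconfig /all"
"""

# The three activity categories the article names (network enumeration, account
# permissions, password recovery); the patterns are this example's assumption.
CATEGORIES = {
    "network_enum": re.compile(r"\b(net view|ipconfig|nltest)\b", re.I),
    "account_perm": re.compile(r"\b(whoami /priv|net group .* /domain|net localgroup)\b", re.I),
    "cred_recovery": re.compile(r"\b(reg save hklm\\sam|ntdsutil)\b", re.I),
}
LINE = re.compile(r'^(\S+) user=(\S+) host=(\S+) cmd="(.*)"$')

def parse(log_text):
    """Yield (timestamp, user, host, command) for each well-formed line."""
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)

def find_lotl_sessions(log_text, window=timedelta(minutes=30), min_categories=2):
    """Alert on any (user, host) whose commands span min_categories categories inside
    one window. Category diversity, not command rate, is the trigger, so a slow
    hands-on-keyboard operator is caught like a scripted burst; cadence is a triage hint."""
    by_session = defaultdict(list)
    for ts, user, host, cmd in parse(log_text):
        for name, pat in CATEGORIES.items():
            if pat.search(cmd):
                by_session[(user, host)].append((ts, name, cmd))
    alerts = []
    for (user, host), events in by_session.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            hits = [e for e in events[i:] if e[0] - start <= window]
            cats = {name for _, name, _ in hits}
            if len(cats) >= min_categories:
                gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
                cadence = "scripted" if gaps and max(gaps) < 2 else "interactive"
                alerts.append({"user": user, "host": host, "categories": sorted(cats), "cadence": cadence})
                break  # one alert per session is enough for triage
    return alerts
```

Without command-line logging of process creation, none of the three categories is visible in the first place, which is the gap the logging recommendation addresses.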

Last week, global cybersecurity agencies released joint guidance to provide threat detection information and mitigations applicable to ‘living-off-the-land’ activity, regardless of the threat hacker. Many organizations do not implement security best practice capabilities that support the detection of LOTL, so this technique continues to be effective with little to no investment in tooling by malicious cyber actors. 

The guidance provides several observed network defense weaknesses that make it difficult for IT administrators to distinguish malicious activity from legitimate behavior, even for those organizations with more mature cyber postures.
