China's Volt Typhoon snoops into US infrastructure, with special attention to Guam.
N2K logoMay 26, 2023

The Five Eyes call out Chinese intelligence services for quiet activity inside US critical infrastructure.

China's Volt Typhoon snoops into US infrastructure, with special attention to Guam.

A joint advisory from all Five Eyes (Australia, Canada, New Zealand, the United Kingdom, and the United States) reports a major Chinese cyberespionage operation that succeeded in penetrating a range of US critical infrastructure sectors. Microsoft, in its own report on Volt Typhoon, as the threat activity is being called, says the group has been active since at least the middle of 2021. The targets of the spying have extended to the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. Microsoft writes that, "Observed behavior suggests that the threat actor intends to perform espionage and maintain access without being detected for as long as possible." It does this, the Five Eyes stress, by carefully living off the land, exploiting existing legitimate administrative tools and privileges in its targets.

Is this operation battlespace preparation?

Much of Volt Typhoon's activity has been directed against Guam, a US Territory in the Western Pacific that hosts important US military bases. Those bases would be important to any US intervention on behalf of Taiwan, should China decide to take a page from Russia's geopolitical playbook and invade what it regards as a renegade province. For its part China dismisses the reports as a coordinated American disinformation campaign, and denies that it's engaged in any of the activities the Five Eyes and Microsoft associate with Volt Typhoon.

Microsoft assesses that this attack could be an effort to enable a disruption of communications between the US military and its Asian allies. “Volt Typhoon has been active since mid-2021 and has targeted critical infrastructure organizations in Guam and elsewhere in the United States. In this campaign, the affected organizations span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.”

John Hutquist, Chief Analyst for Mandiant Intelligence, points out, correctly, that battlespace preparation does not mean an attack is imminent. This kind of activity could be routine state-on-state espionage. “There are a variety of reasons actors target critical infrastructure, but a persistent focus on these sectors may indicate preparation for disruptive or destructive cyberattack," Hultquist writes. "Preparation does not mean attacks are inevitable. States conduct long-term intrusions into critical infrastructure to prepare for possible conflict, because it may simply be too late to gain access when conflict arises. Similar contingency intrusions are regularly conducted by states. These operations are aggressive and potentially dangerous, but they don't necessarily indicate attacks are looming. A far more reliable indicator for destructive and disruptive cyberattack is a deteriorating geopolitical situation. A destructive and disruptive cyberattack is not just a wartime scenario either. This capability may be used by states looking for alternatives to armed conflict.”

Tim Wade, Deputy CTO at Vectra AI, explains that this kind of activity, as inured as we may have become to cyberespionage, still poses a significant risk to industries and their equities. “Cyber security attacks do not exist in a geopolitical vacuum and it is no secret that tensions between the US and China have escalated. While on one hand this is a continuation of the long standing tradition of cyber espionage on behalf of the Chinese government, this is clearly evidence of exercising and exploring the full set of capabilities afforded them in the face of this escalation. While it's less alarming for day-to-day business leaders to think that this may just be posturing between titans, the reality is that collateral damage across adjacent industries and services is inevitable and the precedent for economic damage as a viable tactic has already been firmly established -- as such, business and technology leaders should take stock of the current landscape, understand and update their risk appetites and exposures, and plan accordingly."

Chinese threat actors gained entry via Fortinet and FortiGuard devices. 

Microsoft’s report explains that internet facing Fortinet and FortiGuard devices were penetrated by unknown means. Microsoft writes “The threat actor attempts to leverage any privileges afforded by the Fortinet device, extracts credentials to an Active Directory account used by the device, and then attempts to authenticate to other devices on the network with those credentials.”, adding “Volt Typhoon proxies all its network traffic to its targets through compromised SOHO network edge devices (including routers). Microsoft has confirmed that many of the devices, which include those manufactured by ASUS, Cisco, D-Link, NETGEAR, and Zyxel, allow the owner to expose HTTP or SSH management interfaces to the internet. Owners of network edge devices should ensure that management interfaces are not exposed to the public internet in order to reduce their attack surface. By proxying through these devices, Volt Typhoon enhances the stealth of their operations and lowers overhead costs for acquiring infrastructure.”

Volt Typhoon is living off the land.

Both Microsoft's and the government’s reports explain that Volt Typhoon is using living-off-the-land techniques to avoid detection. This technique utilizes tools that are already installed on the host network, which means that the security systems may not detect the activities, as the actor can blend in with regular Windows traffic.. “Some of the built-in tools this actor uses are: wmic, ntdsutil, netsh, and PowerShell,” according to the joint report.  

Jason Kent, Hacker in Residence with Cequence Security, writes “"Living off the land is a concept that has been around in the security community for a long time. It's why we security professionals say that everything needs to be patched. Many of these types of vulnerabilities are simply unpatched systems that some third party has provided. This means that often, they aren't considered a high priority. Just as with our own revelation when we found LoNg4j, the Log4j vulnerability that often persists in third-party systems, we knew that being a vendor means you have to stay on top of it. Getting these systems found and patched is now a very high priority. Getting the vendors to tell them is going to be difficult, if not impossible. Inventory of everything is important, that needs to include all systems–not just the ones the organization has procured for its own use.”

Recommendations for mitigating the risks of Volt Typhoon.

Roger Grimes, data-driven defense evangelist at KnowBe4, points out that this could be avoided if organizations regularly patched their devices to fix known exploited vulnerabilities. He writes, "This APT is interesting in that it focuses on unpatched and insecure routers and other network devices and doesn't use phishing as their primary initial access method. All organizations need to subscribe to CISA's Known Exploited Vulnerability Catalog and if a vulnerability is on there and is in your environment, make sure it is patched and secure. You don't have to worry about the other 96% of software and firmware vulnerabilities that are never exploited. Concentrate on the 4% that are in the CISA KEVC list and get them secure!"

The joint advisory includes its own recommendations for preventing such an attack:

  • Defenders should harden domain controllers and monitor event logs for ntdsutil.exe and similar process creations. 

Additionally, any use of administrator privileges should be audited and validated to confirm the legitimacy of executed commands.

  • Administrators should limit port proxy usage within environments and only enable them for the period of time in which they are required [2.X].
  • Defenders should investigate unusual IP addresses and ports in command lines, registry entries, and firewall logs to identify other hosts that are potentially involved in actor actions.
  •  In addition to host-level changes, defenders should review perimeter firewall configurations for unauthorized changes and/or entries that may permit external connections to internal hosts.
  • Defenders should also look for abnormal account activity, such as logons outside of normal working hours and impossible time-and-distance logons (e.g., a user logging on from two geographically separated locations at the same time).
  • Defenders should forward log files to a hardened centralized logging server, preferably on a segmented network.

John Shier, Field CTO at Sophos, writes “Since many threat actor activities rely on valid credentials and LOLBins, detection and mitigation can be challenging. Such is the challenge that organizations today require proactive protection, constant monitoring, and a rapid response to suspicious signals. Organizations that invest in the technologies and people required to defend against attacks by nation-state adversaries will also be well positioned to defend against even the most experienced cybercriminals.”