Researchers at Microsoft have detailed a stealthy cyberattack campaign aimed at critical U.S. infrastructure, attributed to a suspected China-based state-sponsored actor.
The threat actor, tracked as Volt Typhoon, has been active since mid-2021 and is suspected of positioning itself to disrupt communications infrastructure between the U.S. and Asia during a future crisis. Sectors affected by the campaign include communications, manufacturing, utilities, transportation, construction, maritime, government, information technology and education.
The campaign emphasizes stealth: it relies on living-off-the-land binaries (LOLBins) and hands-on-keyboard activity rather than custom malware. Observed TTPs include harvesting credentials, staging data for exfiltration, and maintaining persistence in compromised environments by logging in with the stolen valid credentials.
The group tries to blend in with normal network traffic by routing its activity through compromised small office and home office (SOHO) network equipment and by establishing command-and-control (C2) channels over proxies using custom versions of open-source tools.
U.S. intelligence agencies first became aware of the Volt Typhoon campaign in February 2023, at about the same time a suspected Chinese spy balloon crossed North America. The intrusions are concentrated on communications infrastructure in Guam and elsewhere in the U.S., which alarmed intelligence officials because Guam would be central to any U.S. response to a future invasion of Taiwan.
The researchers note that detecting and mitigating this intrusion activity is difficult because it runs on valid accounts and LOLBins, so it looks like routine administration. Microsoft has published details of Volt Typhoon's activities, mitigation guidance, best practices, and the detections Microsoft 365 Defender raises for this activity.
Microsoft has notified targeted or compromised customers directly and provided the necessary information to secure their systems.
Defending against this campaign
- Mitigate the risk of compromised valid accounts by enforcing strong MFA policies using hardware security keys or Microsoft Authenticator. Passwordless sign-in, password expiration rules, and disabling unused accounts also reduce the risk from this access method.
- Reduce the attack surface. Microsoft customers can turn on the following attack surface reduction (ASR) rules to block or audit some of the activity observed in this campaign:
- Block credential stealing from the Windows local security authority subsystem (lsass.exe).
- Block process creations originating from PsExec and WMI commands. Some organizations may experience compatibility issues with this rule on certain server systems, but should deploy it everywhere else to prevent lateral movement originating from PsExec and WMI.
- Block execution of potentially obfuscated scripts.
- Harden the LSASS process by enabling Protected Process Light (PPL) for LSASS on Windows 11 devices. New, enterprise-joined Windows 11 (22H2) installs have this feature enabled by default. In addition, enable Windows Defender Credential Guard, which is also on by default for organizations using the Enterprise edition of Windows 11.
- Turn on cloud-delivered protection in Microsoft Defender Antivirus to cover rapidly evolving attacker tools, techniques, and behaviors such as those exhibited by Volt Typhoon.
- Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts even when a non-Microsoft antivirus misses the threat, or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-compromise.
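The host-side steps above (ASR rules, LSASS PPL, Credential Guard and cloud-delivered protection), as an added PowerShell example that is not part of Microsoft's guidance or of this article. It assumes an elevated session on a Windows 10/11 host running Microsoft Defender Antivirus in active mode. The three rule GUIDs are Microsoft's published ASR rule identifiers; the `$Mode` parameter and the `$AsrRules` table are this example's own. MFA policy and EDR in block mode are tenant-level settings configured in Entra ID and the Defender portal, so they are not covered here. The script defaults to audit mode because the PsExec/WMI rule is the one most likely to break server management tooling: run it, review the audit events it lists, then rerun with `-Mode Enabled`.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or Microsoft). Applies the listed host
# hardening on one machine. Defaults to AuditMode so the PsExec/WMI rule can be
# evaluated before it starts blocking; rerun with -Mode Enabled to enforce.
param(
    [ValidateSet('Enabled', 'AuditMode')]
    [string]$Mode = 'AuditMode'
)

# Published ASR rule GUIDs for the three rules named in the guidance.
$AsrRules = @{
    'Block credential stealing from LSASS'                 = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    'Block process creations from PsExec and WMI commands' = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'
    'Block execution of potentially obfuscated scripts'    = '5beb7efe-fd9a-4556-801d-275e5ffc04cc'
}

# Add-MpPreference appends to the rule list; Set-MpPreference would replace
# any ASR rules already configured on the host.
foreach ($rule in $AsrRules.GetEnumerator()) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $rule.Value `
                     -AttackSurfaceReductionRules_Actions $Mode
    Write-Host "ASR rule '$($rule.Key)' -> $Mode"
}

# Cloud-delivered protection (MAPS) with safe-sample submission.
Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples

# Run LSASS as a Protected Process Light. RunAsPPL=1 enables PPL with a UEFI
# lock (2 enables it without the lock on newer builds). Takes effect on reboot.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $lsa -Name 'RunAsPPL' -Value 1 -Type DWord

# Credential Guard on top of virtualization-based security. LsaCfgFlags=1
# enables it with a UEFI lock (2 = no lock). Needs UEFI, Secure Boot and
# CPU virtualization extensions; also takes effect on reboot.
$dg = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
if (-not (Test-Path $dg)) { New-Item -Path $dg -Force | Out-Null }
Set-ItemProperty -Path $dg  -Name 'EnableVirtualizationBasedSecurity' -Value 1 -Type DWord
Set-ItemProperty -Path $dg  -Name 'RequirePlatformSecurityFeatures'   -Value 1 -Type DWord
Set-ItemProperty -Path $lsa -Name 'LsaCfgFlags'                       -Value 1 -Type DWord

# Verification 1: effective ASR configuration. Actions are reported numerically
# (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn).
$pref = Get-MpPreference
0..($pref.AttackSurfaceReductionRules_Ids.Count - 1) | ForEach-Object {
    [pscustomobject]@{
        RuleId = $pref.AttackSurfaceReductionRules_Ids[$_]
        Action = $pref.AttackSurfaceReductionRules_Actions[$_]
    }
} | Format-Table -AutoSize

# Verification 2: ASR events from the last week. Event 1122 is "would have
# blocked" (audit), 1121 is an actual block. A burst of 1122s for the
# PsExec/WMI rule on a management server is the compatibility issue the
# guidance warns about; review those before switching that rule to Enabled.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

The registry writes for PPL and Credential Guard only take effect after a reboot, and Credential Guard will silently stay off on hardware without Secure Boot and VT-x/AMD-V, so check `Get-ComputerInfo | Select-Object DeviceGuard*` after rebooting rather than trusting the registry values alone.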
Indicators of Compromise