Microsoft has detected stealthy malicious activity by Volt Typhoon, a Chinese state-backed entity known for espionage and data collection. The focus of the attack was critical infrastructure entities in the US and it is believed that the attacks are part of a larger capability that China is building to disrupt crucial communication channels between the US and the Asia region during crises such as an invasion of Taiwan by China.
From the Microsoft Blog:
Volt Typhoon has been active since mid-2021 and has targeted critical infrastructure organizations in Guam and elsewhere in the United States. In this campaign, the affected organizations span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. Observed behavior suggests that the threat actor intends to perform espionage and maintain access without being detected for as long as possible. Microsoft is choosing to highlight this Volt Typhoon activity at this time because of our significant concern around the potential for further impact to our customers. Although our visibility into these threats has given us the ability to deploy detections to our customers, the lack of visibility into other parts of the actor’s activity compelled us to drive broader community awareness and further investigations and protections across the security ecosystem.
Volt Typhoon used living off the land techniques, specifically built-in network administration tools, to fulfill their objectives and to avoid detection by blending into normal Windows system and network activity. Volt Typhoon has leveraged compromised small office / home office (SOHO) network devices as intermediate infrastructure to obscure their activity by having much of the command and control (C2) traffic emanate from local ISPs in the geographic area of the victim.
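Because the tools involved are legitimate Windows binaries, detection has to key on context rather than on the binary itself. The script below is an added example, not code from Microsoft, CISA, or the original post: it triages a constructed, pipe-delimited process-creation log and raises two kinds of alert, a shell or admin tool launched by a non-interactive parent (for instance a web-server worker), and a burst of several different built-in network administration tools from one host within a short window. The log format, the tool list, the parent list, and the host and user names are all assumptions for the example and should be tuned to a real environment.

```python
"""Added example: triage of living-off-the-land use of built-in Windows
network administration tools in process-creation logs.
Log format, tool list and sample data are assumptions for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in Windows binaries used for network/domain administration. None is
# malicious on its own; the signal is who launches them and how many appear
# together. (Assumption: adjust this list for your own environment.)
NETWORK_ADMIN_TOOLS = {
    "netsh.exe", "wmic.exe", "nltest.exe", "netstat.exe", "ipconfig.exe",
    "net.exe", "net1.exe", "ntdsutil.exe", "dnscmd.exe",
}
SHELLS = {"cmd.exe", "powershell.exe"}
# Parents that normally launch shells and admin tools during hands-on work.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}

# Constructed sample log: "timestamp|host|user|parent_image|image|command_line"
SAMPLE_LOG = """\
2023-05-24T09:00:01|WS-ADMIN01|CORP\\jdoe|explorer.exe|cmd.exe|cmd.exe
2023-05-24T09:00:05|WS-ADMIN01|CORP\\jdoe|cmd.exe|ipconfig.exe|ipconfig /all
2023-05-24T13:12:10|SRV-WEB02|NT AUTHORITY\\SYSTEM|w3wp.exe|cmd.exe|cmd.exe /c whoami
2023-05-24T13:12:14|SRV-WEB02|NT AUTHORITY\\SYSTEM|cmd.exe|netsh.exe|netsh interface show interface
2023-05-24T13:13:02|SRV-WEB02|NT AUTHORITY\\SYSTEM|cmd.exe|nltest.exe|nltest /dclist:corp
2023-05-24T13:13:40|SRV-WEB02|NT AUTHORITY\\SYSTEM|cmd.exe|wmic.exe|wmic computersystem get domain
2023-05-24T13:14:05|SRV-WEB02|NT AUTHORITY\\SYSTEM|cmd.exe|netstat.exe|netstat -ano
"""


def parse_log(text):
    """Parse the constructed pipe-delimited lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, parent, image, cmdline = line.split("|", 5)
        events.append({
            "time": datetime.fromisoformat(ts),
            "host": host, "user": user,
            "parent": parent.lower(), "image": image.lower(),
            "cmdline": cmdline,
        })
    return events


def unexpected_parent_alerts(events):
    """A shell or admin tool started by something other than an interactive
    parent (a web-server worker, a service) is a hands-on-keyboard signal."""
    alerts = []
    for e in events:
        if e["image"] in SHELLS | NETWORK_ADMIN_TOOLS and e["parent"] not in INTERACTIVE_PARENTS:
            alerts.append({"host": e["host"], "rule": "unexpected_parent",
                           "image": e["image"], "parent": e["parent"], "time": e["time"]})
    return alerts


def discovery_burst_alerts(events, window=timedelta(minutes=10), min_distinct=3):
    """Several *different* built-in admin tools from one host inside a short
    window looks like network discovery rather than a single admin task."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["image"] in NETWORK_ADMIN_TOOLS:
            by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        for i, e in enumerate(evs):
            recent = [x for x in evs[: i + 1] if e["time"] - x["time"] <= window]
            tools = sorted({x["image"] for x in recent})
            if len(tools) >= min_distinct:
                alerts.append({"host": host, "rule": "discovery_burst",
                               "tools": tools, "time": e["time"]})
                break  # one alert per host is enough for triage
    return alerts


def triage(text):
    """Run both rules over a log and return the combined alert list."""
    events = parse_log(text)
    return unexpected_parent_alerts(events) + discovery_burst_alerts(events)


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

On the sample data the administrator's `ipconfig /all` from an Explorer-launched shell produces nothing, while the web server host trips both rules: a shell spawned by the worker process, and three distinct discovery tools inside two minutes. The thresholds are deliberately conservative; the value of the approach is in the aggregation, since each individual command is something an administrator could legitimately run.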
The full list of TTPs can be found in the joint advisory that CISA published together with partner agencies.