In a recent revelation, Microsoft has unveiled its discovery of Chinese state-backed hackers involved in siphoning data from critical infrastructure organizations in Guam, a strategically significant U.S. territory in the Pacific Ocean. The implications of Chinese-made cyberespionage malware surfacing in Guam are raising eyebrows, as the tiny island is regarded as a vital component in a potential military conflict between China and Taiwan.
Termed as "Volt Typhoon" by Microsoft, this stealthy and targeted malicious campaign focuses on post-compromise credential access and network system discovery. Microsoft's note documenting the APT discovery states that the campaign, with moderate confidence, aims to develop capabilities that could disrupt critical communications infrastructure between the United States and the Asia region during future crises.
In response to the alarming threat, the U.S. government's cybersecurity response agency, CISA, issued an urgent bulletin providing guidance on mitigation, indicators of compromise (IOCs), and other telemetry to aid defenders in detecting signs of compromise.
Microsoft reports that the hacking group, active since mid-2021, has targeted critical infrastructure organizations not only in Guam but also across various sectors in the United States. The targeted entities include communications, manufacturing, utilities, transportation, construction, maritime, government, information technology, and education sectors.
The primary objective of the threat actor is espionage, with an emphasis on maintaining undetected access for as long as possible. The group infiltrates target companies through internet-facing Fortinet FortiGuard devices and utilizes compromised small office/home office (SOHO) routers to obfuscate their activity's origins.
To achieve enhanced stealth and reduce infrastructure acquisition costs, Volt Typhoon leverages devices manufactured by ASUS, Cisco, D-Link, NETGEAR, and Zyxel. These devices, if improperly configured, allow the owner to expose management interfaces to the public internet. Microsoft advises owners of network edge devices to secure their attack surface by ensuring management interfaces are not exposed to the internet.
The report reveals that the group heavily relies on "living-off-the-land" commands to gather system information, identify additional devices within the network, and exfiltrate data.
Experts caution that while this discovery is concerning, it does not necessarily indicate imminent attacks. John Hultquist, Chief Analyst at Google-owned Mandiant, explains that states engage in long-term intrusions into critical infrastructure as part of their preparation for potential conflicts, as gaining access during a crisis could be too late. Russia and China have conducted similar contingency intrusions in various critical infrastructure sectors, not necessarily for immediate effect but as strategic preparations.
Although China's cyber operations exhibit aggression, it does not necessarily signify impending attacks. Hultquist emphasizes that a more reliable indicator of destructive and disruptive cyberattacks is a deteriorating
Other Posts you might be interested in:
Following statements made by the White House in May regarding the dangerous uses of AI, the biggest companies spearheading AI development including Google, Meta, Microsoft, OpenAI and Inflection have agreed on a list of eight voluntary commitments, with the ultimate goal of meliorating safety and usage of AI tools.
Read More
As companies generate and accumulate increasingly large amounts of data, it becomes essential for them to develop and implement data retention policies. These policies help companies manage their data in a consistent and secure manner while also ensuring they comply with legal requirements and regulations.
Read More
CrowdStrike, a cybersecurity company, has released a report revealing a significant increase in data theft activity. The report shows a huge increase in attacks on cloud architectures, with cases involving “cloud-conscious” actors tripling from 2021. With defenders’ scanning for malware, data extraction has become the preferred modus operandi of threat actors.
Read More