In a recent revelation, Microsoft has unveiled its discovery of Chinese state-backed hackers involved in siphoning data from critical infrastructure organizations in Guam, a strategically significant U.S. territory in the Pacific Ocean. The implications of Chinese-made cyberespionage malware surfacing in Guam are raising eyebrows, as the tiny island is regarded as a vital component in a potential military conflict between China and Taiwan.
Termed as "Volt Typhoon" by Microsoft, this stealthy and targeted malicious campaign focuses on post-compromise credential access and network system discovery. Microsoft's note documenting the APT discovery states that the campaign, with moderate confidence, aims to develop capabilities that could disrupt critical communications infrastructure between the United States and the Asia region during future crises.
In response to the alarming threat, the U.S. government's cybersecurity response agency, CISA, issued an urgent bulletin providing guidance on mitigation, indicators of compromise (IOCs), and other telemetry to aid defenders in detecting signs of compromise.
Microsoft reports that the hacking group, active since mid-2021, has targeted critical infrastructure organizations not only in Guam but also across various sectors in the United States. The targeted entities include communications, manufacturing, utilities, transportation, construction, maritime, government, information technology, and education sectors.
The primary objective of the threat actor is espionage, with an emphasis on maintaining undetected access for as long as possible. The group infiltrates target companies through internet-facing Fortinet FortiGuard devices and utilizes compromised small office/home office (SOHO) routers to obfuscate their activity's origins.
To achieve enhanced stealth and reduce infrastructure acquisition costs, Volt Typhoon leverages devices manufactured by ASUS, Cisco, D-Link, NETGEAR, and Zyxel. These devices, if improperly configured, allow the owner to expose management interfaces to the public internet. Microsoft advises owners of network edge devices to secure their attack surface by ensuring management interfaces are not exposed to the internet.
The report reveals that the group heavily relies on "living-off-the-land" commands to gather system information, identify additional devices within the network, and exfiltrate data.
Experts caution that while this discovery is concerning, it does not necessarily indicate imminent attacks. John Hultquist, Chief Analyst at Google-owned Mandiant, explains that states engage in long-term intrusions into critical infrastructure as part of their preparation for potential conflicts, as gaining access during a crisis could be too late. Russia and China have conducted similar contingency intrusions in various critical infrastructure sectors, not necessarily for immediate effect but as strategic preparations.
Although China's cyber operations exhibit aggression, it does not necessarily signify impending attacks. Hultquist emphasizes that a more reliable indicator of destructive and disruptive cyberattacks is a deteriorating
Other Posts you might be interested in:
As companies generate and accumulate increasingly large amounts of data, it becomes essential for them to develop and implement data retention policies. These policies help companies manage their data in a consistent and secure manner while also ensuring they comply with legal requirements and regulations.
Read More
Amidst the proliferation of AI tools, Google has announced new features that allow users to protect themselves from threats, identify AI-generated images and further protect sensitive data.
Read More
Google Cloud has made its Assured Open Source Software platform free, which provides access to vetted open source software packages. The program includes over 1,000 Java and Python packages and features advanced security testing methods to ensure the packages are safe and reliable for developers to use.
Read More