In a recent revelation, Microsoft has unveiled its discovery of Chinese state-backed hackers involved in siphoning data from critical infrastructure organizations in Guam, a strategically significant U.S. territory in the Pacific Ocean. The implications of Chinese-made cyberespionage malware surfacing in Guam are raising eyebrows, as the tiny island is regarded as a vital component in a potential military conflict between China and Taiwan.
Termed as "Volt Typhoon" by Microsoft, this stealthy and targeted malicious campaign focuses on post-compromise credential access and network system discovery. Microsoft's note documenting the APT discovery states that the campaign, with moderate confidence, aims to develop capabilities that could disrupt critical communications infrastructure between the United States and the Asia region during future crises.
In response to the alarming threat, the U.S. government's cybersecurity response agency, CISA, issued an urgent bulletin providing guidance on mitigation, indicators of compromise (IOCs), and other telemetry to aid defenders in detecting signs of compromise.
Microsoft reports that the hacking group, active since mid-2021, has targeted critical infrastructure organizations not only in Guam but also across various sectors in the United States. The targeted entities include communications, manufacturing, utilities, transportation, construction, maritime, government, information technology, and education sectors.
The primary objective of the threat actor is espionage, with an emphasis on maintaining undetected access for as long as possible. The group infiltrates target companies through internet-facing Fortinet FortiGuard devices and utilizes compromised small office/home office (SOHO) routers to obfuscate their activity's origins.
To achieve enhanced stealth and reduce infrastructure acquisition costs, Volt Typhoon leverages devices manufactured by ASUS, Cisco, D-Link, NETGEAR, and Zyxel. These devices, if improperly configured, allow the owner to expose management interfaces to the public internet. Microsoft advises owners of network edge devices to secure their attack surface by ensuring management interfaces are not exposed to the internet.
The report reveals that the group heavily relies on "living-off-the-land" commands to gather system information, identify additional devices within the network, and exfiltrate data.
Experts caution that while this discovery is concerning, it does not necessarily indicate imminent attacks. John Hultquist, Chief Analyst at Google-owned Mandiant, explains that states engage in long-term intrusions into critical infrastructure as part of their preparation for potential conflicts, as gaining access during a crisis could be too late. Russia and China have conducted similar contingency intrusions in various critical infrastructure sectors, not necessarily for immediate effect but as strategic preparations.
Although China's cyber operations exhibit aggression, it does not necessarily signify impending attacks. Hultquist emphasizes that a more reliable indicator of destructive and disruptive cyberattacks is a deteriorating
Other Posts you might be interested in:
As companies generate and accumulate increasingly large amounts of data, it becomes essential for them to develop and implement data retention policies. These policies help companies manage their data in a consistent and secure manner while also ensuring they comply with legal requirements and regulations.
Read More
Microsoft and HPE faced separate breaches by the state-sponsored threat group Midnight Blizzard, with the latter's attack involving data theft from HPE's cloud-based email environment. Both incidents were initiated through password spray attacks, emphasizing the need for organizations to implement multifactor authentication and robust security measures. The challenges posed by nation-state actors underscore the importance of thorough incident response plans and heightened security standards to adapt to the evolving threat landscape.
Read More
There is a new threat that job seekers and employers should be aware of - phishing and malware campaigns that target individuals during the current economic downturn. By exploiting job-themed emails, attackers are attempting to steal sensitive information or hack into devices.
Read More