In a recent revelation, Microsoft has unveiled its discovery of Chinese state-backed hackers involved in siphoning data from critical infrastructure organizations in Guam, a strategically significant U.S. territory in the Pacific Ocean. The implications of Chinese-made cyberespionage malware surfacing in Guam are raising eyebrows, as the tiny island is regarded as a vital component in a potential military conflict between China and Taiwan.
Termed as "Volt Typhoon" by Microsoft, this stealthy and targeted malicious campaign focuses on post-compromise credential access and network system discovery. Microsoft's note documenting the APT discovery states that the campaign, with moderate confidence, aims to develop capabilities that could disrupt critical communications infrastructure between the United States and the Asia region during future crises.
In response to the alarming threat, the U.S. government's cybersecurity response agency, CISA, issued an urgent bulletin providing guidance on mitigation, indicators of compromise (IOCs), and other telemetry to aid defenders in detecting signs of compromise.
Microsoft reports that the hacking group, active since mid-2021, has targeted critical infrastructure organizations not only in Guam but also across various sectors in the United States. The targeted entities include communications, manufacturing, utilities, transportation, construction, maritime, government, information technology, and education sectors.
The primary objective of the threat actor is espionage, with an emphasis on maintaining undetected access for as long as possible. The group infiltrates target companies through internet-facing Fortinet FortiGuard devices and utilizes compromised small office/home office (SOHO) routers to obfuscate their activity's origins.
To achieve enhanced stealth and reduce infrastructure acquisition costs, Volt Typhoon leverages devices manufactured by ASUS, Cisco, D-Link, NETGEAR, and Zyxel. These devices, if improperly configured, allow the owner to expose management interfaces to the public internet. Microsoft advises owners of network edge devices to secure their attack surface by ensuring management interfaces are not exposed to the internet.
The report reveals that the group heavily relies on "living-off-the-land" commands to gather system information, identify additional devices within the network, and exfiltrate data.
Experts caution that while this discovery is concerning, it does not necessarily indicate imminent attacks. John Hultquist, Chief Analyst at Google-owned Mandiant, explains that states engage in long-term intrusions into critical infrastructure as part of their preparation for potential conflicts, as gaining access during a crisis could be too late. Russia and China have conducted similar contingency intrusions in various critical infrastructure sectors, not necessarily for immediate effect but as strategic preparations.
Although China's cyber operations exhibit aggression, it does not necessarily signify impending attacks. Hultquist emphasizes that a more reliable indicator of destructive and disruptive cyberattacks is a deteriorating
Other Posts you might be interested in:
Dutch cybersecurity firm ThreatFabric has detected a new variant of the Android Trojan Xenomorph, classified as Xenomorph.C. This new version introduces a number of new features, which allows attackers to automate fraudulent transactions without human interaction. Xenomorph's creators, Hadoken Group plan to target hundreds of banks across all continents.
Read More
As companies generate and accumulate increasingly large amounts of data, it becomes essential for them to develop and implement data retention policies. These policies help companies manage their data in a consistent and secure manner while also ensuring they comply with legal requirements and regulations.
Read More
Explore essential cybersecurity practices for small and medium-sized businesses, covering employee training, password policies, multi-factor authentication, and more. Elevate your business's security with DeepBlue Computers, offering customized solutions and expertise to fortify against evolving cyber threats.
Read More