An attack group associated with the Chinese government has set up shop on some critical infrastructure networks on Guam, activity that Microsoft researchers believe might be in preparation for future operations in the event of a political or military crisis in the region.
The newly disclosed activity is the work of a group that Microsoft calls Volt Typhoon, a threat actor affiliated with China’s government that has been working since about the middle of 2021. Microsoft researchers said the attackers have targeted critical infrastructure operators in Guam and elsewhere in the United States and are not deploying malware or other malicious tools on compromised machines, but instead are using utilities and other tools that are already available.
“In this campaign, the affected organizations span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. Observed behavior suggests that the threat actor intends to perform espionage and maintain access without being detected for as long as possible,” Microsoft researchers said in a new post Wednesday.
“To achieve their objective, the threat actor puts strong emphasis on stealth in this campaign, relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity.”
Guam is home to a significant U.S. military presence, including naval and air bases, and is an important communications base. Microsoft’s researchers said it is likely that this campaign is part of a long-term strategy to establish the ability to cause problems with U.S. communications should the need arise.
“Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises,” the researchers said.
Attack teams aligned with the Chinese government are among the more active and skilled operators on the scene and have targeted U.S. interests consistently for many years. The U.S. intelligence community has warned about the ongoing activity from these groups, and on Wednesday the NSA, FBI, CISA, and other agencies issued a joint advisory alongside Microsoft’s research about the Volt Typhoon activity. A key characteristic of the Volt Typhoon activity is that the group uses living-off-the-land techniques, meaning it uses the built-in Windows tools and utilities for most of its post-compromise work. “One of the actor’s primary tactics, techniques, and procedures is living off the land, which uses built-in network administration tools to perform their objectives. This TTP allows the actor to evade detection by blending in with normal Windows system and network activities, avoid endpoint detection and response (EDR) products that would alert on the introduction of third-party applications to the host, and limit the amount of activity that is captured in default logging configurations,” the U.S. government advisory says.
The initial access vector for these attacks is a Fortinet FortiGuard device exposed to the Internet, although Microsoft’s researchers were not sure whether the attackers were exploiting a known vulnerability or using some other technique. After gaining the initial foothold, the Volt Typhoon actors then use whatever privileges they have on the device to find and extract other credentials. The attackers then start moving around the network, looking for more credentials and targets to move to. Most of the time, the Volt Typhoon actors use stolen, valid credentials to log into the target devices, but there are some exceptions.
“In rare cases, they also use custom versions of open-source tools Impacket and Fast Reverse Proxy (FRP) to establish a C2 channel over proxy. Compromised organizations will observe C2 access in the form of successful sign-ins from unusual IP addresses. The same user account used for these sign-ins may be linked to command-line activity conducting further credential access,” Microsoft said.
Neither Microsoft nor the U.S. government identified any of the affected critical infrastructure organizations in this campaign, but both organizations recommend that potential targets enforce the use of MFA to mitigate the potential risk.