Volt Typhoon, a state-sponsored actor based in China that typically focuses on espionage and information gathering carried out the attack. Active since 2021, targeting infrastructure organizations in Guam and the U.S. that reach sectors such as communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education.
Microsoft has uncovered and warned, on Wednesday May 24th, “stealthy and targeted malicious activity focused on post-compromise credential access and network system discovery aimed at critical infrastructure organizations in the United States”.
The concern about the hack is rooted in its being directed at Guam, a U.S. territory and island of Micronesia which serves as a crucial military hub. The island, which is the westernmost U.S. territory, serves as a means of deterrence and would be critical in responding to Chinese encroachment in the Asia-Pacific region.
On their official blog they wrote “Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises”. OCD Tech editorial team summarizes the bulletin from The National Security Agency, detailing how the hack works and how cybersecurity teams should respond.
“The United States and international cybersecurity authorities are issuing this joint Cybersecurity Advisory (CSA) to highlight a recently discovered cluster of activity of interest associated with a People’s Republic of China (PRC) state-sponsored cyber actor, also known as Volt Typhoon. Private sector partners have identified that this activity affects networks across U.S. critical infrastructure sectors, and the authoring agencies believe the actor could apply the same techniques against these and other sectors worldwide”.
“One of the actor’s primary tactics, techniques, and procedures (TTPs) is living off the land, which uses built-in network administration tools to perform their objectives. This TTP allows the actor to evade detection by blending in with normal Windows system and network activities, avoid endpoint detection and response (EDR) products that would alert on the introduction of third-party applications to the host, and limit the amount of activity that is captured in default logging configurations. Some of the built-in tools this actor uses are: wmic, ntdsutil, netsh, and PowerShell. The advisory provides examples of the actor’s commands along with detection signatures to aid network defenders in hunting for this activity. Many of the behavioral indicators included can also be legitimate system administration commands that appear in benign activity. Care should be taken not to assume that findings are malicious without further investigation or other indications of compromise”.
Mitigations
The authoring agencies recommend organizations implement the mitigations below to improve your organization’s cybersecurity posture on the basis of the threat actor’s activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity Frameworks and guidance to protect against the most common and impactful threats and TTPs. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
· Defenders should harden domain controllers and monitor event logs [2.T] for ntdsutil.exe and similar process creations. Additionally, any use of administrator privileges should be audited and validated to confirm the legitimacy of executed commands.
· Administrators should limit port proxy usage within environments and only enable them for the period of time in which they are required [2.X].
· Defenders should investigate unusual IP addresses and ports in command lines, registry entries, and firewall logs to identify other hosts that are potentially involved in actor actions.
· In addition to host-level changes, defenders should review perimeter firewall configurations for unauthorized changes and/or entries that may permit external connections to internal hosts.
· Defenders should also look for abnormal account activity, such as logons outside of normal working hours and impossible time-and-distance logons (e.g., a user logging on from two geographically separated locations at the same time).
· Defenders should forward log files to a hardened centralized logging server, preferably on a segmented network
The complete bulletin can be read at The National Security Agency
Stay informed of the latest cybersecurity news at OCD Tech blog.
