Microsoft has discovered covert, purpose-driven cyber attacks aimed at obtaining access to sensitive data and mapping network systems after an initial security breach. These attacks are specifically targeted at critical infrastructure firms within the United States. Microsoft attributes the malicious activity to Volt Typhoon (VT), a group sponsored by the Chinese government that is usually involved in spying and gathering sensitive information. Microsoft states with “moderate confidence” that Volt Typhoon’s ongoing campaign is preparing for the potential disruption of vital communication infrastructure between the US and Asia in the event of future conflicts.
VT has been active since mid-2021 and has a history of aiming its cyberattacks at essential infrastructure entities, not only in Guam but also in other parts of the United States. During this campaign, the impacted organizations come from a diverse set of industries, including the “communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors,” according to Microsoft. The group’s activities suggest a long-term plan for espionage and for remaining undetected within the compromised systems for as long as possible.
To accomplish this, VT places a high priority on stealth throughout an operation. The group relies primarily on tools already present on the victim system and on direct operator interaction, which Microsoft describes as “living-off-the-land tactics and hands-on-keyboard activity.” It uses command-line operations to gather information, which includes extracting credentials from local and network systems, packaging the collected data into an archive file for later exfiltration, and then using the stolen valid credentials to maintain access to the environment. Volt Typhoon also attempts to disguise its traffic by routing it through compromised Small Office/Home Office (SOHO) network devices, including routers, firewalls, and VPN hardware, so that its activity blends in with ordinary network traffic.