
How the Chinese-backed APT group ‘Volt Typhoon’ infiltrated US critical infrastructure organizations


Microsoft Warns of China-Backed APT Infiltrating US Critical Infrastructure

Microsoft has reported on an active, China-sponsored threat group it calls "Volt Typhoon" that has gained persistent access to telecommunications and other critical infrastructure networks in the US, with a focus on espionage and, potentially, preparation for disruptive attacks. The group, which Microsoft and Mandiant have previously observed conducting cyber espionage, is building capabilities that could disrupt critical communications infrastructure between the US and the Asia-Pacific region during a future crisis, according to Microsoft's analysis.

Observations and Goals of China-Backed APT Group

The discovery of Volt Typhoon's activity comes at a time of strained diplomatic relations between Beijing and Washington, following the shooting down of a Chinese surveillance balloon in US airspace, and amid concern that Russia's invasion of Ukraine could embolden China to move against Taiwan. A New York Times report indicated that, in a military crisis, disabling US communications infrastructure could slow or prevent the country's entry into a conflict over Taiwan; a disruptive cyber attack could also serve as a substitute for kinetic action against the US. John Hultquist, chief analyst at Mandiant Intelligence – Google Cloud, noted that China is not alone in conducting such contingency intrusions: over the last decade Russia has similarly targeted critical infrastructure sectors in operations that Mandiant does not believe were designed for immediate effect.

Technical Details and Mitigation Advice

Volt Typhoon gains initial access through Internet-facing Fortinet FortiGuard devices, extracts the credentials of an Active Directory account used by the device, and then authenticates to other systems on the network with those credentials. From there it relies on the command line and living-off-the-land binaries (tools already present on Windows hosts rather than custom malware) to collect information about the system, discover additional devices on the network, and stage data for exfiltration. To blend in with normal traffic, Volt Typhoon routes its command-and-control activity through compromised small office/home office (SOHO) routers and other edge devices, so that connections appear to originate from ordinary residential and small-business IP addresses. Microsoft says it is still investigating how the Fortinet devices were initially compromised.

The NSA, together with CISA, the FBI and Five Eyes partner agencies, has published a joint advisory on Volt Typhoon (PDF) that provides further details on how to hunt for the group, including the specific living-off-the-land commands observed. Microsoft's analysis of the campaign adds mitigation advice and indicators of compromise.
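Because the group uses built-in Windows tools rather than malware, file hashes are of little use and hunting has to start from process-creation telemetry. The following Python script is an added example, not code from Microsoft, the NSA or the advisory: it runs a small set of detections over constructed process-creation log lines (a flattened Sysmon Event ID 1 style format invented here) and then looks for the credential-reuse pattern described above, a single account producing suspicious activity on several hosts. The three command patterns (netsh portproxy listeners, ntdsutil "ifm" dumps of NTDS.dit, and wmic disk enumeration) are drawn from commands listed in the joint advisory; the hostnames, account name and timestamps are made up.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable

# Constructed sample of process-creation events, one per line, formatted as
# "<timestamp>|key=value|key=value|...". These lines are invented for this
# example; they are not real telemetry from the page or the advisory.
SAMPLE_EVENTS = [
    "2023-05-24T10:02:11Z|host=DC01|user=CORP\\fortigate-svc|parent=wmiprvse.exe|"
    'cmd=ntdsutil.exe "ac i ntds" "ifm" "create full C:\\Windows\\Temp\\pro" q q',
    "2023-05-24T10:05:40Z|host=WEB02|user=CORP\\fortigate-svc|parent=cmd.exe|"
    "cmd=netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=9999 "
    "connectaddress=10.0.0.5 connectport=8443 protocol=tcp",
    "2023-05-24T10:07:03Z|host=WEB02|user=CORP\\fortigate-svc|parent=cmd.exe|"
    "cmd=wmic path win32_logicaldisk get caption,filesystem,freespace,size,volumename",
    # Benign activity: an admin listing existing portproxy rules, and a ping.
    "2023-05-24T11:12:00Z|host=WKS-17|user=CORP\\jdoe|parent=explorer.exe|"
    "cmd=netsh interface portproxy show all",
    "2023-05-24T11:15:22Z|host=WKS-17|user=CORP\\jdoe|parent=explorer.exe|"
    "cmd=ping -n 4 10.0.0.1",
]

# Living-off-the-land command patterns taken from the joint advisory's examples.
# Each is deliberately narrow so that routine admin use is not flagged.
LOLBIN_PATTERNS = {
    # "netsh interface portproxy add" creates a relay listener; "show" is benign.
    "portproxy_add": re.compile(r"\bnetsh\b.*\bportproxy\b.*\badd\b", re.I),
    # ntdsutil "ifm" writes an offline copy of NTDS.dit (domain credential material).
    "ntds_ifm_dump": re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b", re.I),
    # wmic logical-disk enumeration used for host reconnaissance.
    "wmic_disk_recon": re.compile(r"\bwmic\b.*\bwin32_logicaldisk\b", re.I),
}


@dataclass(frozen=True)
class Hit:
    ts: str
    host: str
    user: str
    technique: str
    cmd: str


def parse_event(line: str) -> dict[str, str]:
    """Split '<ts>|k=v|k=v|...' into a dict. partition() splits on the first '='
    only, so '=' characters inside the command line are preserved."""
    ts, *fields = line.split("|")
    event = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def hunt(lines: Iterable[str]) -> list[Hit]:
    """Return one Hit per event whose command line matches a known LOLBin pattern."""
    hits: list[Hit] = []
    for line in lines:
        ev = parse_event(line)
        cmd = ev.get("cmd", "")
        for technique, pattern in LOLBIN_PATTERNS.items():
            if pattern.search(cmd):
                hits.append(Hit(ev["ts"], ev.get("host", "?"), ev.get("user", "?"), technique, cmd))
    return hits


def pivoting_accounts(hits: Iterable[Hit]) -> dict[str, set[str]]:
    """Accounts with suspicious activity on more than one host: the reuse of a
    single stolen credential across devices that the report describes."""
    hosts_by_user: dict[str, set[str]] = defaultdict(set)
    for hit in hits:
        hosts_by_user[hit.user].add(hit.host)
    return {user: hosts for user, hosts in hosts_by_user.items() if len(hosts) > 1}


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for h in found:
        print(f"{h.ts} {h.host} {h.user} [{h.technique}] {h.cmd}")
    for user, hosts in pivoting_accounts(found).items():
        print(f"credential reused across hosts: {user} -> {sorted(hosts)}")
```

Run against the sample, the script flags the three suspicious commands, ignores the benign "portproxy show" and ping, and reports that the service account tied to the edge device has been active on both the domain controller and the web server. In a real environment the same logic would be fed from Sysmon or a SIEM export, and the account-to-host correlation is usually the more useful signal than any single command.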

Editorial

The reported espionage and potential disruptive capabilities are concerning precisely because they target critical infrastructure services in the US. Although it is still unknown how the Fortinet devices were breached, Volt Typhoon's ability to establish persistent access in US telecommunications networks is alarming in itself. The case is a reminder that organizations must first identify the risks and vulnerabilities in their own environments, above all on Internet-facing edge devices, and then apply mitigations that preserve the integrity and security of those systems. It also underlines the value of international cooperation on cybersecurity, such as the 2015 US-China cybersecurity agreement, in reducing the risk of escalation and protecting sensitive infrastructure from attack.

Philosophical Discussion and Advice

Diplomacy remains a necessary complement to technical defences when the threat is a state actor. As tension between the US and China continues to rise, both countries have an interest in a stable and secure cyberspace, and cooperation on shared problems such as cyber espionage and attacks on critical infrastructure is only possible if channels for it exist. Organizations, for their part, should stay vigilant and ahead of such threats by investing in the resources and personnel their defences require. Applying established best practices and appropriate security tooling reduces the risk of network intrusion, sensitive data breaches and data exfiltration.



