
Microsoft and the “Five Eyes” countries announced Wednesday that a China-based, stealthy group has gained a persistent foothold in critical infrastructure entities in the United States and Guam without being detected.
The technology giant’s threat intelligence team tracks the activity, which includes post-compromise credential access and network system discovery, under the name Volt Typhoon.
The state-sponsored attackers have been operating for espionage and intelligence-gathering purposes. The cluster has been active since June 2021 and leverages tools already installed or built into infected machines to hide its footprint.
Prominent sectors targeted include telecommunications, manufacturing, utilities, transportation, construction, shipping, government, information technology, education, and others.
The company further assessed with moderate confidence that the campaign “seeks to develop capabilities that could disrupt critical telecommunications infrastructure between the United States and the Asian region in the event of a future crisis.”
The attacks are characterized by a reliance solely on living-off-the-land (LotL) techniques to exfiltrate data from local web browser applications and to leverage stolen credentials for backdoor access, with a clear focus on staying discreet.
The primary goal is to evade detection by blending in with normal Windows system and network activity, which indicates that the attacker is deliberately unobtrusive while accessing sensitive information.
“In addition, Volt Typhoon attempts to blend in with normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment such as routers, firewalls, and VPN hardware,” said Microsoft.
Another uncommon technique uses custom versions of open source tools to establish command and control (C2) channels through proxies, as well as through compromised servers belonging to other organizations within the C2 proxy network, in order to hide the source of the attack.
In one incident reported by The New York Times, a hostile group infiltrated the telecommunications network of Guam, a classified US military outpost in the Pacific, and installed a malicious webshell.
While the initial entry vector involves exploiting Internet-connected Fortinet FortiGuard devices with unknown zero-day flaws, Volt Typhoon has also been observed weaponizing flaws in Zoho ManageEngine servers. The access is then exploited to steal credentials and infiltrate other devices on the network.
The Windows maker also noted that it has directly notified targeted and compromised customers and provided them with the information they need to help protect their environments.
However, it warned that mitigating such risks could be “particularly difficult” when attackers leverage valid accounts or living-off-the-land binaries (LOLBins) to carry out their attacks.
Secureworks, which monitors the threat group under the name Bronze Silhouette, said it “demonstrates careful consideration of operational security [...] and relies on compromised infrastructure to prevent detection and identification of intrusive activity.”
The disclosure follows a Reuters report that Chinese hackers targeted the Kenyan government in a three-year, wide-ranging series of attacks against key ministries and state institutions in an attempt to obtain information on “debts owed by the East African nation to the Chinese government.”
This digital attack is suspected to have been carried out by BackdoorDiplomacy (aka APT15, Playful Taurus, or Vixen Panda), which has been known to target governments and diplomatic organizations in North America, South America, Africa, and the Middle East since at least 2010.