
China-Backed Group Targets Government, Education and Infrastructure

A nation-state sponsored actor is using living-off-the-land techniques to hide its activity and spy on U.S. targets, and possibly plan communication disruptions, Microsoft said. CISA and Microsoft released details to help potential victims identify and mitigate the threat.

Government, education and other critical infrastructure sectors in the U.S. should be on alert for malicious activity from a China-backed cyber espionage group, according to Microsoft.

The company reported discovering “stealthy and targeted malicious activity focused on post-compromise credential access and network system discovery” that it attributed to Volt Typhoon, a state-backed group known for information gathering and espionage.

The threat actors have been gaining initial access to victims’ organizations through Internet-facing Fortinet FortiGuard devices, and Microsoft “continues to investigate Volt Typhoon’s methods for gaining access to these devices,” the company said.

Several resources are available to help entities that may be targeted learn more about the threat.

The Cybersecurity and Infrastructure Security Agency (CISA) published a joint advisory with federal and international partners that details Volt Typhoon’s techniques, tactics and procedures; indicators of compromise; and mitigations. Microsoft offered its own advice in a blog post.

“In this campaign, the affected organizations span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology and education sectors,” Microsoft wrote. “Observed behavior suggests that the threat actor intends to perform espionage and maintain access without being detected for as long as possible.”

Once Volt Typhoon has access to a target’s system, it works to learn about that system, discover other devices on the network and exfiltrate data, Microsoft said. The attackers use legitimate, built-in tools for these tasks, which helps hide their activity. This technique is known as “living off the land.”

Such an approach “allows the actor to evade detection by blending in with normal Windows system and network activities, avoid endpoint detection and response (EDR) products that would alert on the introduction of third-party applications to the host, and limit the amount of activity that is captured in default logging configurations,” CISA and partners wrote.

This strategy also creates the risk of false positives when victims try to crack down, because organizations may mistakenly flag benign activity as malicious.

In this campaign, Volt Typhoon may be looking to develop “capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises,” Microsoft said, stating it has “moderate confidence” that this is the case.

According to Reuters, “Security analysts expect Chinese hackers could target U.S. military networks and other critical infrastructure if China invades Taiwan.” Among the targets for Volt Typhoon espionage is the U.S. territory of Guam, which houses military bases that “would be key to responding to any conflict in the Asia-Pacific region” and has submarine communications cables connecting the U.S. with Asia and Australia.

Chinese foreign ministry spokesperson Mao Ning disputed the hacking allegations, according to Reuters.