The UK National Cyber Security Centre (NCSC), alongside the intelligence agencies of the English-speaking Five Eyes alliance, has issued an advisory highlighting a campaign of Chinese state-sponsored activity targeting Critical National Infrastructure (CNI) networks.
Produced alongside Microsoft – which attributed the malicious activity campaign to an advanced persistent threat actor it has nicknamed Volt Typhoon, having recently revised its threat actor naming taxonomy – the intelligence community disclosure includes technical indicators of compromise and examples of the tactics, techniques and procedures used by the group.
“It is vital that operators of critical national infrastructure take steps to prevent attackers from lurking on their systems, as described in this joint advisory with our international partners,” said NCSC Chief Operating Officer Paul Chichester.
“We strongly encourage essential service providers in the UK to follow our guidance to help detect this malicious activity and prevent persistent compromises.”
According to Microsoft, Volt Typhoon has been active for about two years and has targeted multiple CNI operators on the US Pacific island territory of Guam, as well as the US itself. Targeted organizations include communications service providers, manufacturers, utilities, transportation operators, construction companies, IT companies, educational institutions, and government agencies.
According to The New York Times, the attention to Guam is of particular concern given the territory’s proximity to Taiwan and its value to the United States in preparing a military response for the defence of Taiwan should China attack it.
Microsoft said that based on the behavior it observed, Volt Typhoon “intends to spy and maintain access undetected for as long as possible.”
It tends to gain access to its victims’ networks through vulnerable Fortinet FortiGuard devices and then blends into normal network activity by routing its traffic through compromised network edge devices intended for small offices and home offices, including Asus, Cisco, D-Link, Netgear and Zyxel hardware.
Once inside its target network, Volt Typhoon becomes particularly stealthy, using living-off-the-land techniques and binaries (LOLbins) to extract data and credentials. This makes detecting its activity a particularly difficult challenge for defenders, since LOLbins are “natural” tools and executables in the operating system that are used for legitimate purposes.
Marc Burnard, Secureworks’ senior consultant for information security research and thematic lead for China, said the group – which Secureworks tracks as Bronze Silhouette – has a “constant focus” on operational security – minimising its footprint, deploying advanced techniques to avoid detection, and utilising previously compromised infrastructure.
“Think of an undercover spy, whose goal is to blend in and go unnoticed,” he said. “Bronze Silhouette does just that by mimicking typical network activity. This suggests a level of operational maturity and adherence to a modus operandi designed to reduce the likelihood of detection and attribution of the group’s intrusion activity.
“The incorporation of operational security, particularly when targeting Western organizations, is consistent with network compromises that CTU researchers have attributed to Chinese threat groups in recent years,” Burnard added.
“These developments were likely prompted by a series of high-profile US Department of Justice indictments against Chinese nationals allegedly involved in cyber espionage activities and public exposures of such activity by security, which probably led to increased pressure from the leadership within the People’s Republic of China to avoid public scrutiny of its cyber espionage activities.
“China is known to be highly skilled in cyber espionage and Bronze Silhouette emphasizes its relentless focus on adaptation to pursue its end goal of acquiring sensitive information,” he said.
Advice
Microsoft said organisations that find themselves affected by Volt Typhoon should immediately close or change the credentials of all affected accounts and review their activity for any malicious actions or exposed data.
Organisations also have a variety of tools to defend against this activity, many of which fall under the category of basic cyber security hygiene. These include:
- Applying appropriate multi-factor authentication and credential management policies;
- Reducing the attack surface by enabling rules to block credential theft, process spawns, and execution of potentially obfuscated scripts;
- Hardening the Local Security Authority Subsystem Service (LSASS) process by enabling Protected Process Light for LSASS on Windows 11 devices, and Windows Defender Credential Guard if it is not enabled by default;
- Enabling cloud-delivered protections available through Microsoft Defender Antivirus;
- Running endpoint detection and response in block mode to allow Microsoft Defender for Endpoint to block malicious artefacts even if a non-Microsoft antivirus product hasn’t detected them.
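The endpoint-side controls in that list can be audited locally. The following PowerShell script is an added example, not code from the article or from Microsoft; it assumes Microsoft Defender Antivirus is installed (the Get-Mp* cmdlets come from its module) and reports each control as PASS or FAIL.

```powershell
# Added audit script: checks the local state of the hardening controls listed
# above. Run in an elevated PowerShell session on the endpoint being checked.
# Assumption: Microsoft Defender Antivirus is present, so Get-MpPreference and
# Get-MpComputerStatus are available.

$results = [ordered]@{}

# 1. LSASS protection: RunAsPPL = 1 (enabled) or 2 (enabled with UEFI lock).
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
$results['LSASS Protected Process Light (RunAsPPL)'] = ($lsa.RunAsPPL -in 1, 2)

# Credential Guard reports as running security service 1 in the DeviceGuard WMI class.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$results['Credential Guard running'] = (@($dg.SecurityServicesRunning) -contains 1)

# 2. Attack surface reduction rules matching the three behaviours named in the advice.
#    Action value 1 means the rule is in Block mode (0 = off, 2 = audit).
$pref = Get-MpPreference
$asrRules = @{
    'ASR: block credential stealing from LSASS'             = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    'ASR: block process creations from PsExec and WMI'      = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'
    'ASR: block execution of potentially obfuscated scripts' = '5beb7efe-fd9a-4556-801d-275e5ffc04cc'
}
$ids     = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
$actions = @($pref.AttackSurfaceReductionRules_Actions)
foreach ($name in $asrRules.Keys) {
    $idx = [array]::IndexOf($ids, $asrRules[$name])
    $results[$name] = ($idx -ge 0 -and $actions[$idx] -eq 1)
}

# 3. Cloud-delivered protection: MAPSReporting 2 = Advanced membership.
$results['Cloud-delivered protection (MAPS)'] = ($pref.MAPSReporting -eq 2)

# 4. EDR in block mode is exposed as the antimalware running mode on the endpoint.
$status = Get-MpComputerStatus
$results['EDR in block mode'] = ($status.AMRunningMode -eq 'EDR Block Mode')

# One PASS/FAIL line per control, aligned for quick review.
foreach ($k in $results.Keys) {
    $tag = if ($results[$k]) { 'PASS' } else { 'FAIL' }
    Write-Output ('{0,-55} {1}' -f $k, $tag)
}
```

The RunAsPPL check reads only explicit configuration, so a device on which LSA protection is enabled by default without a registry value will show FAIL; confirm with the Local Security Authority event log (Event ID 12 under Microsoft-Windows-Wininit) in that case.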
China strikes back
Meanwhile, the Chinese government reacted angrily to the revelations, accusing the Five Eyes alliance of waging a disinformation campaign.
A Chinese Foreign Ministry spokesperson said the report was “grossly unprofessional” and not supported by sufficient evidence.