Microsoft has discovered malicious activity by Volt Typhoon, a state-sponsored threat actor based in China, aimed at U.S. critical infrastructure organizations.

The campaign is focused on post-compromise credential access and network system discovery. Volt Typhoon typically focuses on espionage and information gathering.

Volt Typhoon is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises, according to Microsoft.

The threat actor has been active since mid-2021 and has targeted critical infrastructure organizations in Guam and elsewhere in the United States. In this campaign, the affected organizations span the communications, manufacturing, utility, transportation, construction, maritime, government, IT and education sectors.

Observed behavior suggests the threat actor intends to perform espionage and maintain access without being detected for as long as possible.

How Volt Typhoon Gains Initial Access

“To achieve their objective, the threat actor puts strong emphasis on stealth in this campaign, relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity,” Microsoft said in a blog. “Volt Typhoon achieves initial access to targeted organizations through internet-facing Fortinet FortiGuard devices. Microsoft continues to investigate Volt Typhoon’s methods for gaining access to these devices. The threat actor attempts to leverage any privileges afforded by the Fortinet device, extracts credentials to an Active Directory account used by the device, and then attempts to authenticate to other devices on the network with those credentials.”

Once Volt Typhoon gains access to a target environment, they begin conducting hands-on-keyboard activity via the command line. Some of these commands appear to be exploratory or experimental, as the operators adjust and repeat them multiple times.

Volt Typhoon rarely uses malware in their post-compromise activity. Instead, they rely on living-off-the-land commands to find information on the system, discover additional devices on the network and exfiltrate data.

“As with any observed nation-state actor activity, Microsoft has directly notified targeted or compromised customers, providing them with important information needed to secure their environments,” Microsoft said.

Actions by Volt Typhoon Could be Construed as ‘Act of War’

Bugcrowd’s Casey Ellis

Casey Ellis, Bugcrowd‘s founder and CTO, said the types of direct action Volt Typhoon could take depend on their level of access, and the vulnerabilities and design weakness that exist within the organizations they’ve compromised.

“There are plenty of examples of threat actors manipulating the power grid, for example,” he said. “But this would require that to be possible for that particular grid in the first place. It’s also worth noting that tampering or destroying critical infrastructure by a known state-sponsored threat actor could very easily be construed as an act of war, opening the possibility for escalation, which will hopefully act as a deterrent to these kinds of actions.”

Organizations can protect themselves by understanding their network environment, ensuring vulnerabilities are being identified and managed properly, and proactive threat hunting, Ellis said.

Andrew Barratt, Coalfire‘s vice president, said this is a significant threat for a number of reasons, not the least of which is gaining access via compromising security devices such as firewalls.

“Then by using tools present in the environment, they are aiming to remain persistent and evasive,” he said. “This is less observed in criminal actors and more like classic espionage or nation-state activity. The compromise of security devices will for certain lead to follow-on criminal activity as copy cats will leverage the vulnerabilities against mid-size firms who have perhaps a hard-shell security model, but are a little weaker internally and exposed to more persistent intruders. Quick payouts are almost certainly going to come from ransomware in these scenarios.”

Big Questions Around Volt Typhoon’s Intentions, Motives

Delinea’s Joseph Carson

Joseph Carson, Delinea‘s chief security scientist and advisory CISO, said critical national infrastructure(CIN) is the “backbone to our digital societies and keeps our world in motion, so when nation-state actors target critical infrastructure it is a move that increases fear.”

“The big question is always about what are the intentions and motives, whether to identify potential targets for cyberattacks, steal intellectual property, or simply to cause disruption and interference,” he said. “Cyberattacks and abuse of unauthorized access is always a major topic. However, when it targets critical infrastructure, this should be a top priority to defend and warn off any attackers.”

This Volt Typhoon campaign is “alarming,” Carson said.

“The attackers are exploiting vulnerabilities, performing hands-on keyboard access to enumerate the victim’s networks, stealing credentials and elevating privileged access,” he said. “These recent events increase the importance on protecting remote access, credentials security and protecting privileged access with stronger security controls, auditability and implementing the principle of least privileged, which is an important methodology that supports a zero-trust architecture. It also shows that enforcing just-in-time and just-enough privilege policies should become the norm as they reduce the risk related to standing privileges and align with zero trust best practices.”

Long-Term Espionage Campaigns

Ontinue’s Craig Jones

Craig Jones, Ontinue‘s vice president of security operations, said Chinese-backed advanced persistent threat (APT) groups exhibit a high level of sophistication, capabilities and resources.

“These groups specialize in conducting targeted, long-term cyber espionage campaigns,” he said. “What distinguishes China-backed APT groups is their ability to blend advanced technical skills with a deep understanding of their targets, enabling them to execute highly tailored and customized attacks. Their involvement in intellectual property theft and the exploitation of supply chain vulnerabilities further underscores their strategic approach. Moreover, China’s proficiency in utilizing zero-day exploits adds another layer of complexity to their cyber activities. As the cybersecurity landscape continues to evolve, addressing China’s utilization of zero-day attacks remains a crucial aspect of bolstering defenses and safeguarding against emerging threats.”