JAKARTA - Microsoft has uncovered malicious activity carried out by Volt Typhoon, a state-sponsored actor based in China that usually focuses on espionage and information gathering.

According to Microsoft, Volt Typhoon is pursuing the development of capabilities that could disrupt critical communications infrastructure between the United States (US) and the Asia region during future crises.

Volt Typhoon has been active since mid-2021 and is targeting critical infrastructure organizations in Guam and elsewhere in the US, as quoted from Microsoft's blog on Thursday, May 25.

In this campaign, the affected organizations span the communications, manufacturing, utilities, transportation, construction, maritime, government, information technology, and education sectors.

The behavior Microsoft has observed shows that the threat actor intends to carry out espionage and to maintain access undetected for as long as possible.

To achieve its goals, the threat actor puts strong emphasis on stealth in this campaign, relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity.

The company said the campaign was carried out covertly, including by blending into normal network activity and routing traffic through network equipment such as routers, firewalls, and VPN hardware.

They issue commands via the command line to collect data, including credentials from local and network systems, place the data into archive files to stage it for exfiltration, and then use the stolen valid credentials to maintain persistence.

In addition, Volt Typhoon tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware.

Microsoft has also observed the actor using a custom version of an open-source tool to establish a command-and-control (C2) channel through a proxy in order to stay under the radar.

Because this activity relies on valid accounts and living-off-the-land binaries (LOLBins), detecting and mitigating these attacks can be a challenge. Compromised accounts must be closed or have their credentials changed.

As with any observed nation-state actor activity, Microsoft has directly notified targeted or compromised customers, providing them with the information they need to secure their environments.

The following are the activities or behaviors related to Volt Typhoon that Microsoft Defender Antivirus tracks.

1. Behavior:Win32/SuspNtdsUtilUsage.A

2. Behavior:Win32/SuspPowershellExec.E

3. Behavior:Win32/SuspRemoteCmdCommandParent.A

4. Behavior:Win32/UNCFilePathOperation

5. Behavior:Win32/VSSAmsiCaller.A

6. Behavior:Win32/WinrsCommand.A

7. Behavior:Win32/WmiSuspProcExec.J!se

8. Behavior:Win32/WmicRemote.A

9. Behavior:Win32/WmiprvseRemoteProc.B
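As an added illustration (not code from the article or from Microsoft), the following Python sketches how a defender might triage process-creation events against heuristic categories that loosely mirror the behavior names listed above. The rules, process names, and sample events are assumptions constructed for this example, not Microsoft's actual signatures.

```python
import re

# Heuristic rules loosely mirroring the Defender behaviour names listed above.
# Written for this article as an illustration; they are not Microsoft's signatures.
REMOTE_EXEC_PARENTS = {"wmiprvse.exe", "wsmprovhost.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
UNC_PATH = re.compile(r"\\\\[\w.-]+\\[\w$.-]+")       # \\host\share
PS_ENCODED = re.compile(r"-(e|enc|encodedcommand)\b")  # -e / -enc / -EncodedCommand

def classify_event(parent: str, image: str, cmdline: str) -> list[str]:
    """Return the behaviour labels one process-creation event matches."""
    parent, image, cl = parent.lower(), image.lower(), cmdline.lower()
    hits = []
    if image == "ntdsutil.exe" and parent in SHELLS | REMOTE_EXEC_PARENTS:
        hits.append("SuspNtdsUtilUsage")           # AD database tool run from a shell
    if image == "powershell.exe" and PS_ENCODED.search(cl):
        hits.append("SuspPowershellExec")          # encoded PowerShell command line
    if image in SHELLS and parent in REMOTE_EXEC_PARENTS:
        hits.append("SuspRemoteCmdCommandParent")  # shell spawned by a remote-exec host
    if UNC_PATH.search(cl):
        hits.append("UNCFilePathOperation")        # file operation on a network share
    if image == "vssadmin.exe" and "shadow" in cl:
        hits.append("VSSAmsiCaller")               # shadow-copy manipulation
    if image == "winrs.exe" and "-r:" in cl:
        hits.append("WinrsCommand")                # WinRM remote shell command
    if image == "wmic.exe" and "/node:" in cl:
        hits.append("WmicRemote")                  # WMI command aimed at another host
    if parent == "wmiprvse.exe":
        hits.append("WmiprvseRemoteProc")          # process spawned by the WMI provider host
    return hits

def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> matched labels, omitting events that match nothing."""
    return {i: labels for i, ev in enumerate(events)
            if (labels := classify_event(ev["parent"], ev["image"], ev["cmdline"]))}

# Constructed sample events for this illustration, not real telemetry.
SAMPLE_EVENTS = [
    {"parent": "cmd.exe", "image": "ntdsutil.exe", "cmdline": "ntdsutil.exe"},
    {"parent": "wmiprvse.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"parent": "cmd.exe", "image": "wmic.exe", "cmdline": "wmic /node:host02 os get caption"},
    {"parent": "cmd.exe", "image": "winrs.exe", "cmdline": "winrs -r:host03 ipconfig"},
    {"parent": "cmd.exe", "image": "cmd.exe", "cmdline": r"cmd.exe /c copy \\host04\c$\data.zip C:\tmp"},
    {"parent": "explorer.exe", "image": "powershell.exe", "cmdline": "powershell.exe -enc AAAAAAAA"},
    {"parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe notes.txt"},
]
```

Calling `scan(SAMPLE_EVENTS)` flags the first six events and leaves the benign notepad launch unlabelled; in practice these heuristics are a starting point for hunting, since the same commands are routinely used by legitimate administrators.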


The English, Chinese, Japanese, Arabic, and French versions are generated automatically by AI, so there may still be inaccuracies in the translation; please always refer to the Indonesian version as our main language. (system supported by DigitalSiber.id)