Malware that can move almost undetected through networks has been deployed by Chinese state-sponsored cybercriminals against critical infrastructure in the US, the Five Eyes security alliance has warned. The gang behind the breach, Volt Typhoon, is using what’s known as a “living off the land” attack to compromise businesses in sectors including telecoms and energy.
A joint advisory from cybersecurity agencies in the Five Eyes nations – the US, UK, Australia, Canada and New Zealand – says Volt Typhoon is able to run undetected in crucial networks using built-in network administration tools to perform its objectives, a technique known as “living off the land”. It could target other nations as well as the US, the Five Eyes alliance believes.
Volt Typhoon found throughout US critical national infrastructure
Affected companies include organisations in the communications, manufacturing and IT sectors, as well as government agencies, though the advisory does not give any indication on the extent of the problem.
Volt Typhoon’s malware has also been found in critical infrastructure organisations in the US military outpost of Guam in the Pacific Ocean. Researchers at Microsoft have also been tracking the group’s activities, and say with “moderate confidence” that the campaign could disrupt critical communications infrastructure between the United States and Asia in the event of a future crisis.
The Chinese government has hit back at the allegations. Chinese foreign ministry spokesperson Mao Ning said earlier today that the cyber espionage allegations were a “collective disinformation campaign” from the Five Eyes countries. She added that the involvement of Microsoft shows the US is expanding into channels of disinformation beyond government agencies. “But no matter what varied methods are used, none of this can change the fact that the United States is the empire of hacking,” Ning said at a press briefing in Beijing.
How Chinese cybercriminals are accessing US networks
Microsoft believes Volt Typhoon gains access to systems through devices running Fortinet’s FortiGuard security software. “The threat actor attempts to leverage any privileges afforded by the Fortinet device, extracts credentials to an Active Directory account used by the device, and then attempts to authenticate to other devices on the network with those credentials,” it said in a blog post.
Compromised small office and home office network devices belonging to staff working remotely were used as intermediate infrastructure to obscure the activity, the report reveals. Traffic was relayed through these devices so that it appeared to originate from an internet provider in the victim’s geographic area rather than from the hackers.
To mitigate these attacks, defenders should harden domain controllers and monitor event logs. Any use of administrator privilege should be audited and validated to confirm the legitimacy of executed commands. Defenders should also investigate unusual IP addresses and ports in command lines, registry entries and firewall logs to identify other hosts that are potentially involved in the actor’s activity, the agencies recommend.
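The recommendation above, to look for unusual IP addresses and ports in command lines, registry entries and firewall logs, can be turned into a simple triage pass over exported records. The following Python is an added example and not code from the advisory, the agencies or Microsoft; the record format, the host names, the addresses and the allowlists are all constructed for illustration and would need tuning to a real environment.

```python
"""Flag unusual IP addresses and ports in command lines, registry values and
firewall log lines. Added example with constructed sample data."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IPv4 address, optionally followed by :port (e.g. 203.0.113.10:8443).
ENDPOINT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?\b")

# Address ranges treated as internal (constructed; use the organisation's own).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ports expected in these sources; anything else is reported for review.
# Constructed allowlist: DNS, HTTP(S), Kerberos, RPC, LDAP(S), SMB, GC.
EXPECTED_PORTS = {53, 80, 88, 135, 389, 443, 445, 636, 3268, 3269}

# Known-good external destinations (constructed, e.g. an update endpoint).
KNOWN_EXTERNAL = {"198.51.100.7"}


@dataclass
class Finding:
    source: str
    host: str
    ip: str
    port: Optional[int]
    reason: str
    raw: str


def extract_endpoints(text: str) -> List[Tuple[str, Optional[int]]]:
    """Return (ip, port_or_None) pairs in text; version strings such as
    10.0.19041.1 do not match because an octet exceeds three digits."""
    out = []
    for ip, port in ENDPOINT_RE.findall(text):
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # octet out of range, not an address
        out.append((ip, int(port) if port else None))
    return out


def classify(ip: str, port: Optional[int]) -> Optional[str]:
    """Return a reason string if the endpoint is worth a look, else None."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback or addr.is_unspecified:
        return None
    if any(addr in net for net in INTERNAL_NETS):
        # Internal destination: only an unexpected port is notable.
        if port is not None and port not in EXPECTED_PORTS:
            return f"internal host on unexpected port {port}"
        return None
    if ip in KNOWN_EXTERNAL:
        return None
    if port is not None and port not in EXPECTED_PORTS:
        return f"unknown external address on unexpected port {port}"
    return "unknown external address"


def relevant_text(record: dict) -> str:
    """Firewall lines are 'src -> dst'; only the destination side matters,
    so the ephemeral source port is not reported as unexpected."""
    if record["source"] == "firewall" and "->" in record["text"]:
        return record["text"].split("->", 1)[1]
    return record["text"]


def scan_records(records: List[dict]) -> List[Finding]:
    """Run the endpoint check over every record and collect findings."""
    findings = []
    for rec in records:
        for ip, port in extract_endpoints(relevant_text(rec)):
            reason = classify(ip, port)
            if reason:
                findings.append(Finding(rec["source"], rec["host"], ip, port,
                                        reason, rec["text"]))
    return findings


# Constructed sample records from three sources named in the advisory.
SAMPLE_RECORDS = [
    {"source": "cmdline", "host": "ws-017",
     "text": "ldap-query.exe --server 10.20.0.5:389 --base dc=corp"},
    {"source": "cmdline", "host": "ws-017",
     "text": "installer.exe /version 10.0.19041.1 /quiet"},
    {"source": "cmdline", "host": "ws-017",
     "text": "relay.exe --connect 203.0.113.10:8443"},
    {"source": "registry", "host": "ws-042",
     "text": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
             r"\ProxyServer = 198.51.100.77:1080"},
    {"source": "firewall", "host": "fw-edge",
     "text": "ALLOW TCP 10.20.4.9:51522 -> 198.51.100.7:443"},
    {"source": "firewall", "host": "fw-edge",
     "text": "ALLOW TCP 10.20.4.9:50211 -> 10.20.0.5:2222"},
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"[{f.source}] {f.host}: {f.ip}:{f.port} {f.reason}  <- {f.raw}")
```

Of the six constructed records, three are reported: the command line and the registry proxy value pointing at unknown external addresses on non-standard ports, and the firewall entry showing one internal host reaching another on a port the environment does not expect. The legitimate LDAP query, the version string and the allowed connection to a known external endpoint produce nothing, which is the point of maintaining the allowlists rather than alerting on every address.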
Paul Chichester, NCSC director of operations, said it is “vital that operators of critical national infrastructure take action to prevent attackers hiding on their systems, as described in this joint advisory with our international partners.” He added: “We strongly encourage UK essential service providers to follow our guidance to help detect this malicious activity and prevent persistent compromise.”