Broad campaign underway to access US critical infrastructure using small, home office devices
- Microsoft researchers and federal authorities are warning about a malicious cyber campaign against U.S. critical infrastructure providers that may be designed to disrupt communications with Asia amid growing hostilities with the People’s Republic of China.
- A state-sponsored threat actor, which Microsoft identified as Volt Typhoon under its new naming taxonomy, is operating a stealth campaign that abuses small office, home office routers, firewalls and VPN devices to blend into normal daily activity. The hackers are abusing internet-facing Fortinet FortiGuard devices to gain initial access into companies and leveraging compromised SOHO devices from a range of companies, including ASUS, Cisco, D-Link, Netgear and Zyxel.
- The Cybersecurity and Infrastructure Security Agency, along with the FBI, the National Security Agency and cyber agencies from the Five Eyes, issued an advisory about the campaign Wednesday. Officials said the hackers are using living-off-the-land techniques to blend in with normal Windows activity and evade discovery by endpoint detection and response software.
Volt Typhoon, active since 2021, has targeted critical infrastructure providers in the U.S. and Guam, according to Microsoft researchers. The major industries targeted by the actor include communications, manufacturing, utilities, transportation, construction, IT, education and government.
“Adversaries frequently target critical infrastructure to perform reconnaissance and eventually gain a foothold in the event of an escalation in tension, or in the worst case war, the adversary can disable parts of a country’s infrastructure,” Tom Winston, director of intelligence content at Dragos, said via email.
Researchers from Mandiant said they recognize the hackers from prior campaigns involving air, maritime and land transportation targets. The new activity could be in preparation for disruptive or destructive cyberattacks.
“Preparation does not mean attacks are inevitable,” said John Hultquist, chief analyst, Mandiant Intelligence, Google Cloud. “States conduct long-term intrusions into critical infrastructure to prepare for possible conflict, because it simply may be too late to gain access when conflict arises.”
Microsoft said it has directly notified customers who were targeted or compromised.
After gaining access through the Fortinet devices, the hackers try to leverage any privileges those devices afford and then extract credentials for an Active Directory account, according to Microsoft. The credentials are then used to authenticate to other devices. Fortinet officials could not be immediately reached for comment.
Microsoft researchers said detecting and mitigating the attacks will be challenging due to the actor’s reliance on active accounts and living-off-the-land binaries. The NSA has published a guide to detect and mitigate living-off-the-land activity.