Chinese state-sponsored hackers successfully breached US critical infrastructure networks in a “hands-on-keyboard” campaign that made extensive use of living off the land techniques, Five Eyes agencies including the US’s NSA and UK’s NCSC warned today – after being alerted to the campaign by Microsoft.
The group is intent on developing capabilities and access that “could disrupt critical communications infrastructure between the United States and Asia region during future crises,” Redmond said.
The group is channelling its command and control (C2) traffic through a network of compromised routers, firewalls, and VPN hardware from a wide range of providers including ASUS, Cisco, D-Link, NETGEAR, and Zyxel.
The intrusion appears to have begun with the breach of internet-facing Fortinet FortiGuard devices. Worryingly, it was not immediately clear if this involved the use of a known vulnerability (Fortinet patched back-to-back critical pre-authentication remote code execution vulnerabilities in late 2022) or a previously unseen zero day.
Microsoft said that it “continues to investigate Volt Typhoon’s methods for gaining access to these devices.”
The Stack has contacted Fortinet for comment.
(Secureworks said in a May 24 post it has been tracking the same group in its incident response call-outs and described other initial threat vectors, saying that in one incident the group gained initial access "by exploiting a vulnerability in an internet-facing ManageEngine ADSelfService Plus server (likely CVE-2021-40539)" and in another the APT had gained "initial access to the compromised organization's single-factor Citrix environment via a domain administrator account. It is unclear how the threat actors obtained these credentials...")
Redmond said that the threat actor, which it dubbed Volt Typhoon, “attempts to leverage any privileges afforded by the Fortinet device, extracts credentials to an Active Directory account used by the device, and then attempts to authenticate to other devices on the network with those credentials. Volt Typhoon proxies all its network traffic to its targets through compromised SOHO network edge devices (including routers).”
Volt Typhoon’s hackers also attempt to dump credentials through the Local Security Authority Subsystem Service (LSASS) – something that, frankly, CNI defenders should already have configured their systems to prevent.
Volt Typhoon targets CNI in Guam, US
“Volt Typhoon has been active since mid-2021 and has targeted critical infrastructure organizations in Guam and elsewhere in the United States,” the Microsoft Threat Intelligence team said: “In this campaign, the affected organizations span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. Observed behavior suggests that the threat actor intends to perform espionage and maintain access without being detected for as long as possible…”
The NSA said: “The actor has used Earthworm and a custom Fast Reverse Proxy (FRP) client with hardcoded C2 callbacks [T1090] to ports 8080, 8443, 8043, 8000, and 10443 with various filenames including, but not limited to: cisco_up.exe, cl64.exe, vm3dservice.exe, watchdogd.exe, Win.exe, WmiPreSV.exe, and WmiPrvSE.exe.” (Earthworm is a tunneller “considered to be a typical tool for Chinese-speaking actor” as Avast has noted, adding that it had seen it in a compromised national data center, targeted in an unrelated earlier campaign.)
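The NSA's list of callback ports and filenames lends itself to a first-pass triage over endpoint network-connection telemetry, with the caveat that several of those names (WmiPrvSE.exe in particular) impersonate legitimate Windows binaries, so a name alone is weak evidence and the image path matters. The Python below is an added example, not code from the advisory or this article; the event field names, the sample records and the expected path for the genuine WmiPrvSE.exe are assumptions.

```python
"""Triage outbound connections against the FRP/Earthworm indicators quoted
from the NSA statement. Added example; event fields mimic a Sysmon Event ID 3
(network connection) export and all sample records are constructed."""
import json
from pathlib import PureWindowsPath

# Filenames and hardcoded C2 callback ports quoted in the NSA statement.
SUSPECT_NAMES = {"cisco_up.exe", "cl64.exe", "vm3dservice.exe", "watchdogd.exe",
                 "win.exe", "wmipresv.exe", "wmiprvse.exe"}
C2_PORTS = {8080, 8443, 8043, 8000, 10443}
# Assumed default location of the legitimate binary some names impersonate;
# the same name running from anywhere else is far more suspicious.
EXPECTED_DIRS = {"wmiprvse.exe": r"c:\windows\system32\wbem"}


def score_event(event):
    """Return (severity, reason) for one network-connection event."""
    path = PureWindowsPath(event["image"])
    name = path.name.lower()
    name_hit = name in SUSPECT_NAMES
    port_hit = int(event["dest_port"]) in C2_PORTS
    if not (name_hit or port_hit):
        return 0, "no indicator"
    if name_hit and port_hit:
        expected = EXPECTED_DIRS.get(name)
        if expected and str(path.parent).lower() == expected:
            return 2, "listed name and callback port, binary in expected path"
        return 3, "listed name and callback port from unexpected path"
    return 1, "listed name only" if name_hit else "callback port only"


def triage(lines):
    """Parse JSON lines; return events scoring >= 2, highest severity first."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        sev, why = score_event(ev)
        if sev >= 2:
            hits.append((sev, ev["image"], ev["dest_ip"], ev["dest_port"], why))
    return sorted(hits, reverse=True)


# Constructed sample events; IPs are RFC 5737 documentation addresses.
SAMPLE = [
    '{"image": "C:\\\\Users\\\\Public\\\\cl64.exe", "dest_ip": "203.0.113.10", "dest_port": 8443}',
    '{"image": "C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe", "dest_ip": "198.51.100.7", "dest_port": 8080}',
    '{"image": "C:\\\\ProgramData\\\\WmiPrvSE.exe", "dest_ip": "198.51.100.7", "dest_port": 10443}',
    '{"image": "C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe", "dest_ip": "192.0.2.5", "dest_port": 443}',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```

Port-only matches on 8080 or 8443 are noisy on any real network, which is why they score lowest and are dropped from the output; treat the higher-severity rows as leads to pivot on, not verdicts.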
Fortinet picked an unfortunate day to publish its 2023 State of Operational Technology and Cybersecurity Report, which “points to the opportunity for continued improvement for organizations to secure an ever-expanding IT/OT threat landscape” – The Stack has contacted the company for comment.
Microsoft’s blog is here.
The NSA’s detailed look at TTPs, IOCs, hashes et al is here.