In the dynamic realm of cybersecurity, a novel menace has emerged, creating a wave of apprehension. Microsoft has identified and dubbed this threat ‘Volt Typhoon’, a state-sponsored Chinese hacking group that is raising alarms in the cybersecurity community. Their intriguing strategy? They abuse legitimate tools and techniques already present within organizations to remain undetected and execute their attacks, a method known as “living off the land”.
Decrypting Volt Typhoon’s Modus Operandi
From mid-2021 onwards, Volt Typhoon has been operational, setting its sights on essential cyber infrastructure across a range of sectors, including government and communications organizations. The hackers’ main target is the disruption of critical communication links between the United States and Asia, with a particular focus on Guam’s communication infrastructure, a critical strategic point for the American military in the event of a Taiwanese invasion.
Living off the Land: Volt Typhoon predominantly relies on “living-off-the-land” techniques and direct keyboard activity, using built-in commands to collect data, including credentials from local and network systems, and then staging the data for exfiltration. To blend into normal network activity, they route traffic through compromised small office/home office (SOHO) network equipment, including routers, firewalls, and VPN hardware, and use custom versions of open-source tools to establish a command and control (C2) channel over proxy.
Initial Access: The hackers gain initial access through internet-facing Fortinet FortiGuard devices. Once they gain access, they try to extract credentials to an Active Directory account used by the device and then attempt to authenticate to other devices on the network with those credentials. They also enhance their operations’ stealth by proxying their network traffic through compromised SOHO network edge devices.
Post-Compromise Activity: Once they gain access to a target environment, they conduct hands-on-keyboard activity via the command line, utilizing living-off-the-land commands to find system information, discover additional devices on the network, and exfiltrate data.
Credential Access: If the compromised account has privileged access, Volt Typhoon attempts to dump credentials through the Local Security Authority Subsystem Service (LSASS), which contains hashes for the current user’s operating system (OS) credentials. They also use the command-line tool Ntdsutil.exe to create installation media from domain controllers, enabling them to crack usernames and password hashes offline and regain access to a compromised organization if they lose it.
System Discovery: Volt Typhoon is observed discovering system information, including file system types, drive names, size, free space, running processes, and open networks. They also attempt to discover other systems on the compromised network using PowerShell, Windows Management Instrumentation Command-line (WMIC), and the ping command.
Data Collection: In addition to OS and domain credentials, the group dumps information from local web browser applications and stages collected data in password-protected archives.
Command and Control: In most cases, Volt Typhoon accesses compromised systems by signing in with valid credentials, the same way authorized users do. However, they sometimes create proxies on compromised systems to facilitate access using the built-in netsh portproxy command. They also use custom versions of open-source tools Impacket and Fast Reverse Proxy (FRP) to establish a C2 channel over proxy.
Potential Impact on Critical Infrastructure Security
The emergence of Volt Typhoon underscores the intensifying threat surrounding critical infrastructure. Their focus spans critical sectors, such as communications, transport, maritime industries, and government organizations. Their actions pose a significant threat to American intellectual property, and by remaining undetected for as long as possible, they can perform espionage and maintain access to compromised systems.
The stealth tactics employed by Volt Typhoon necessitate a robust multi-faceted defense strategy. This includes:
- Implementing strong multi-factor authentication (MFA) policies using hardware security keys or Microsoft Authenticator.
- Enforcing passwordless sign-in, password expiration rules, and deactivating unused accounts.
- Reducing the attack surface by blocking credential stealing from the Windows Local Security Authority Subsystem (lsass.exe) and blocking process creations originating from PsExec and WMI commands.
- Blocking execution of potentially obfuscated scripts.
- Hardening the LSASS process by enabling Protected Process Light (PPL) for LSASS on Windows 11 devices and enabling Windows Defender Credential Guard.
- Turning on cloud-delivered protection in Microsoft Defender Antivirus to cover rapidly evolving attacker tools, techniques, and behaviors such as those exhibited by Volt Typhoon.
- Running endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat, or when Microsoft Defender Antivirus is running in passive mode.
In the event of a compromise:
- Close or change credentials for all compromised accounts. Depending on the level of collection activity, many accounts may be affected. Identify LSASS dumping and domain controller installation media creation to identify affected accounts.
- Examine the activity of compromised accounts for any malicious actions or exposed data.
By staying vigilant and implementing robust security measures, organizations can safeguard themselves against the sophisticated techniques of state-sponsored actors like Volt Typhoon. As the cyber landscape continues to evolve, it is essential to remain aware of emerging threats and adapt our defenses accordingly.