Microsoft uncovers cyberespionage campaign by Chinese state-backed hackers targeting critical infrastructure organizations in Guam. The discovery is raising concerns about potential disruptions to U.S.-Asia communications during future crises.
Microsoft revealed that Chinese state-backed hackers infiltrated and extracted data from crucial infrastructure organisations in Guam, a significant U.S. territory in the Pacific Ocean. Chinese-developed cyberespionage malware found in Guam raises concerns over its strategic significance in potential military conflicts with Taiwan.
In a detailed note documenting the Advanced Persistent Threat (APT) discovery, Microsoft states, “We assess with moderate confidence that this [Chinese cyberespionage] campaign is pursuing the development of capabilities that could disrupt critical communications infrastructure between the United States and the Asia region during future crises.” This assessment highlights the severity of the situation and the potential consequences of such actions.
CISA acted fast, issuing a bulletin to highlight the danger presented by the hackers. The bulletin offers crucial direction for mitigation, Indicators of Compromise (IOCs), and other valuable telemetry to assist defenders in detecting signs of compromise.
Volt Typhoon: Stealthy and Targeted Malicious Activity
Volt Typhoon, as described by Microsoft, engages in stealthy and targeted malicious operations. The group focuses on post-compromise credential access and network system discovery. The campaign has been active since mid-2021 and has specifically targeted critical infrastructure organizations in Guam, United States.
The Chinese government hackers have breached organizations in various sectors: communications, manufacturing, utilities, transportation, construction, maritime, government, information technology, and education. Microsoft’s analysis indicates that the threat actors aim to engage in espionage while keeping their access concealed for as much time as they can.
The hackers exploit weaknesses in Fortinet FortiGuard devices to gain access without permission. They exploit SOHO routers to conceal their activities. Microsoft confirmed that ASUS, Cisco, D-Link, NETGEAR, and Zyxel devices permit HTTP or SSH management interfaces to be exposed to the internet. Owners of network edge devices should safeguard their management interfaces from public internet access to minimise the risk of attacks.
The Volt Typhoon group employs proxies to boost their stealth and cut down on infrastructure expenses. Their tactics involve using “living-off-the-land” commands to gather system information, find more network devices, and take valuable data.