The UK’s National Cyber Security Centre (NCSC), alongside intelligence agencies from the Anglophone Five Eyes alliance, has issued guidance highlighting a campaign of Chinese state-sponsored activity targeting critical national infrastructure (CNI) networks.
Working alongside Microsoft – which has attributed the campaign of malicious activity to an advanced persistent threat actor it has dubbed Volt Typhoon having recently revised its threat actor naming taxonomy – the intelligence community’s disclosure includes technical indicators of compromise and examples of the tactics, techniques and procedures being used by the group.
“It is vital that operators of critical national infrastructure take action to prevent attackers hiding on their systems, as described in this joint advisory with our international partners,” said NCSC operations director Paul Chichester.
“We strongly encourage providers of UK essential services to follow our guidance to help detect this malicious activity and prevent persistent compromise.”
According to Microsoft, Volt Typhoon has been active for approximately two years, and has targeted multiple CNI operators in the US Pacific island territory of Guam, as well as in the US itself. Organisations targeted include communications services providers, manufacturers, utilities, transport operators, construction firms, IT companies, educational institutions and government bodies.
According to The New York Times, the focus on Guam is particularly concerning given the territory’s proximity to Taiwan, and its value to the US in mounting a military response in Taiwan’s defence should China attack it.
Microsoft said that based on the behaviour it has observed, Volt Typhoon “intends to perform espionage and maintain access without being detected for as long as possible”.
It tends to access its victim networks via vulnerable Fortinet FortiGuard devices and subsequently blends into normal network activity by routing its traffic through compromised small and home office network edge devices, including Asus, Cisco, D-Link, Netgear and Zyxel hardware.
Once ensconced in its target network, Volt Typhoon becomes particularly stealthy, using living-off-the-land techniques and binaries (LOLbins) to extract data and credentials. This makes detecting its activity a particularly gruesome challenge for defenders, as LOLbins are “naturally occurring” tools and executables in the operating system used for legitimate purposes.
Marc Burnard, Secureworks senior consultant for information security research and thematic lead for China, said the group – which Secureworks tracks as Bronze Silhouette – has a “consistent focus” on operational security – minimising its footprint, deploying advanced techniques to avoid detection, and using previously compromised infrastructure.
“Think of a spy going undercover, their goal is to blend in and go unnoticed,” he said. “This is exactly what Bronze Silhouette does by mimicking usual network activity. This suggests a level of operational maturity and adherence to a modus operandi that is engineered to reduce the likelihood of the detection and attribution of the group’s intrusion activity.
“The incorporation of operational security, particularly when targeting Western organisations, is consistent with the network compromises that CTU researchers have attributed to Chinese threat groups in recent years,” added Burnard.
“These tradecraft developments have likely been driven by a series of high-profile US Department of Justice indictments of Chinese nationals allegedly involved in cyber espionage activity, public exposures of this type of activity by security vendors, which has likely resulted in increased pressure from leadership within the People’s Republic of China to avoid public scrutiny of its cyber espionage activity.
“China is known to be highly skilled in cyber espionage and Bronze Silhouette spotlights its relentless focus on adaption to pursue their end goal of acquiring sensitive information,” he said.
Guidance
Microsoft said organisations which find themselves affected by Volt Typhoon should immediately close or change credentials on all affected accounts, and examine their activity for any malicious actions or exposed data.
Organisations also have various tools at their disposal to defend against this activity, many of which fall under the category of basic cyber security hygiene. These include:
- Enforcing appropriate multi-factor authentication and credential management policies;
- Reducing the attack surface by enabling rules to block credential stealing, process creations and execution of potentially obfuscated scripts;
- Hardening the Local Security Authority Subsystem Service process by enabling Protective Process Light for LSASS on Windows 11 devices, and Windows Defender Credential Guard if not enabled by default;
- Enabling cloud-delivered protections available via Microsoft Defender Antivirus;
- Running endpoint detection and response in block mode to enable Microsoft Defender for Endpoint to block malicious artefacts even if a non-Microsoft antivirus product has not spotted them.
China hits back
Meanwhile, China’s government has responded angrily to the disclosures, accusing the Five Eyes alliance of waging a campaign of disinformation.
A spokesperson for China’s foreign ministry said the report was “extremely unprofessional” and not backed by sufficient evidence.
