The US government said on Wednesday that the Chinese state-sponsored hacking group known as Volt Typhoon had been embedded in some critical infrastructure networks in the country for at least five years.
The threat actor’s targets include the communications, energy, transportation, and water and wastewater systems sectors in the United States and Guam.
“The choice of targets and behavior pattern of Volt Typhoon is not consistent with traditional cyber espionage or intelligence gathering operations, and US research agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to allow lateral movement to OT assets to disrupt functions,” the US government said.
The joint advisory, released by the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI), was also supported by other nations that are part of the Five Eyes (FVEY) intelligence alliance comprising Australia, Canada, New Zealand and the United Kingdom.
Volt Typhoon – also called Bronze Silhouette, Insidious Taurus, UNC3236, Vanguard Panda or Voltzite – is a stealthy cyber espionage group based in China believed to be active since June 2021.
It first came to light in May 2023, when Microsoft revealed that the hacking team had managed to establish a persistent foothold in critical infrastructure organizations in the United States and Guam for long periods of time without detection, primarily relying on living-off-the-land (LotL) techniques.
“This type of tradecraft, known as ‘living off the land’, allows attackers to operate discreetly, with malicious activities blending in with legitimate system and network behavior, making differentiation difficult even by organizations with more mature security postures,” the UK National Cyber Security Centre (NCSC) said.
Another distinctive tactic employed by Volt Typhoon is the use of multi-hop proxies such as KV-botnet to route malicious traffic through a network of compromised routers and firewalls in the United States to disguise its true origins.
Cybersecurity firm CrowdStrike, in a report published in June 2023, highlighted its reliance on a vast arsenal of open source tools against a narrow group of victims to achieve its strategic objectives.
“Volt Typhoon actors conduct extensive pre-exploitation reconnaissance to learn about the target organization and its environment; adapt their tactics, techniques, and procedures (TTPs) to the victim’s environment; and dedicate ongoing resources to maintaining persistence and understanding the target environment over time, even after the initial compromise,” the agencies noted.
“The group also relies on valid accounts and leverages strong operational security, which combined allows for long-term undiscovered persistence.”
Additionally, the nation-state actor has been observed attempting to obtain administrator credentials within the network by exploiting privilege escalation flaws, subsequently leveraging the elevated access to facilitate lateral movement, reconnaissance, and domain-wide compromise.
The campaign’s ultimate goal is to maintain access to compromised environments, “methodically” re-targeting them over years to validate and expand the unauthorized access. This meticulous approach, according to the agencies, is evident in cases where the actors have repeatedly exfiltrated domain credentials to retain access to current, valid accounts.
“In addition to exploiting stolen account credentials, the perpetrators use LOTL techniques and avoid leaving malware artifacts on systems that could cause alerts,” CISA, FBI and NSA said.
“Their strong focus on stealth and operational security allows them to maintain long-term persistence without being detected. Additionally, Volt Typhoon operational security is enhanced by targeted log deletion to hide their actions within the compromised environment.”
The development comes as Citizen Lab revealed a network of at least 123 websites posing as local news outlets in 30 countries across Europe, Asia and Latin America that are promoting pro-China content in a widespread influence campaign linked to a corporate public relations agency in Beijing called Shenzhen Haimaiyunxiang Media Co., Ltd.
The Toronto-based digital watchdog, which has dubbed the influence operation PAPERWALL, said it shares similarities with HaiEnergy, albeit with different operators and unique TTPs.
“A central feature of PAPERWALL, observed across the network of websites, is the ephemeral nature of its most aggressive components, whereby articles attacking Beijing’s critics are routinely removed from these sites sometime after their publication,” Citizen Lab said.
In a statement shared with Reuters, a spokesperson for the Chinese Embassy in Washington said that “it is a typical bias and double standard to claim that pro-China content and reports are ‘disinformation’ and call anti-China content real information.”