Disclaimer: Copyright infringement not intended.

Context

FBI shuts down China’s ‘Volt Typhoon’ hackers targeting U.S. infrastructure

Details

Volt Typhoon

• The U.S. government in recent months launched an operation to fight a pervasive Chinese hacking operation that compromised thousands of internet-connected devices.
• While the Volt Typhoon campaign initially came to light in May 2023, the hackers expanded the scope of their operations late last year and changed some of their techniques
• It is a state-sponsored hacking group based in China that has been active since at least 2021.
• Volt Typhoon has functioned by taking control of vulnerable digital devices around the world - such as routers, modems, and even internet-connected security cameras - to hide later, downstream attacks into more sensitive targets
• To achieve their objective, the threat actor puts strong emphasis on stealth, relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity.
• The recurring attack pattern of Volt Typhoon begins with initial access via exploitation of public-facing devices or services.
• Volt Typhoon employs the comparatively uncommon practice of leveraging preinstalled utilities for most of their victim interactions.
• Compromised small office/home office (SOHO) devices are used by the attackers to proxy communications to and from the affected networks.
• The hacking group at the center of recent activity, Volt Typhoon, has especially alarmed intelligence officials who say it is part of a larger effort to compromise Western critical infrastructure, including naval ports, internet service providers and utilities.
• They issue commands via the command line to (1) collect data, including credentials from local and network systems: (2) put the data into an archive file to stage it for exfiltration: and then (3) use the stolen valid credentials to maintain persistence.
• Volt Typhoon was a particularly quiet operator that hid its traffic by routing it through hacked network equipment, like home routers, and carefully expunging evidence of intrusions from the victim’s logs.
• This combination of behaviors makes detection especially difficult, as defenders must be able to differentiate between attacker activities and those of power users or administrative staff.

What is critical infrastructure?

• Critical infrastructure is the collection of systems, networks and public works that a government considers essential to its functioning and safety of its citizens.
• The specific infrastructure that each nation considers critical varies. It usually includes electrical grids, public services and communication systems. Special attention must be given to protect critical infrastructure from cyber attacks.

Download PDF