Stealth hackers sneak into critical US and Guam infrastructure undetected

A stealthy group has managed to build a durable foothold in critical infrastructure organizations in the United States and Guam without detection, Microsoft and the Five Eyes countries said Wednesday.

The tech giant's threat intelligence team is tracking the activity, which includes post-compromise credential access and network system discovery, under the name Volt Typhoon.

Focused on espionage and information gathering, the state-backed actor has been active since June 2021 and relies on tools that are already installed on, or built into, compromised machines in order to minimize its intrusion footprint.

Some prominent target industries include communications, manufacturing, utilities, transportation, construction, maritime, government, information technology and education.

The company further assessed with moderate confidence that the operation was "seeking to develop capabilities that could disrupt critical communications infrastructure between the U.S. and the Asian region during future crises."

A distinguishing feature of these attacks is the "strong emphasis on stealth": the adversary relies exclusively on living-off-the-land (LotL) techniques to exfiltrate data from local web browser applications and leverages stolen credentials for backdoor access.

The primary goal is to evade detection by blending in with normal Windows system and network activity, suggesting that the threat actor is deliberately keeping a low profile in order to obtain sensitive information.

"In addition, Volt Typhoon attempted to blend into normal network activity by routing traffic through infected small office and home office (SOHO) network devices, including routers, firewalls, and VPN hardware," Microsoft said.

Another unusual piece of tradecraft is the use of customized versions of open-source tools to establish command-and-control (C2) channels over proxies, together with the use of compromised servers belonging to other organizations as nodes in its C2 proxy network, in order to hide the source of the attack.

In one incident reported by The New York Times, the group hacked into Guam's telecommunications network and installed a malicious web shell. Guam is a sensitive U.S. military outpost in the Pacific.

The initial intrusion vector involves the exploitation of an unknown zero-day flaw in internet-facing Fortinet FortiGuard appliances, although Volt Typhoon has also been observed weaponizing flaws in Zoho ManageEngine servers. The access is then abused to steal credentials and break into other devices on the network.

The Windows maker also noted that it directly notified targeted or compromised customers and provided them with the necessary information to protect their environments.

However, it warned that mitigating such risks could be "particularly challenging" when threat actors leverage valid accounts and living-off-the-land binaries (LOLBins) to carry out their attacks.

Secureworks, which monitors the threat group under the name Bronze Silhouette, said the group "carefully considers operational security ... and relies on compromised infrastructure to prevent detection and attribution of its intrusion activities."

Meanwhile, Reuters has revealed that hackers carried out a far-reaching, three-year series of attacks on key Kenyan government ministries and state institutions, allegedly to gain information on "the East African nation's debts to Beijing".

The digital intrusions are suspected to be the work of BackdoorDiplomacy (aka APT15, Playful Taurus, or Vixen Panda), which has been targeting government and diplomatic entities in North and South America, Africa, and the Middle East since at least 2010.

Disclaimer: The information in this article comes from The Hacker News; the copyright belongs to the author, and it is reprinted here only to convey more information. If there is any infringement, please contact this site to have it removed.

Origin blog.csdn.net/lavin1614/article/details/130889215