Microsoft has uncovered stealthy and targeted malicious activity focused on post-compromise credential access and network system discovery aimed at critical infrastructure organizations in the United States.
The attack is carried out by Volt Typhoon, a state-sponsored actor based in China that typically focuses on espionage and information gathering. Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.
Volt Typhoon has been active since mid-2021 and has targeted critical infrastructure organizations in Guam and elsewhere in the United States. In this campaign, the affected organizations span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. Observed behavior suggests that the threat actor intends to perform espionage and maintain access without being detected for as long as possible.
To achieve their objective, the threat actor puts strong emphasis on stealth in this campaign, relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity. They issue commands via the command line to (1) collect data, including credentials from local and network systems, (2) put the data into an archive file to stage it for exfiltration, and then (3) use the stolen valid credentials to maintain persistence. In addition, Volt Typhoon tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware. They have also been observed using custom versions of open-source tools to establish a command and control (C2) channel over proxy to further stay under the radar.
Volt Typhoon is targeting critical infrastructure providers, and using tactics for achieving and maintaining unauthorized access to target networks. Because this activity relies on valid accounts and living-off-the-land binaries (LOLBins), detecting and mitigating this attack could be challenging.
Compromised accounts must be closed or changed. At the end of this blog post, we share more mitigation steps and best practices, as well as provide details on how Microsoft 365 Defender detects malicious and suspicious activity to protect organizations from such stealthy attacks. The National Security Agency (NSA) has also published a Cybersecurity Advisory [PDF] which contains a hunting guide for the tactics, techniques, and procedures (TTPs) discussed in this blog.
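The chain described above (credential collection with built-in tools, then archiving the data to stage it) is what a defender can correlate in process-creation logs. The following is an added example written for this page, not code from Microsoft or the NSA advisory; the log schema, the sample events and the indicator patterns are assumptions, chosen as well-known illustrations of the two stages rather than indicators taken from the page.

```python
"""Correlate living-off-the-land credential access with archive staging.
Log schema is assumed and constructed (not from the page): one dict per
process-creation event with host, ts (epoch seconds), user, cmdline.
Indicator patterns are illustrative, not indicators taken from the page."""
import re
from collections import defaultdict

# Stage 1: credential material copied with built-in tools (assumed patterns).
CRED_ACCESS = [
    re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|security|system)\b", re.I),
    re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b", re.I),
]
# Stage 2: archive created to stage data for exfiltration (assumed patterns).
ARCHIVE = [
    re.compile(r"\b7za?(\.exe)?\s+a\b", re.I),
    re.compile(r"\bmakecab(\.exe)?\b", re.I),
]

def _matches(patterns, cmdline):
    return any(p.search(cmdline) for p in patterns)

def correlate(events, window=3600):
    """One alert per host where credential access is followed by archive
    creation within `window` seconds; either stage alone does not alert."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        cred = [e for e in evs if _matches(CRED_ACCESS, e["cmdline"])]
        arch = [e for e in evs if _matches(ARCHIVE, e["cmdline"])]
        for c in cred:
            hit = next((a for a in arch if 0 <= a["ts"] - c["ts"] <= window), None)
            if hit:
                alerts.append({"host": host, "user": c["user"], "cred_cmd": c["cmdline"],
                               "archive_cmd": hit["cmdline"], "lag_s": hit["ts"] - c["ts"]})
                break  # one alert per host is enough for triage
    return alerts

# Constructed sample events: fs01 shows the full chain, the others only one stage.
SAMPLE = [
    {"host": "fs01", "ts": 1000, "user": "svc_backup", "cmdline": r"reg save hklm\sam C:\Windows\Temp\sam.hiv"},
    {"host": "fs01", "ts": 1900, "user": "svc_backup", "cmdline": r"7z.exe a -p C:\Windows\Temp\out.7z C:\Windows\Temp\*.hiv"},
    {"host": "ws07", "ts": 1200, "user": "jdoe", "cmdline": "makecab report.docx report.cab"},
    {"host": "dc01", "ts": 5000, "user": "admin", "cmdline": 'ntdsutil.exe "ac i ntds" ifm "create full C:\\temp" q q'},
]
if __name__ == "__main__":
    for alert in correlate(SAMPLE):
        print(alert)
```

Because the actor uses valid accounts, the alert's `user` field is the pivot for the follow-up: that account's other logons and any SOHO-sourced sessions are what to review next.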
+1 #ALERT!!! — MECHENG 2023-05-25 14:41
In Pewaukee, WI. Second day in a row Blackhawk landed at a very small airport, no jets only piper cub planes and ultra lights. NO TRANSPONDER on Blackhawk. Flew by my window, did an ADS flight tracker, no ID. Same time about 13:35.
Has anyone seen activity of Blackhawks at tiny airports? Very concerned.
##ALERT!!! — AMB1970 2023-05-26 01:39
Yes, Piedmont, SC. Blackhawks have been on a regular schedule at our small airport for months. As well as planes from Mexico (coming out of Texas) landing in the middle of the night at same small airport that supposedly closes at dusk.
We are extremely concerned over the activity.
#RE: ALERT!!! — PrivateJohn3:16 2023-05-25 15:25
I am near a tiny airport that is primarily used for training amateur pilots. It is in between two regional airports. Each of these airports mentioned is in a different state in a tristate area. I have noticed a very high uptick in activity. Wright Patterson is a couple hours away, also, but I am not close enough to monitor Wright Patt. I am just a local who has lived here since birth, and I am able to say very confidently that activity has highly increased. I hear the planes, I see them. Some are commercial, some are not. I see what I’m assuming are news helicopters closer to the ground. I haven’t seen any Blackhawks yet.
+1 #ALERT!!! — MECHENG 2023-05-25 16:03
The little airport is right next to a major east west divided HWY. Memorial Weekend, just strange and concerning.
+2 #Fear…always more fear… — WilliamtheResolute 2023-05-25 08:32
My government working to protect me…I doubt it.
+3 #Powers going out — Srmay72 2023-05-25 08:02
East central Indiana: our power company is working full speed. They bought tons of new transformers, all sizes. They don’t have any new service scheduled. One substation has hundreds of new transformers sitting there. Yesterday loads of HUGE SUBSTATION TRANSFORMERS CAME. I DO BELIEVE SOMETHING “BIG” IS COMING THAT WILL BURN DOWN THE GRID AND THEN BLAME CHINA
#US Moves to Pull Chinese Equipment From Its Power Grid — paulattahoe 2023-05-25 17:15
This has been going on since 2020. The Chinese transformers are made to be very easily hacked from offshore.
+1 #Hmmmm — firstname.lastname@example.org 09:49
That’s not an “overnight” kind of purchase…like nuts & bolts. There is a considerable lag time between ordering and delivery of transformers. Doesn’t that imply…someone knew something for some time now.
+6 #RE: ALERT ISSUED: China CCP Attacking Communications Infrastructure in USA — RAFO 2023-05-25 07:11
Microsoft is reporting this?? They’re reporting on what a Chinese company is doing?? All these globalists are in the same bed. Sorry, but something’s rotten in Denmark. I don’t trust big Bill’s company to tell me the truth about anything!
-1 #Not that bad — email@example.com 06:08
This CISA announcement is not that bad really. The APT group is only able to penetrate SOHO firewalls, not corporate-grade ones. Living off the land is easy with stolen creds, but unless it is a firewall administrator’s so they can reconfigure the firewall (which also would set off alarms) they would have a very hard time getting any data out of a protected network. There are ways like DNS tunneling and such, but I see way worse threats than this literally every day. Just sayin..
+2 #RE: ALERT ISSUED: China CCP Attacking Communications Infrastructure in USA — PrivateJohn3:16 2023-05-25 05:11
Why is this occurring at the same time that the 50 satellite phones are given to senators? All were offered them, supposedly, half took them. Is there a connection there, literally? A direct line? To take commands, perhaps? To give intel?
+11 #Hal Turner — PrivateJohn3:16 2023-05-25 04:13
I believe your previous Biblical post led some to Jesus Christ, between yourself and your subscribers. I felt the Holy Spirit many times as a result of reading the comments. This is the Great Commission, the work the Lord requested of us, to spread the Gospel. By using the tools of our generation, we truly spread the Gospel. I genuinely smiled today for the first time in many years, the kind that made my face vibrate and shine with joy. Congratulations to you, Hal Turner, for opening some to God. May God have mercy on us all, and spare as many as is His will, in the name of Jesus Christ. His name will become illegal, so write it in your hearts.
+1 #Wtf — drywall181 2023-05-24 23:24
At the edge in Russia, Poland threatens to enter Belarus, Germany going to ship long range missiles, and we get this? And Tina Turner?
+1 #RE: Wtf — PrivateJohn3:16 2023-05-25 04:15
It’s a scrimmage, not the game.
+4 #WAKE ME WHEN IT’S OVER — zoochman 2023-05-24 21:21
What other data could China want other than TIK TOK and language interpreters? Anyone who still has money in a bank is a fool and really, who needs a phone anyways? With police defunded, you’re really on your own.
#RE: WAKE ME WHEN IT’S OVER — PrivateJohn3:16 2023-05-25 05:30
+11 #Everybody does this. — Chappyusa1 2023-05-24 20:59
Trust me, USA does it too. Russia does it. They all do. Nothing new under the sun.
+5 #cheaters cheaters — my-boss 2023-05-24 21:08
You got that right, let’s hope the Chinese screw up Microsoft.
+4 #Can we get a dumbed down version of what this all means — jddonahey1990 2023-05-24 20:46
Sum it up for me. I don’t get it. In all fairness I had to stop reading multiple times because my kids needed things but yeah.
+2 #?? — la0508 2023-05-24 20:34
And we know this isn’t a false flag how? Interesting that we have already passed out free sat phones to the people who count. And told them to get into a bunker. I’m not saying something might not be going on, just questioning the source. Manufacturing consent and all. Getting us ready for something we wouldn’t otherwise agree to.
+2 #RE: ?? — PrivateJohn3:16 2023-05-25 04:32
I think if there’s an occurrence in US, it’s ff. Blamed on another.
+4 #Micro$oft — unixguru24 2023-05-24 20:00
Also runs the software that most of our 911 centers use as well. Worth noting. I’m sure they are into other stuff that we wouldn’t know about. Makes ya kinda feel all warm and fuzzy doesn’t it?
-5 #█▓▒░ warm and fuzzy guru ░▒▓█ — Palehorse 2023-05-24 21:30
warm and fuzzy
Kind of making a fool of yourself.
+18 #All Microsoft is doing….. — Jdr211971 2023-05-24 19:56
All Microsoft is doing is allowing the Chicoms to do as they wish, but calling them out so as to have plausible deniability down the road.
+10 #RE: All Microsoft is doing….. — d_7 2023-05-24 20:00
+4 #RE: ALERT ISSUED: China CCP Attacking Communications Infrastructure in USA — d_7 2023-05-24 19:47
If an individual or business (or otherwise) runs their communications off a Microsoft anything, there is one, and one word alone, for it.
+13 #Any updates on… — dave0975644 2023-05-24 19:34
All the top US gov officials and congresscum heading for their bunkers this weekend???
#Not mine — Jessiebeaner 2023-05-24 23:22
He is working
+3 #RE: Any updates on… — firstname.lastname@example.org 19:46
Seems some state level “scum” have also been tapped to join in this exclusive jaunt…
#Which — Ted 2023-05-24 21:10
Ones do you know of, Rivka?
#RE: Which — email@example.com 00:07
Several prominent dem governors but I’m sure they will deny if questioned….we’ll see if they are noticeably absent from public appearances over the holiday weekend, that should be telling…
#RE: ALERT ISSUED: China CCP Attacking Communications Infrastructure in USA — Stefanjunior 2023-05-24 19:15
In the past, whenever the US accused China or any other country of doing something shady, it was a lie and it was the US that was actually doing that. Back in the early 2000’s some screensaver software that allegedly had Chinese hacking spyware in it was actually done by the US. Or how about the accusations by the US that China, Iran, and every nation the US wanted to overthrow was torturing people and all kinds of other nasty stuff? Yeah, it was the US running countless secret torture camps around the world, and still does. Say, didn’t some US SINators get satellite phones recently just in case? Well, looks like we have a new whipping country when this just-in-case is activated. Remember, the US is the one who does something and points the finger at others, like the fat bully that farted in class and accuses everyone else in the hope of diverting attention from itself.