Stealthy initiative to infiltrate key American infrastructure through everyday office equipment in homes

Cyber-espionage group Volt Typhoon, believed to be backed by a nation, is attempting to infiltrate American digital infrastructure, according to Microsoft and the Five Eyes intelligence alliance, amid escalating geopolitical strife in the Pacific region.

Ongoing Effort to Access Crucial American Infrastructure via domestic home workstations

Microsoft researchers have uncovered a state-sponsored threat actor named Volt Typhoon that is running a stealthy malicious cyber campaign abusing small office/home office (SOHO) routers, firewalls, and VPN devices.

Volt Typhoon has been targeting critical infrastructure providers in the U.S. and Guam, with the new activity suggesting possible preparation for disruptive or destructive cyberattacks. The hackers are using living-off-the-land techniques to blend in with normal Windows activity, evading detection by endpoint detection and response software.

Researchers from Mandiant have recognized the hackers from previous campaigns against air, maritime, and land transportation targets. After gaining access through compromised Fortinet FortiGuard devices, the hackers attempt to leverage whatever privileges those devices afford and then extract credentials for an Active Directory account.

The major industries targeted by Volt Typhoon include communications, manufacturing, utilities, transportation, construction, IT, education, and government. The hackers are also abusing internet-facing devices from various companies, including ASUS, Cisco, D-Link, Netgear, and Zyxel.

The campaign is designed to disrupt communications with Asia amid growing hostilities with the People's Republic of China. Tom Winston, director of intelligence content at Dragos, stated that adversaries frequently target critical infrastructure to perform reconnaissance and eventually gain a foothold in the event of an escalation in tension or war.

John Hultquist, chief analyst at Mandiant Intelligence, Google Cloud, stated that states conduct long-term intrusions into critical infrastructure to prepare for possible conflict. The Cybersecurity and Infrastructure Security Agency, the FBI, the National Security Agency, and cyber agencies from the Five Eyes have issued an advisory about the campaign.

Microsoft has directly notified customers who were targeted or compromised in the current campaign. The NSA has published a guide to detect and mitigate living-off-the-land activity. Fortinet officials could not be immediately reached for comment regarding the current campaign.

As the situation develops, it is crucial for organisations to remain vigilant and follow best practices for cybersecurity to protect their systems and data.