A group of Chinese hackers that Microsoft calls “Volt Typhoon” has been big news as of late, with multiple reports being published about their exploits in United States critical infrastructure systems. It turns out that those exploits have been going on for at least five years in some victim environments, according to a new joint warning published by the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI).
The central theme of these recent reports has been that Volt Typhoon is quietly positioning itself to wreak havoc on US critical infrastructure should a military conflict over Taiwan break out. That premise remains true, but the extent of the campaign and the length of time it has been going on have apparently been underestimated until now. The Chinese hackers have not only been setting up shop in this way since prior to the Covid-19 pandemic, but are also targeting the US’s “Five Eyes” intelligence partners and may similarly be prowling the networks of Canada, Australia and New Zealand.
Chinese hackers have specialized in “living off the land” for half a decade
The report warns that Volt Typhoon has a special interest in a few specific areas of critical infrastructure, all of which could be leveraged to cause real-world chaos and damage: communications, energy, transportation and water/wastewater systems. The Chinese hackers would likely look to knock out electricity and internet, confuse transportation communications systems and possibly even go as far as attempting to cut off or taint water systems should an open conflict take place.
As previous government and Microsoft reports on the group have noted, the Chinese hackers are “anomalous” in their actions as they attempt to establish long-term footholds without really doing anything else (such as espionage-oriented data exfiltration or deployment of malware). The group also appears interested not just in military assets that might come into play in a Pacific theater, but also mainland US attacks that could spill over into Canada’s critical infrastructure.
The new warning documents a specific pattern of reconnaissance and compromise that the Chinese hackers appear to employ in most cases. The group spends a long time doing pre-compromise reconnaissance to map out network architecture and internal organization protocols. Its first penetration move is to seek out compromised credentials, and once it has access it avoids using that access outside of known work hours so as not to trigger automated detection of unusual activity. As has been previously documented, the group also very actively scans for network devices with known vulnerabilities (particularly routers and security cameras).
Once the Chinese hackers have an initial foothold in a network, they employ privilege escalation vulnerabilities in the operating system or network services to obtain administrator credentials. Sometimes they stumble into credentials that are improperly stored in public-facing spaces. Whatever the case, administrator access is then used to move to the domain controller and other devices via remote access services such as Remote Desktop Protocol. The group eventually extracts the entire Active Directory database from domain controllers and is thought to use offline password cracking tools to break hashes and gain access to even more accounts. But from here the group lies low, in some cases remaining silent for several years.
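The two paragraphs above describe a detection problem from the defender's side: an actor who deliberately works inside business hours will not trip an off-hours logon rule, but the path the credentials take (VPN gateway, then RDP hop by hop to a domain controller) is still visible in logon telemetry. The following Python is an added illustration, not code from the advisory or from the article: it runs over a handful of constructed Windows-style logon events (logon type 10 is RDP) and contrasts a naive off-hours rule with a rule keyed on where an account goes. Host names, the jump-host allowlist and the VPN gateway naming are assumptions for the example.

```python
"""Compare an off-hours logon rule with a path-based rule over constructed logon events.

Added example, not part of the advisory or the article. Hosts, accounts and
the sanctioned jump host are invented for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, account, logon_type, source_host, destination_host).
# Logon type 10 = RemoteInteractive (RDP); hosts named "vpn-gw-*" are the VPN gateway pool (assumed).
EVENTS = [
    ("2024-02-05T09:12:00", "svc-backup", 10, "vpn-gw-01", "FS01"),   # in via VPN, business hours
    ("2024-02-05T10:41:00", "svc-backup", 10, "FS01", "DC01"),        # hop onward to a domain controller
    ("2024-02-05T14:03:00", "j.doe", 10, "jump-01", "DC01"),          # admin using the sanctioned jump host
    ("2024-02-05T22:30:00", "j.doe", 10, "ws-doe", "FS01"),           # employee working late on a file server
]
DOMAIN_CONTROLLERS = {"DC01", "DC02"}
ADMIN_JUMP_HOSTS = {"jump-01"}   # assumption: the only sanctioned RDP source for domain controllers
VPN_PREFIX = "vpn-gw"
WORK_HOURS = (8, 18)             # local business hours, [start, end)


def parse(event):
    """Turn one raw tuple into (datetime, account, logon_type, src, dst)."""
    ts, account, logon_type, src, dst = event
    return datetime.fromisoformat(ts), account, logon_type, src, dst


def off_hours_alerts(events):
    """Naive rule: flag any RDP logon that happens outside business hours.

    An actor who keeps to office hours never appears here; a late-working
    employee does.  Returns a list of (account, destination).
    """
    alerts = []
    for ts, account, ltype, src, dst in sorted(map(parse, events)):
        if ltype == 10 and not (WORK_HOURS[0] <= ts.hour < WORK_HOURS[1]):
            alerts.append((account, dst))
    return alerts


def path_alerts(events, window=timedelta(hours=24)):
    """Path rule, independent of the clock.

    Fires when (a) an RDP session reaches a domain controller from any host
    other than the sanctioned jump hosts, or (b) an account that entered
    through the VPN gateway reaches a domain controller, directly or via an
    intermediate hop, within `window`.  Returns (rule, account, src, dst) tuples.
    """
    alerts = []
    vpn_entries = defaultdict(list)   # account -> timestamps of VPN-sourced logons
    for ts, account, ltype, src, dst in sorted(map(parse, events)):
        if src.startswith(VPN_PREFIX):
            vpn_entries[account].append(ts)
        if ltype == 10 and dst in DOMAIN_CONTROLLERS and src not in ADMIN_JUMP_HOSTS:
            alerts.append(("rdp_to_dc_from_unsanctioned_host", account, src, dst))
        if dst in DOMAIN_CONTROLLERS and any(
            t <= ts and ts - t <= window for t in vpn_entries[account]
        ):
            alerts.append(("vpn_then_dc", account, src, dst))
    return alerts


if __name__ == "__main__":
    print("off-hours rule :", off_hours_alerts(EVENTS))
    print("path rule      :", path_alerts(EVENTS))
```

On the constructed events the off-hours rule produces one alert, and it is the benign late-working employee, while the service account that entered through the VPN and reached the domain controller during the working day is never seen. The path rule flags only that account, twice: once for the RDP hop onto the domain controller from a non-jump host, and once for the VPN-to-DC chain. In a real deployment the same logic would read 4624 events with their logon type and source fields rather than an inline list.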
Critical infrastructure attacks hinge on common use of end-of-life network components
The new warning also delivers a little more detail on how the Chinese hackers select their critical infrastructure targets and hide their traffic. It has been known for some time that they target specific Cisco and Netgear routers known to be vulnerable and past their security patching life, but they also key in on specific vulnerabilities in Fortinet, Ivanti Connect Secure and Citrix models. Their bread-and-butter is in exploiting unpatched documented vulnerabilities, but at times they have deployed zero-days against network devices.
To blend in with normal traffic the Chinese hackers use VPNs and legitimate but outdated versions of network admin tools as they explore networks for further points of exploitation. They rarely deploy malware, but when they do they attempt to obfuscate it by packing it as a more innocent-looking file. In one example case of an unnamed water and wastewater systems company that was penetrated, the attackers connected to the network via a VPN with administrator credentials and then used that access to open an RDP session. Over a period of nine months they gradually moved laterally to a file server, a domain controller, an Oracle Management Server (OMS), and a VMware vCenter server. This eventually provided them with a critical level of access to water treatment systems, water wells and an electrical substation.
There was also a more concrete example of exactly what the Chinese hackers look for (and plan to do) once they have extensive access to a critical infrastructure system. In one unnamed network they went after diagrams and documentation related to OT equipment, including supervisory control and data acquisition (SCADA) systems, relays, and switchgear. This provides evidence that their focus is on causing physical impacts and damage.
The report advises potentially impacted critical infrastructure companies on a wide range of mitigations. Among the chief recommendations are to conduct an immediate inventory of all organizational IT assets, ensure edge appliances/devices do not have accounts that could provide domain access, and to revoke unnecessary public access to cloud environments.
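The three headline mitigations above (inventory the estate, keep domain-capable accounts off edge appliances, close unjustified public access to cloud resources) all reduce to questions that can be asked of an asset inventory, and the end-of-life router problem from the previous section belongs in the same pass. The Python below is an added example, not code from the advisory or from any vendor tool: it audits a constructed inventory against those rules and returns prioritized findings. The inventory fields, the sample assets and the fixed reference date are assumptions made for the illustration.

```python
"""Audit a constructed asset inventory against the advisory's headline mitigations.

Added example, not part of the advisory. Field names, the sample assets and the
reference date are invented; real inventories would be exported from a CMDB,
the directory and the cloud control plane.
"""
from datetime import date

AS_OF = date(2024, 2, 7)   # fixed reference date so the audit is reproducible

# Constructed inventory.  "eol" is the vendor end-of-support date (None = unknown).
INVENTORY = [
    {"name": "edge-rtr-01", "kind": "edge", "eol": date(2020, 1, 31),
     "accounts": [{"user": "admin", "domain_member": False}]},
    {"name": "vpn-01", "kind": "edge", "eol": date(2026, 6, 30),
     "accounts": [{"user": "svc-vpn", "domain_member": True, "groups": ["Domain Admins"]}]},
    {"name": "cam-lobby", "kind": "edge", "eol": None, "accounts": []},
    {"name": "blob-backups", "kind": "cloud", "public": True, "public_justified": False},
    {"name": "web-cdn", "kind": "cloud", "public": True, "public_justified": True},
    {"name": "dc01", "kind": "server", "eol": date(2029, 1, 1), "accounts": []},
]

# Group memberships that turn "a domain account on an edge box" into a domain-wide exposure.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


def audit(inventory, as_of=AS_OF):
    """Return (severity, asset_name, reason) findings, most severe first."""
    findings = []
    for asset in inventory:
        name, kind = asset["name"], asset["kind"]

        if kind == "edge":
            # Rule 1: edge devices past vendor support cannot be patched for new bugs.
            eol = asset.get("eol")
            if eol is None:
                findings.append(("medium", name, "end-of-life date unknown; confirm vendor support"))
            elif eol <= as_of:
                findings.append(("high", name, f"past vendor end-of-life ({eol.isoformat()})"))

            # Rule 2: no account on an edge appliance should be able to reach the domain.
            for acct in asset.get("accounts", []):
                if acct.get("domain_member"):
                    privileged = bool(PRIVILEGED_GROUPS & set(acct.get("groups", [])))
                    sev = "critical" if privileged else "high"
                    findings.append((sev, name, f"domain account '{acct['user']}' on an edge device"))

        elif kind == "cloud":
            # Rule 3: public reachability needs a documented reason or it gets revoked.
            if asset.get("public") and not asset.get("public_justified"):
                findings.append(("high", name, "publicly reachable without documented justification"))

    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))


if __name__ == "__main__":
    for sev, name, reason in audit(INVENTORY):
        print(f"[{sev:8}] {name:14} {reason}")
```

Run against the sample inventory, the audit ranks the VPN appliance carrying a Domain Admins service account above the end-of-life router and the unjustified public storage, and lists the camera with no known support date as a lower-priority follow-up; the CDN endpoint with a documented reason for being public and the domain controller produce no findings. The ordering matters because the advisory's own narrative is that a single domain-capable account on an edge device is what turns a router bug into a domain controller compromise.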
Paul Laudanski, Director of Security Research at Onapsis, adds: “The advice from the Joint Cybersecurity Advisory in response to this crisis offers a solid framework for security practices like monitoring, patching, and network segmentation, with a focus on emerging threats like the misuse of living off the land binaries. However, it’s crucial to broaden our scope beyond the highlighted areas, as attackers often target overlooked vulnerabilities. Business-critical applications should also be regularly patched and monitored, as they are prime targets for nation-state actors. Additionally, while publicized threats are important, we must remain vigilant against potential decoy attacks that could mask more insidious breaches. Collaborative efforts in information sharing are ongoing, albeit sometimes discreet due to sensitivities. Addressing vulnerabilities beyond the publicly known threats is essential. This includes guarding against the compromise of critical infrastructure applications like SCADA systems, as attacks may serve as diversions amid geopolitical tensions. Therefore, it’s imperative to remain proactive in addressing both known and potential threats.”
Gabrielle Hempel, Customer Solutions Engineer at LogRhythm, notes that while this represents substantial up-front cost it will likely head off even greater costs in the future: “The costs resulting from these attacks on critical infrastructure will be multi-stage: there will be an up-front cost of remediation efforts, including the immediate response, system recovery and replacement, and any regulatory fines and legal costs that may be incurred. There will also be disruption to supply chains, i.e., anyone that is reliant on these systems will also have operational delays in a cascading effect. This may also lead to increased costs for consumers, as disruptions, contractual penalties, and lost revenue can drive up prices of goods and services. The collaborative warning highlights the alarming fact that the same cyber threats are having an impact across the globe. There are numerous opportunities for strengthening international collaboration, including the real-time sharing of information and intelligence, joint research initiatives, and development of unified standards and frameworks for cybersecurity. However, it is also important to stress the importance of developing public-private partnerships not only nationally, but on a global scale in order to truly address vulnerabilities and attacks on critical infrastructure across the board. Because these attacks simultaneously span the globe geographically and organizations from public to private, they need to be addressed across these planes as well.”