Microsoft Threat Intelligence: Chinese Hackers Are “Living Off The Land” Inside US Critical Infrastructure

A new report from the Microsoft Threat Intelligence team documents a long-term campaign by China’s “Volt Typhoon” group that has burrowed into a number of different aspects of United States critical infrastructure. The Chinese hackers are focusing on stealthy movement and fileless malware techniques to maintain their foothold, with the eventual goal being the creation of a system of widespread disruption that could be “switched on” during another global crisis or a conflict between the two nations.

State-backed Chinese hackers have burrowed into many aspects of critical infrastructure

Volt Typhoon is a state-backed advanced persistent threat (APT) group that has been active since at least mid-2021 and has been previously observed targeting critical infrastructure firms for espionage in the US and Guam.

The Chinese hackers specialize in “living off the land” techniques, meaning those that rely on more ephemeral scripts rather than on files that end up saved to a local drive, where they are subject to detection by cyber defense systems. At the moment, the goal is to linger as long as possible and quietly exfiltrate confidential information and credentials. But the Microsoft researchers believe there is an additional long-term goal: an embedded network of sabotage throughout the country that can be quickly activated if conditions favor it.

Volt Typhoon also has a clear favorite approach: compromise of internet-facing Fortinet FortiGuard devices via known vulnerabilities. The attackers will make use of any privileges that the compromised device possesses to extract credentials and attempt to authenticate to other devices on the network with them.

The group attempts to evade detection by rarely using malware and mostly sticking to using whatever authorized employee credentials it can capture, though the report says that the Chinese hackers will occasionally create proxies on compromised systems when they lack other means. This is the best chance of spotting them, as C2 activity from odd IP addresses will show up in system logs. The group additionally has a network of numerous compromised home and small office routers, all using known vulnerabilities in the products of major manufacturers, and funnels traffic through these to help it appear to be legitimate.

Microsoft says that the Chinese hackers now represent one of the largest organized campaigns targeting US critical infrastructure. For its part, China denies that it does any hacking of US computers (as it always does) and claims that the Microsoft report is part of a disinformation campaign. Cisco has stepped forward to report that it believes it has found evidence of the group targeting an unspecified critical infrastructure facility, when it was called in to investigate suspicious activity centered on building design documents.

Weifeng Zhong, Senior Research Fellow with Mercatus Center, notes that this report is in keeping with recent observations about China’s apparent intentions: “It’s telling that the Chinese hackers intended to ‘maintain access without being detected for as long as possible.’ The CCP plays the long game even in cyber warfare. Our research last year revealed a consistent effort of Beijing’s for over a decade in tracking strategically important places in Taiwan, including critical infrastructure on the island. The fact that bad actors in China didn’t immediately act on the sensitive information it harvested is even more concerning because that means Beijing is intentional and persistent, as with its plan to eventually take over Taiwan. Policymakers in Washington have long been sluggish to harden our cyberspace and punish bad actors in China. That needs to change now.”

US critical infrastructure under pressure as Biden administration pushes cybersecurity improvements

Microsoft says that the Chinese hackers have been particularly active in the US and its territories since early this year, about the time that controversy was swirling over suspected spy balloons from China floating over the country. A February attack on Guam and a number of US mainland locations was thought to be a potential test run for actions against critical infrastructure in Taiwan and allied nations should military conflict arise.

The US has changed its policy since the spy balloon incident, rapidly disseminating information about the activities of Chinese hackers to the public rather than sitting on it and sharing it only with select defense partners in private. The Biden administration has also made the improvement of national critical infrastructure defenses a priority via a series of executive orders and federal agency policy changes, something that kicked off in 2021 after the Colonial Pipeline and JBS attacks.

The 24-page Microsoft report serves as an excellent illustration of how difficult it is to detect an advanced attacker that has mastered the art of blending in with the sort of legitimate traffic that does not trip alarms.

Craig Jones, Vice President of Security Operations at Ontinue, notes that China has now likely taken the mantle from Russia as the most serious and advanced cyber threat that Western countries face: “China’s cyber threat landscape presents a distinct challenge due to the country’s state-sponsored cyber operations and their focus on various objectives, including cyber espionage, financial gain, and potential destructive capabilities. Notably, China-backed APT groups demonstrate advanced capabilities, leveraging custom malware and tools to evade detection. Their involvement in intellectual property theft and the exploitation of supply chain vulnerabilities further underscores their strategic approach. Moreover, China’s proficiency in utilizing zero-day exploits adds another layer of complexity to their cyber activities. As the cybersecurity landscape continues to evolve, addressing China’s utilization of zero-day attacks remains a crucial aspect of bolstering defenses and safeguarding against emerging threats.”

Eric Noonan, CEO at CyberSheath, concurs and believes that China’s full cyber capability will not be understood until it is deployed in a military conflict situation: “The concern here is that China will be more effective than Russia was in Ukraine in utilizing forward deployed cyber weapons that they can activate at a time and place of their choosing. The real risk here is the ability for China to embed into critical infrastructure systems across the globe simultaneously, and activate their malicious cyber capability when it suits their national interest. The silver lining here is the obvious globally coordinated threat information sharing capability across many democratic countries with an interest in defending themselves against China cyber aggression.”

However, Roy Akerman (Co-Founder & CEO at Rezonate) notes that while the Chinese hackers are sophisticated and skillful, the techniques outlined in the report are not innovative: “While described as novel, the TTPs mentioned in the report have been used for years. Webshells, Living-off-the-Land, command line, proxies for exfiltration. IOCs extracted are valuable but unfortunately have a short shelf life as attackers evolve their infrastructure. The report coming from CISA and NSA provides a fantastic insight on the techniques; however, you can also clearly identify where traditional EDR solutions will fall short against LOLBin use and how a layered defense approach is critical to augment and further provide critical context.”

Fortunately, the Microsoft researchers also provide quite a bit of advice for defending against and mitigating the impact of the Chinese hackers. Of course, the implementation of multi-factor authentication (MFA) leads the list, but this stock advice is particularly pertinent here given the reliance on stolen credentials to maintain a long-term under-the-radar presence. Similarly, pruning dead or “decaying” accounts and setting password expiration dates helps to limit the possibilities.

Some specific advice for reducing the attack surface also includes blocking process creations originating from PSExec and WMI commands and blocking credential stealing from the LSASS process wherever possible (when it does not cause compatibility issues), enabling Windows Defender Credential Guard (not enabled by default unless an organization is running Windows 11 Enterprise edition), and running endpoint detection and response (EDR) in block mode.
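
For administrators acting on that advice, the following is an added example (it comes from neither the Microsoft report nor this article) that applies the two attack surface reduction rules in audit mode first, which is how the compatibility caveat is normally checked, and reports whether Credential Guard is running. It assumes Microsoft Defender Antivirus is the active antivirus engine and an elevated PowerShell session; the `$Mode` variable and the `Get-AsrRuleState` helper are names chosen for this example.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumes Microsoft Defender Antivirus is the active AV engine.
$Mode = 'AuditMode'   # switch to 'Enabled' (block) once audit events look clean

# Rule GUIDs from Microsoft's attack surface reduction rules reference.
$rules = [ordered]@{
    'Block process creations from PSExec and WMI commands' = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'
    'Block credential stealing from lsass.exe'             = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
}
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    param([Parameter(Mandatory)][string]$Id)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $Id) {
            $code = [int]$actions[$i]
            if ($actionNames.ContainsKey($code)) { return $actionNames[$code] }
            return "Unknown ($code)"
        }
    }
    return 'Not configured'
}

foreach ($name in $rules.Keys) {
    $id     = $rules[$name]
    $before = Get-AsrRuleState -Id $id
    # Only raise weaker states; never downgrade a rule that already blocks or warns.
    $raise  = ($before -in @('Not configured', 'Disabled')) -or
              ($before -eq 'Audit' -and $Mode -eq 'Enabled')
    if ($raise) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
    }
    [pscustomobject]@{ Rule = $name; Before = $before; Now = (Get-AsrRuleState -Id $id) }
}

# Credential Guard: value 1 in SecurityServicesRunning means it is active.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
"Credential Guard running: $($dg.SecurityServicesRunning -contains 1)"

# Audit hits (event ID 1122) show what block mode would have stopped.
$filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1122 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Once the audit events show no legitimate administration tooling being caught, setting `$Mode` to `'Enabled'` and rerunning moves both rules to block; in managed fleets the same rule IDs are normally pushed through Group Policy or Intune rather than per host.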