The F.B.I. was alerted to possible espionage efforts by the Chinese when unsourced computer code began showing up in telecommunications systems in Guam, a United States territory since 1950, according to the New York Times. An unnamed blogger at Microsoft Security issued an alert on Wednesday saying a state-sponsored company called Volt Typhoon was responsible for the breach, which required creating a “web shell” that enables remote access to a server.
Inside Towers issued the following Bulletin on the report by Microsoft yesterday:
In a Microsoft Security blog post, the company said the attack is being carried out by Volt Typhoon, a government-backed actor based in China that typically focuses on espionage and information gathering and is “pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.”
Microsoft said Volt Typhoon has targeted critical infrastructure organizations in Guam and elsewhere in the United States since 2021.
“To achieve their objective, the threat actor puts strong emphasis on stealth in this campaign, relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity,” the blog post stated. “They issue commands via the command line to (1) collect data, including credentials from local and network systems, (2) put the data into an archive file to stage it for exfiltration, and then (3) use the stolen valid credentials to maintain persistence. In addition, Volt Typhoon tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware. They have also been observed using custom versions of open-source tools to establish a command and control (C2) channel over proxy to further stay under the radar.”
Barron’s reported a response from the Chinese government that denied the allegations, saying the Microsoft report was both “extremely unprofessional” and a “scissors-and-paste work.”
“It is clear that this is a collective disinformation campaign of the Five Eyes coalition countries, initiated by the U.S. for its geopolitical purposes,” foreign ministry spokeswoman Mao Ning said, according to Barron’s.
Microsoft provided details on how Microsoft 365 Defender detects malicious and suspicious activity to protect organizations from such stealthy attacks. The National Security Agency has also published a Cybersecurity Advisory, entitled “People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection,” which serves as a guide to the tactics, techniques, and procedures discussed in the Microsoft blog post.