The tech giant uncovered stealthy and targeted malicious activity focused on post-compromise credential access and network system discovery aimed at critical infrastructure organisations in the US.

China-sponsored hackers targeting critical US infrastructure: Microsoft

Adriana MaraisMay 26, 23 China, hacking, Microsoft, Privacy, Security

Microsoft has revealed that a state-sponsored Chinese hacker group called Volt Typhoon, which typically focuses on espionage and data collection, has targeted US critical infrastructure.

The tech giant revealed a stealthy and targeted malicious activity focused on post-breach access and network discovery targeting critical infrastructure organizations in the United States.

“The strike was carried out by Volt Typhoon, a state-sponsored actor in China. This campaign aims to develop capabilities that can disrupt critical communications infrastructure between the US and Asia during future crises,” the company said in a blog post late Wednesday.

Volt Typhoon has been active since mid-2021 and has targeted critical infrastructure organizations in Guam and elsewhere in the country.

The influential organizations span the communications, manufacturing, electricity, transport, construction, maritime, government, information technology and education sectors.

“The observed behavior suggests that the threat actor intends to conduct espionage and maintain access undetected for as long as possible,” Microsoft said.

The company said it has directly notified targeted or compromised customers and provided them with important information needed to secure their environment.

Volt Typhoon achieves first access to target organizations with Internet-facing Fortinet FortiGuard appliances.

“A threat actor will attempt to exploit all the privileges provided by the Fortinet device, extract credentials for an Active Directory account used by the device, and then attempt to authenticate to other devices on the network using those credentials,” the team explained.

Once Volt Typhoon enters the target environment, they start performing practical keyboard operations via the command line.

Some of these commands appear to be exploratory or experimental, as operators adjust and repeat them multiple times, Microsoft said.

Volt Typhoon rarely uses malware in post-compromise operations.

“Instead, they rely on offshore commands to discover information about the system, discover additional devices on the network, and filter information. We describe their actions in the following sections, including the most influential actions related to access to credentials,” Microsoft explained.

Read all the Latest Tech News here.