The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), the FBI, and international cybersecurity agencies issued a joint cybersecurity advisory to highlight a recently discovered cluster of cyber activity linked to a People’s Republic of China (PRC) state-sponsored cyber actor dubbed Volt Typhoon.
The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the Communications Security Establishment’s Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), and the United Kingdom National Cyber Security Centre (NCSC-UK) collaborated with CISA, NSA, and the FBI to publish the joint cybersecurity advisory.
The advisory details Volt Typhoon’s signature techniques and attack patterns, including living off the land, in which the group uses built-in network administration tools to accomplish its objectives.
Among its defining traits, Volt Typhoon infiltrates private networks by blending in with normal Windows system activity. This lets it evade detection and response products that would alert on the introduction of third-party applications, and it limits how much of the activity is captured under default logging configurations.
Some of the built-in tools this actor uses are wmic, ntdsutil, netsh, and PowerShell, the agencies said.
Along with the advisory, the agencies released a larger document providing specific examples of commands and code Volt Typhoon used in infected networks. It also contains best practices for investigating potentially malicious findings in private networks.
“Defenders must evaluate matches to determine their significance, applying their knowledge of the system and baseline behavior,” the document states.
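The advisory's point about living off the land is that a match on a built-in tool is only a lead, not a verdict. The following added example (not from the advisory or its companion document) shows one way to turn that into triage logic: it scans constructed process-creation records for the tools the advisory names, suppresses matches that fit a constructed baseline of known administrative hosts and accounts, and separately flags one named tool spawning another, which is a heuristic of this example rather than something the advisory states.

```python
"""Added example: flag the built-in tools named in the advisory, then triage the
matches against a baseline of expected administrative activity."""
import csv
from io import StringIO

# Tools the advisory names as part of Volt Typhoon's living-off-the-land tradecraft.
LOTL_TOOLS = {"wmic.exe", "ntdsutil.exe", "netsh.exe", "powershell.exe"}

# Constructed baseline: (host, user) pairs whose use of these tools is routine here.
BASELINE = {("DC01", "CORP\\svc_backup"), ("ADMIN-WS", "CORP\\itadmin")}

# Constructed process-creation records; the fields mimic a 4688-style CSV export.
SAMPLE_LOG = """timestamp,host,user,image,parent
2023-05-24T10:01:00Z,DC01,CORP\\svc_backup,ntdsutil.exe,services.exe
2023-05-24T10:02:10Z,FILESRV01,CORP\\jdoe,ntdsutil.exe,cmd.exe
2023-05-24T10:03:30Z,ADMIN-WS,CORP\\itadmin,netsh.exe,cmd.exe
2023-05-24T10:04:45Z,HR-WS07,CORP\\asmith,wmic.exe,cmd.exe
2023-05-24T10:05:00Z,HR-WS07,CORP\\asmith,notepad.exe,explorer.exe
2023-05-24T10:06:20Z,FILESRV01,CORP\\jdoe,powershell.exe,wmic.exe
"""


def parse_log(text):
    """Parse the CSV export into a list of dict records."""
    return list(csv.DictReader(StringIO(text)))


def find_lotl_matches(records):
    """Raw matches: every record whose image is one of the named tools."""
    return [r for r in records if r["image"].lower() in LOTL_TOOLS]


def triage(matches):
    """Split matches into those explained by the baseline and those needing review."""
    expected, review = [], []
    for r in matches:
        bucket = expected if (r["host"], r["user"]) in BASELINE else review
        bucket.append(r)
    return expected, review


def chained_tool_use(records):
    """Heuristic of this example: a named tool launched by another named tool."""
    return [r for r in records
            if r["image"].lower() in LOTL_TOOLS and r["parent"].lower() in LOTL_TOOLS]


if __name__ == "__main__":
    expected, review = triage(find_lotl_matches(parse_log(SAMPLE_LOG)))
    for r in review:
        print("review:", r["timestamp"], r["host"], r["user"], r["image"])
```

The baseline only reduces noise; the records it suppresses should still be retained and periodically reviewed, since a compromised administrative account would fit it by design.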
The advisory builds on Microsoft and other private sector partners’ initial warnings about Volt Typhoon. It highlights the ongoing and growing threat state-sponsored cyber actors pose to U.S. critical infrastructure operations.
According to Microsoft, Volt Typhoon has been active since mid-2021 and has targeted critical infrastructure organizations in Guam and elsewhere in the United States. The organizations affected by Volt Typhoon span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.