The United States government recently shut down a major China-backed hacking group dubbed “Volt Typhoon” that attacked hundreds of routers and had been working to compromise U.S. cyber infrastructure.
- Volt Typhoon is a state-sponsored hacking group based in China that has been active since at least 2021.
- The group typically focuses on espionage and information gathering.
- It has targeted critical infrastructure organisations in the US, including Guam.
- To achieve their objective, the threat actor puts a strong emphasis on stealth, relying almost exclusively on living-off-the-land techniquesand hands-on-keyboard activity.
- The recurring attack pattern of the Volt Typhoon begins with initial access via exploitation of public-facing devices or services.
- Volt Typhoon employs the comparatively uncommon practice of leveraging preinstalled utilities for most of their victim interactions.
- Compromised small office/home office (SOHO) devices are used by the attackers to proxy communications to and from the affected networks.
- They issue commands via the command line to (1) collect data, including credentials from local and network systems: (2) put the data into an archive file to stage it for exfiltration: and then (3) use the stolen valid credentials to maintain persistence.
- Volt Typhoon was a particularly quiet operator that hid its traffic by routing it through hacked network equipment, like home routers, and carefully expunging evidence of intrusions from the victim’s logs.