It has been found that the PRC state-sponsored threat actor, Volt Typhoon, is jeopardizing vital infrastructure in the United States for potential future crises in the event of a confrontation with the United States. Critical infrastructure enterprises should take note of the security recommendation issued by the CISA regarding their observations of the Volt Typhoon.
Furthermore, the security advisory verifies that Volt Typhoon has also breached numerous IT environments that are part of numerous critical infrastructure organizations in the continental & non-continental United States as well as its territories & industries like communications, energy, etc.
Chinese Hackers Remain Undetected
The Volt Typhoon targets vital facilities while employing off-the-grid living methods. To keep ongoing access, the attack group also makes use of operational security and legitimate accounts. The threat actor had access to some victim IT settings for at least five years, according to the U.S. government agencies, who asserted this with confidence. It appeared that the threat actor had done a great deal of exploitation reconnaissance to learn about the settings and the targeted company.
Once the threat actor has a good awareness of the environment, he or she can modify tactics, processes, and resource allocation to fit the victim's surroundings and sustain persistence over an extended length of time. The following activities are carried out by Volt Typhoon as part of its activity, according to observations made by the US writing agencies.
- Thorough reconnaissance to find important network and IT personnel, normal user habits, security protocols, and network topologies.
- First gain access to the IT network by taking advantage of known or undiscovered flaws in network equipment with an external facing profile (such as firewalls & VPNs), and then establish a VPN connection to the victim's network.
- Acquire administrator credentials from a publicly accessible network appliance that is insecurely stored on the network.
- Extract the Active Directory database to achieve full domain breach.
- Using higher credentials for further investigation and strategic network infiltration, frequently to obtain the ability to access OT assets.
CISA offers comprehensive details regarding the methods, TTPS, mitigations, signs of compromise, and other information about the activities of threat actors.