Chinese Hackers Hide in US infrastructure systems for ‘at least five years’

Volt Typhoon, the PRC state-sponsored threat actor, has been discovered to be compromising U.S. critical infrastructure for future crises in case of a conflict with the United States. The CISA has released a security advisory for warning critical infrastructure organizations about their observations of the Volt Typhoon.

Moreover, the security advisory also confirms that Volt Typhoon has also compromised multiple IT environments belonging to several critical infrastructure organizations in industries such as Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors—in the continental and non-continental United States and its territories, including Guam. 

Protect Your Network From Data Breach

Perimeter’s 81 Malware Protection for Network Based Threats

Prevent malware from infecting your network at the delivery stage by intercepting malicious files in transit from their source to the target device’s web browser. .

Chinese Hackers Remain Undetected

The Volt Typhoon uses living off-the-land techniques while targeting critical infrastructures. The threat group also uses valid accounts and operational security to maintain persistent access.

The U.S. authoring agencies confidently stated that the threat actor had access to some victim IT environments for at least 5 years. The threat actor seemed to have performed extensive exploitation reconnaissance to understand the targeted organization and its environments.

Volt Typhoon activity (Source: CISA)
Volt Typhoon activity (Source: CISA)

Once after understanding the environment, the threat actor tailors the tactics, techniques, and procedures and allocates their resources according to the victim’s environment to maintain persistence for a long period.

Based on the observations by the U.S. authoring agencies, Volt Typhoon performs the following actions as part of its activity.

  • Extensive reconnaissance for identifying network topologies, security measures, typical user behaviors, and key network and IT staff. 
  • Gains initial access to the IT network by exploiting known or zero-day vulnerabilities in public-facing network appliances (e.g., routers, virtual private networks [VPNs], and firewalls) and then connect to the victim’s network via VPN.
  • obtain administrator credentials within the network insecurely stored on a public-facing network appliance.
  • achieves full domain compromise by extracting the Active Directory database 
  • using elevated credentials for strategic network infiltration and additional discovery, often focusing on gaining capabilities to access OT assets. 

CISA provides detailed information about the threat actors’ activities, methodologies, TTPS, mitigations, indicators of compromise, and other information.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Eswar is a Cyber security reporter with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is reporting data breach, Privacy and APT Threats.