Cyber Security News

Chinese Hackers Remain Undetected in US Infrastructure Systems for Five Years

Volt Typhoon, a PRC state-sponsored threat actor, has been found pre-positioning itself on U.S. critical infrastructure networks so that it can disrupt or destroy them in the event of a crisis or conflict with the United States. CISA and the other U.S. authoring agencies have released a security advisory warning critical infrastructure organizations about their observations of Volt Typhoon.

The advisory also confirms that Volt Typhoon has compromised the IT environments of multiple critical infrastructure organizations, primarily in the Communications, Energy, Transportation Systems, and Water and Wastewater Systems sectors, in the continental and non-continental United States and its territories, including Guam.


Chinese Hackers Remain Undetected

Volt Typhoon relies on living-off-the-land techniques, using the administration tools already present on the target systems rather than custom malware, which leaves few artifacts for endpoint security products to flag. The group also uses valid accounts and strong operational security to maintain persistent, undetected access.

The U.S. authoring agencies have confirmed that the threat actor maintained access to some victims' IT environments for at least five years. Before exploitation, the actor appears to perform extensive reconnaissance to learn the target organization and its environment.

Volt Typhoon activity (Source: CISA)

Having mapped the environment, the actor tailors its tactics, techniques, and procedures (TTPs) and allocates resources to fit the victim's environment so that it can maintain persistence over a long period.

Based on the observations of the U.S. authoring agencies, Volt Typhoon's activity typically follows this pattern:

  • Conducts extensive reconnaissance to identify network topologies, security measures, typical user behaviors, and key network and IT staff.
  • Gains initial access to the IT network by exploiting known or zero-day vulnerabilities in public-facing network appliances (routers, virtual private network [VPN] gateways, and firewalls), then connects into the victim's network through the VPN.
  • Obtains administrator credentials that were insecurely stored on a public-facing network appliance.
  • Achieves full domain compromise by extracting the Active Directory database (NTDS.dit) from a domain controller.
  • Uses the elevated credentials for lateral movement and further discovery, often working toward access to operational technology (OT) assets.

CISA's advisory provides detailed information about the actor's activities, methodology, TTPs, mitigations, indicators of compromise, and other details.


Eswar

Eswar is a cyber security reporter with a passion for creating captivating and informative content. With years of experience in cyber security, he reports on data breaches, privacy, and APT threats.
