Microsoft says it has caught Chinese state-backed hackers siphoning data from critical infrastructure organizations in Guam, a U.S. territory in the Pacific Ocean.
The discovery of Chinese-made cyberespionage malware in Guam is raising eyebrows because the tiny island is considered an important part of a future China/Taiwan military conflict.
“Microsoft assesses with moderate confidence that this [Chinese cyberespionage] campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises,” the software giant said in a note documenting the APT discovery.
The U.S. government’s cybersecurity response agency CISA has issued an urgent bulletin calling attention to the threat actor and providing mitigation guidance, IOCs and other telemetry to help defenders hunt for signs of compromise.
Microsoft has nicknamed the campaign Volt Typhoon and described it as “stealthy and targeted malicious activity focused on post-compromise credential access and network system discovery.”
Redmond said the group has been active since mid-2021 and has targeted critical infrastructure organizations in Guam and elsewhere in the United States.
The Chinese government hackers have hit a wide variety of organizations spanning the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.
“The threat actor intends to perform espionage and maintain access without being detected for as long as possible,” Microsoft said.
The hacking group breaks into target companies through internet-facing Fortinet FortiGuard devices and latches onto compromised small office/home office (SOHO) routers to obfuscate the source of their activity.
“Microsoft has confirmed that many of the devices, which include those manufactured by ASUS, Cisco, D-Link, NETGEAR, and Zyxel, allow the owner to expose HTTP or SSH management interfaces to the internet. Owners of network edge devices should ensure that management interfaces are not exposed to the public internet in order to reduce their attack surface,” the company said.
“By proxying through these devices, Volt Typhoon enhances the stealth of their operations and lowers overhead costs for acquiring infrastructure.”
According to the report, the group primarily relies on so-called “living-off-the-land” commands to find information on the system, discover additional devices on the network, and exfiltrate data.
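Because the actors lean on built-in system tools rather than custom malware, a useful detection is behavioural: watch for one host running an unusual burst of discovery commands in a short window. The following is an added example written for this article, not code from Microsoft or CISA. It parses a constructed process-creation log format (the `host=... user=... cmd="..."` layout and the sample lines are made up for illustration) and flags hosts that run several distinct discovery tools within a sliding time window. The tool list and thresholds are assumptions to be tuned for a real environment.

```python
"""Flag hosts running a burst of living-off-the-land discovery commands.

Added example for this article. Log format, sample lines, tool list and
thresholds are all constructed/assumed, not taken from the Microsoft report.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in Windows tools frequently seen in host/network discovery.
# Illustrative set only; tune for your environment and baseline noise.
DISCOVERY_TOOLS = {
    "netstat", "ipconfig", "arp", "nltest", "whoami", "net",
    "tasklist", "systeminfo", "route", "ping",
}

# Constructed log layout: ISO timestamp, host, user, quoted command line.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd="(?P<cmd>[^"]*)"$'
)

# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = """\
2023-05-24T09:00:01Z host=WS02 user=alice cmd="netstat -ano"
2023-05-24T10:00:01Z host=WS01 user=svc-backup cmd="C:\\Windows\\System32\\netstat.exe -ano"
2023-05-24T10:00:12Z host=WS01 user=svc-backup cmd="ipconfig /all"
2023-05-24T10:00:40Z host=WS01 user=svc-backup cmd="arp -a"
2023-05-24T10:01:05Z host=WS01 user=svc-backup cmd="nltest /domain_trusts"
2023-05-24T10:01:30Z host=WS01 user=svc-backup cmd="notepad.exe report.txt"
2023-05-24T12:00:01Z host=WS02 user=alice cmd="ipconfig /all"
""".splitlines()


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "host": m["host"], "user": m["user"], "cmd": m["cmd"]}


def tool_name(cmd):
    """Return the bare executable name: strip directory and a trailing .exe."""
    parts = cmd.split()
    if not parts:
        return ""
    first = parts[0].rsplit("\\", 1)[-1].lower()
    return first[:-4] if first.endswith(".exe") else first


def is_discovery(cmd):
    return tool_name(cmd) in DISCOVERY_TOOLS


def find_discovery_bursts(lines, threshold=4, window=timedelta(minutes=10)):
    """Return [(host, max_events_in_window, sorted distinct tools)] for hosts
    whose discovery-command count within any `window` reaches `threshold`."""
    per_host = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and is_discovery(ev["cmd"]):
            per_host[ev["host"]].append(ev)

    alerts = []
    for host, evs in per_host.items():
        evs.sort(key=lambda e: e["ts"])
        start, best = 0, 0
        # Sliding window over the time-ordered events of this host.
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            tools = sorted({tool_name(e["cmd"]) for e in evs})
            alerts.append((host, best, tools))
    return sorted(alerts)


if __name__ == "__main__":
    for host, count, tools in find_discovery_bursts(SAMPLE_LOG):
        print(f"{host}: {count} discovery commands in window; tools={tools}")
```

In the constructed sample, WS01 runs four different discovery tools inside two minutes and is flagged, while WS02 runs two of the same tools three hours apart and is not. The point of windowing by host rather than alerting on each command is that every tool in the list is also used legitimately by administrators; it is the clustering, and who is running it (here a backup service account), that makes the activity worth investigating.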