Microsoft has uncovered stealthy, targeted malicious activity focused on post-compromise credential access and network system discovery at critical infrastructure organizations in the United States. The activity is attributed to Volt Typhoon, a state-sponsored actor based in China that typically focuses on espionage and information gathering. The concern is that the group is building capabilities that could disrupt critical communications infrastructure between the United States and Asia during future crises.
Volt Typhoon has been active since mid-2021 and has targeted critical infrastructure organizations in Guam and elsewhere in the United States, across the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. Its observed behavior suggests the actor intends to perform espionage and maintain access without being detected for as long as possible. Microsoft is publicizing the activity now because of the potential risk to its customers and the wider community.
To achieve its objectives, Volt Typhoon puts a strong emphasis on stealth and relies almost exclusively on living-off-the-land techniques and hands-on-keyboard activity: rather than deploying custom tooling, it issues commands through the operating system's own administrative tools. It uses those tools to collect data, including credentials from local and network systems, which it then reuses to move further into the network. Because the tooling is the same that administrators use every day, the activity blends in with normal operations and is hard to notice.
The blog post profiles Volt Typhoon, its targeted campaign, and its methods of gaining and keeping unauthorized access. Because the activity relies on valid accounts and built-in tools, detecting and mitigating it is challenging, and compromised accounts must be closed or have their credentials changed. Microsoft provides mitigation and protection guidance and describes how Microsoft 365 Defender detects the suspicious activity.
Volt Typhoon gains initial access through internet-facing devices and uses that foothold to reach additional systems inside the network. To blend in, it proxies its traffic to targets through compromised small office and home office (SOHO) network equipment, such as routers, so that its connections originate from what looks like ordinary home or small-business equipment.
Once inside, Volt Typhoon performs hands-on-keyboard discovery to learn about the environment. It rarely deploys malware, relying instead on built-in command-line tools to enumerate hosts and network configuration, collect data, and dump credentials. It then authenticates with those valid credentials to reach further systems, which makes its activity hard to distinguish from that of legitimate administrators.
Microsoft provides guidance on mitigating and protecting against this activity, including enforcing strong multi-factor authentication (MFA) policies, reducing the attack surface with attack surface reduction rules, and hardening the LSASS process, which holds credentials in memory and is the usual target of credential dumping. It also recommends keeping Microsoft Defender Antivirus up to date with cloud-delivered protection enabled and running endpoint detection and response (EDR) in block mode, so that Microsoft Defender for Endpoint can remediate malicious artifacts even when Defender Antivirus is not the primary antivirus product.
Microsoft also publishes detection alert names and hunting queries to help identify possible Volt Typhoon activity; organizations should run them against their own telemetry and act on any hits. As part of its standard process, Microsoft notifies customers that have been targeted or compromised directly, giving them the information they need to secure their environments.
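Because the actor lives off the land and authenticates with valid credentials, signature-based detection has little to catch; hunting has to look at process command lines and at how an account behaves across hosts. The following Python script is an added illustration of that kind of hunt, not code from Microsoft's post or from the joint advisory. It runs a handful of rules over a few constructed process-creation events (hypothetical hosts, accounts and command lines, modelled on the living-off-the-land command patterns described in the CSA linked under Resources) and then rolls the hits up per account, since the page's point is that activity under legitimate credentials is usually only visible in aggregate. The rule names, severities, the two-host threshold and the event field names are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample events (hypothetical; shaped like the fields of a Windows
# Security 4688 / Sysmon event 1 record, not real telemetry).
SAMPLE_EVENTS = [
    {"host": "dc01", "user": "CORP\\svc_backup", "parent": "wmiprvse.exe",
     "cmdline": 'cmd.exe /Q /c ntdsutil.exe "ac i ntds" ifm "create full C:\\Windows\\Temp\\pro" '
                '1> \\\\127.0.0.1\\ADMIN$\\__1684849925.3 2>&1'},
    {"host": "fs02", "user": "CORP\\jsmith", "parent": "services.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=9999 "
                "connectaddress=10.0.0.5 connectport=8443 protocol=tcp"},
    {"host": "ws17", "user": "CORP\\jsmith", "parent": "explorer.exe",
     "cmdline": "powershell start-process -filepath C:\\Windows\\Temp\\update.bat -windowstyle hidden"},
    {"host": "ws17", "user": "CORP\\jsmith", "parent": "explorer.exe",
     "cmdline": "ipconfig /all"},
    {"host": "srv09", "user": "NT AUTHORITY\\SYSTEM", "parent": "svchost.exe",
     "cmdline": "wmic path win32_logicaldisk get caption,filesystem,freespace,size,volumename"},
]

SEVERITY = {"low": 1, "medium": 2, "high": 3}

# Hunt rules: (name, severity, regex over the command line). The patterns are
# modelled on command lines listed in the joint CSA linked under Resources;
# the names and severities are this example's own choices. Tune to your telemetry.
RULES = [
    ("ntdsutil IFM dump of NTDS.dit (domain credential theft)", "high",
     re.compile(r"\bntdsutil(?:\.exe)?\b.*\bifm\b", re.I)),
    ("netsh portproxy listener (pivot / traffic relay)", "high",
     re.compile(r"\bnetsh\b.*\bportproxy\b.*\badd\b", re.I)),
    ("command output redirected to ADMIN$ share (wmiexec-style remote execution)", "high",
     re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__", re.I)),
    ("hidden-window PowerShell launching a script", "medium",
     re.compile(r"\bpowershell\b.*-windowstyle\s+hidden", re.I)),
    ("built-in host/network discovery command", "low",
     re.compile(r'(?:^|[\\\s"])(?:wmic|ipconfig|netstat|tasklist|systeminfo)(?:\.exe)?\b'
                r'|\bnet(?:\.exe)?\s+(?:user|group|localgroup)\b', re.I)),
]


def match_rules(cmdline):
    """Return the (rule name, severity) pairs whose pattern matches one command line."""
    return [(name, sev) for name, sev, rx in RULES if rx.search(cmdline)]


def hunt(events):
    """Run every rule over every event; one finding per (event, rule) hit."""
    findings = []
    for ev in events:
        for name, sev in match_rules(ev["cmdline"]):
            findings.append({"host": ev["host"], "user": ev["user"], "parent": ev["parent"],
                             "rule": name, "severity": sev, "cmdline": ev["cmdline"]})
    return findings


def summarize_by_account(findings):
    """Roll findings up per account: highest severity seen, hosts touched, rules hit.
    Valid-credential activity looks benign event by event; the account view is
    where a hands-on-keyboard operator stands out."""
    summary = defaultdict(lambda: {"max_severity": "low", "hosts": set(), "rules": set()})
    for f in findings:
        entry = summary[f["user"]]
        entry["hosts"].add(f["host"])
        entry["rules"].add(f["rule"])
        if SEVERITY[f["severity"]] > SEVERITY[entry["max_severity"]]:
            entry["max_severity"] = f["severity"]
    return dict(summary)


def accounts_to_review(summary, host_threshold=2):
    """Accounts with any high-severity hit, or with lower hits spread over
    host_threshold or more hosts (assumed threshold; lateral movement signal)."""
    return sorted(user for user, e in summary.items()
                  if e["max_severity"] == "high" or len(e["hosts"]) >= host_threshold)


if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f['severity']:<6}] {f['host']} {f['user']} <- {f['parent']}: {f['rule']}")
    by_account = summarize_by_account(results)
    print("review:", accounts_to_review(by_account))
```

On the sample data the backup service account is flagged for the NTDS.dit dump on the domain controller, and the ordinary user account is flagged both for the portproxy listener and for being active on two hosts; the lone wmic discovery by SYSTEM stays low and would only be worth a look alongside other hits. In production the same roll-up should be done per account over a time window against your real 4688/Sysmon stream, and the low-severity discovery rule will need allow-listing for known administrative automation.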
Resources:
Microsoft’s Bulletin:
DoD Advisory Bulletin: https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF