Microsoft has discovered a China-based hacking group targeting network systems and credential access in Guam and other US territories.
Called Volt Typhoon, the criminals specialize in espionage and associated information-gathering activities aimed at critical infrastructure organizations.
Documented exploits by the hackers show that they operate and maintain compromised access “without being detected for as long as possible.”
Among the victims of attacks are the government, maritime, communications, manufacturing, transportation, information, and education sectors.
Microsoft said it has “moderate confidence” that the group’s campaigns could disrupt vital communication capabilities between the US and Asian regions in a conflict.
Volt Typhoon Behaviors
Microsoft highlighted that the actors remain stealthy during their intrusions by “almost exclusively” relying on the victims’ existing tools and hands-on-keyboard techniques.
Volt Typhoon’s usual routine involves running commands on compromised systems to collect information, such as credentials from local and network systems.
The group then hides the stolen data in an archive for exfiltration and uses the same valid credentials for additional cyberattacks.
Furthermore, Volt Typhoon’s operations blend in with regular network activity by routing internet traffic through compromised small office and home office (SOHO) hardware, such as firewalls, routers, and virtual private network (VPN) equipment.
In other cases, the hackers utilize modified open-source programs to establish command and control channels and hide from discovery over longer periods.
Joint Advisory Released
Simultaneously with Microsoft’s Volt Typhoon report, multinational cyber defense agencies published a joint advisory on the China-backed actors to help protect their respective countries’ digital infrastructure.
The advisory characterizes the malicious group and documents recorded instances of its activity, including the traces it leaves behind. Options for countering the actors are also presented in the paper.