Microsoft claims to have uncovered stealthy and targeted cyber-attacks aimed at critical utility infrastructure in the US, which use Living-off-the-Land (LotL) techniques to avoid detection.
According to the software giant, the malicious activity focused on “post-compromise credential access and network system discovery” aimed at the utility, communications, manufacturing, transportation, construction, maritime, government, information technology and education sectors.
Microsoft disclosed the attack, which it describes as part of a campaign to develop capabilities that could disrupt critical communications between the US and the Asia region, in a blog article published last week, naming the responsible actor Volt Typhoon, which it states has been active since 2021.
To achieve its objective, Microsoft stated, the threat actor puts a strong emphasis on stealth, relying almost exclusively on LotL techniques together with hands-on-keyboard activity, in which a human operator types commands interactively rather than running them through automated programmes.
A Joint Cybersecurity Advisory issued by the US Cybersecurity and Infrastructure Security Agency (CISA) on the same day as Microsoft’s blog states that LotL techniques are the primary method used by People’s Republic of China (PRC) agents because they make detection easy to avoid:
“By using legitimate network administration tools, the actor blends in with normal system and network activities, avoids identification by many endpoint detection and response products and limits the amount of activity that is captured in common logging configurations.”
Observed behaviour, according to Microsoft, suggests that the threat actor intends to perform espionage and maintain access without being detected for as long as possible.
Microsoft adds that, using these two methods, the attackers issue commands via the command line to:
- Collect data, including credentials from local and network systems
- Put the data into an archive file to stage it for exfiltration
- Use the stolen valid credentials to maintain persistence
In addition, alleges Microsoft, Volt Typhoon tries to blend into normal network activity by routing traffic through compromised Small Office and Home Office (SOHO) network equipment, including routers, firewalls and VPN hardware.
Details of the specific utility infrastructure that was targeted, and of the potential repercussions, have not been released, although Guam, where the US military has a significant presence, was named as having been targeted since mid-2021.
In a press-issued statement, CISA director Jen Easterly commented, “For years, China has conducted aggressive cyber operations to steal intellectual property and sensitive data from organisations around the globe. Today’s advisory highlights China’s continued use of sophisticated means to target our nation’s critical infrastructure… We must work together to ensure the security and resilience of our critical infrastructure.”
According to CrowdStrike’s 2022 Global Threat Report, 62% of attackers are using LotL tools or techniques in their attacks.
Microsoft also stated last week that it has directly notified targeted or compromised customers, providing them with the information they need to secure their environments.