6 June 2023

Microsoft, CISA, NSA, FBI, and the Five Eyes on the PRC’s Advanced Persistent Threat: Volt Typhoon

DANIEL PEREIRA

In his post earlier this week, OODA Loop Contributor Emilio Iasiello provided the initial coverage of a “cluster of activity” linked to China, targeting networks across U.S. critical infrastructures and Guam: Chinese Cyber Activities Against Critical Infrastructure Raises the Stakes in U.S.-China Relations. As is always the case with Emilio’s weekly contribution here at OODA Loop, it is worth a read. The advisory referenced by Emilio – entitled People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection – dovetails with our analysis in April of the State Department turning its strategic focus towards cyber-threat vectors in Guam, Albania, and Costa Rica.

This People’s Republic of China (PRC) state-sponsored cyber actor, also known as Volt Typhoon or Bronze Silhouette, requires additional coverage – including the geopolitical “big picture” as reported by David Sanger at the NY Times and surfacing mitigation recommendations from the 24-page advisory provided by CISA, NSA, FBI, and the Five Eyes Agencies. Microsoft Threat Intelligence, always top-notch, also contributed to this hunt and discovery: “Microsoft and Secureworks researchers have also released details about the Volt Typhoon (aka Bronze Silhouette) campaigns they detected. They have shared indicators of compromise and mitigation and protection guidance.” (1)

Chinese Malware Hits Systems on Guam. Is Taiwan the Real Target?

The code, which Microsoft said was installed by a Chinese government hacking group, set off alarms because Guam would be a centerpiece of any U.S. military response to a move against Taiwan.

OODA Loop Sponsor

David Sanger’s The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age was included in OODA CEO Matt Devost’s Best Security, Business, and Technology Books of 2018. Sanger is a White House and national security correspondent, and a senior writer for the New York Times. In a 38-year reporting career for The New York Times, Sanger has been on three teams that have won Pulitzer Prizes and has written extensively about the role of cyberconflict in national security.

Volt Typhoon is Sanger’s beat. Following are some of the vital takeaways from his coverage on May 24th:

“Unlike Russian groups, Chinese intelligence and military hackers usually prioritize espionage.”Around the time that the F.B.I. was examining the equipment recovered from the Chinese spy balloon shot down off the South Carolina coast in February, American intelligence agencies and Microsoft detected what they feared was a more worrisome intruder: mysterious computer code appearing in telecommunications systems in Guam and elsewhere in the United States.

The code, which Microsoft said was installed by a Chinese government hacking group, raised alarms because Guam, with its Pacific ports and vast American air base, would be a centerpiece of any American military response to an invasion or blockade of Taiwan.

The operation was conducted with great stealth, sometimes flowing through home routers and other common internet-connected consumer devices, to make the intrusion harder to track.

The code is called a “web shell,” in this case a malicious script that enables remote access to a server. Home routers are particularly vulnerable, especially older models that have not had updated software and protections.

Microsoft on Wednesday published details of the code that would make it possible for corporate users, manufacturers, and others to detect and remove it.

In a coordinated release, the National Security Agency — along with other domestic agencies and counterparts in Australia, Britain, New Zealand and Canada — published a 24-page advisory that referred to Microsoft’s finding and offered broader warnings about a “recently discovered cluster of activity” from China.

Microsoft called the hacking group “Volt Typhoon” and said that it was part of a state-sponsored Chinese effort aimed at not only critical infrastructure such as communications, electric and gas utilities, but also maritime operations and transportation.

The intrusions appeared, for now, to be an espionage campaign. But the Chinese could use the code, which is designed to pierce firewalls, to enable destructive attacks, if they choose.

So far, Microsoft says, there is no evidence that the Chinese group has used the access for any offensive attacks. Unlike Russian groups, Chinese intelligence and military hackers usually prioritize espionage.

U.S. Official Responses to Chinese Cyber Espionage

In interviews, administration officials said they believed the code was part of a vast Chinese intelligence collection effort that spans cyberspace, outer space and, as Americans discovered with the balloon incident, the lower atmosphere:

The Chinese Spy Balloon The Biden administration has declined to discuss what the F.B.I. found as it examined the equipment recovered from the balloon. But the craft — better described as a huge aerial vehicle — apparently included specialized radars and communications interception devices that the F.B.I. has been examining since the balloon was shot down.

It is unclear whether the government’s silence about its finding from the balloon is motivated by a desire to keep the Chinese government from knowing what the United States has learned or to get past the diplomatic breach that followed the incursion.

Speaking at a news conference in Hiroshima, Japan, President Biden referred to how the balloon incident had paralyzed the already frosty exchanges between Washington and Beijing. “And then this silly balloon that was carrying two freight cars’ worth of spying equipment was flying over the United States,” he told reporters, “and it got shot down, and everything changed in terms of talking to one another.” He predicted that relations would “begin to thaw very shortly.”

Office of Personnel Management Breach China has never acknowledged hacking into American networks, even in the biggest example of all: the theft of security clearance files of roughly 22 million Americans — including six million sets of fingerprints — from the Office of Personnel Management during the Obama administration. That exfiltration of data took the better part of a year and resulted in an agreement between President Barack Obama and President Xi Jinping that resulted in a brief decline in malicious Chinese cyber activity.

[in early May]. China sent a warning to its companies to be alert to American hacking. And there has been plenty of that, too: In documents released by Edward Snowden, the former N.S.A. contractor, there was evidence of American efforts to hack into the systems of Huawei, the Chinese telecommunications giant, and military and leadership targets.

The Hunt for and Discovery of the Code – with a Focus on Guam Telecommunications networks are key targets for hackers, and the system in Guam is particularly important to China because military communications often piggyback on commercial networks.

Tom Burt, the executive who oversees Microsoft’s threat intelligence unit, said in an interview that the company’s analysts — many of them veterans of the National Security Agency and other intelligence agencies — had found the code “while investigating intrusion activity impacting a U.S. port.” As they traced back the intrusion, they found other networks that were hit, “including some in the telecommunications sector in Guam.”

The [recent joint advisory] is part of a relatively new U.S. government move to publish such data quickly in hopes of burning operations like the one mounted by the Chinese government. In years past, the United States

usually withheld such information — sometimes classifying it — and shared it with only a select few companies or organizations. But that almost always assured that the hackers could stay well ahead of the government.

In this case, it was the focus on Guam that particularly seized the attention of officials who are assessing China’s capabilities — and its willingness — to attack or choke off Taiwan. Mr. Xi has ordered the People’s Liberation Army to be capable of taking the island by 2027. But the C.I.A. director, William J. Burns, has noted to Congress that the order “does not mean he has decided to conduct an invasion.”

In the dozens of U.S. tabletop exercises conducted in recent years to map out what such an attack might look like, one of China’s first anticipated moves would be to cut off American communications and slow the United States’ ability to respond. So the exercises envision attacks on satellite and ground communications, especially around American installations where military assets would be mobilized.

None is bigger than Guam, where Andersen Air Force Base would be the launching point for many of the Air Force missions to help defend the island, and a Navy port is crucial for American submarines. (2)

People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection

Summary

The United States and international cybersecurity authorities are issuing this joint Cybersecurity Advisory (CSA) to highlight a recently discovered cluster of activity of interest associated with a People’s Republic of China (PRC) state-sponsored cyber actor, also known as Volt Typhoon. Private sector partners have identified that this activity affects networks across U.S. critical infrastructure sectors, and the authoring agencies believe the actor could apply the same techniques against these and other sectors worldwide.

This advisory from the United States National Security Agency (NSA), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Federal Bureau of Investigation (FBI), the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the Communications Security Establishment’s Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), and the United Kingdom National Cyber Security Centre (NCSC-UK) (hereafter referred to as the “authoring agencies”) provides an overview of hunting guidance and associated best practices to detect this activity.

One of the actor’s primary tactics, techniques, and procedures (TTPs) is living off the land, which uses built-in network administration tools to perform its objectives. This TTP allows the actor to evade detection by blending in with normal Windows system and network activities, avoid endpoint detection and response (EDR) products that would alert on the introduction of third-party applications to the host, and limit the amount of activity that is captured in default logging configurations. Some of the built-in tools this actor uses are: wmic, ntdsutil, netsh, and PowerShell. The advisory provides examples of the actor’s commands along with detection signatures to aid network defenders in hunting for this activity. Many of the behavioral indicators included can also be legitimate system administration commands that appear in benign activity. Care should be taken not to assume that findings are malicious without further investigation or other indications of compromise. (3)

Download the PDF version of this report (723 KB)

Volt Typhoon targets US critical infrastructure with living-off-the-land techniques


To achieve their objective, the threat actor puts strong emphasis on stealth in this campaign, relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity. They issue commands via the command line to (1) collect data, including credentials from local and network systems, (2) put the data into an archive file to stage it for exfiltration, and then (3) use the stolen valid credentials to maintain persistence. In addition, Volt Typhoon tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware. They have also been observed using custom versions of open-source tools to establish a command and control (C2) channel over proxy to further stay under the radar.

In this blog post, we share information on Volt Typhoon, their campaign targeting critical infrastructure providers, and their tactics for achieving and maintaining unauthorized access to target networks. Because this activity relies on valid accounts and living-off-the-land binaries (LOLBins), detecting and mitigating this attack could be challenging. Compromised accounts must be closed or changed. At the end of this blog post, we share more mitigation steps and best practices, as well as provide details on how Microsoft 365 Defender detects malicious and suspicious activity to protect organizations from such stealthy attacks. (4)

Mitigation and protection guidance

Mitigating risk from adversaries like Volt Typhoon that rely on valid accounts and living-off-the-land binaries (LOLBins) is particularly challenging. Detecting activity that uses normal sign-in channels and system binaries requires behavioral monitoring. Remediation requires closing or changing credentials for compromised accounts. Suspected compromised accounts or affected systems should be investigated:Identify LSASS dumping and domain controller installation media creation to identify affected accounts.

Examine the activity of compromised accounts for any malicious actions or exposed data.

Close or change credentials for all compromised accounts. Depending on the level of collection activity, many accounts may be affected.

Defending against this campaignMitigate the risk of compromised valid accounts by enforcing strong multi-factor authentication (MFA) policies using hardware security keys or Microsoft Authenticator. Passwordless sign-in, password expiration rules, and deactivating unused accounts can also help mitigate risk from this access method.

Reduce the attack surface. Microsoft customers can turn on the following attack surface reduction rules to block or audit some observed activity associated with this threat:Block credential stealing from the Windows local security authority subsystem (lsass.exe).Block process creations originating from PSExec and WMI commands. Some organizations may experience compatibility issues with this rule on certain server systems but should deploy it to other systems to prevent lateral movement originating from PsExec and WMI.Block execution of potentially obfuscated scripts.

Harden the LSASS process by enabling Protective Process Light (PPL) for LSASS on Windows 11 devices. New, enterprise-joined Windows 11 (22H2 update) installs have this feature enabled by default. In addition, enable Windows Defender Credential Guard, which is also turned on by default for organizations using the Enterprise edition of Windows 11.

Turn on cloud-delivered protection in Microsoft Defender Antivirus to cover rapidly evolving attacker tools, techniques, and behaviors such as those exhibited by Volt Typhoon.

Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat, or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-compromise.

Indicators of compromise (IOCs)

The below list provides IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protection to identify past related activity and prevent future attacks against their systems.

Volt Typhoon custom FRP executable (SHA-256):baeffeb5fdef2f42a752c65c2d2a52e84fb57efc906d981f89dd518c314e231c
b4f7c5e3f14fb57be8b5f020377b993618b6e3532a4e1eb1eae9976d4130cc74
4b0c4170601d6e922cf23b1caf096bba2fade3dfcf92f0ab895a5f0b9a310349
c0fc29a52ec3202f71f6378d9f7f9a8a3a10eb19acb8765152d758aded98c76d
d6ab36cb58c6c8c3527e788fc9239d8dcc97468b6999cf9ccd8a815c8b4a80af
9dd101caee49c692e5df193b236f8d52a07a2030eed9bd858ed3aaccb406401a
450437d49a7e5530c6fb04df2e56c3ab1553ada3712fab02bd1eeb1f1adbc267
93ce3b6d2a18829c0212542751b309dacbdc8c1d950611efe2319aa715f3a066
7939f67375e6b14dfa45ec70356e91823d12f28bbd84278992b99e0d2c12ace5
389a497f27e1dd7484325e8e02bbdf656d53d5cf2601514e9b8d8974befddf61
c4b185dbca490a7f93bc96eefb9a597684fdf532d5a04aa4d9b4d4b1552c283b
e453e6efc5a002709057d8648dbe9998a49b9a12291dee390bb61c98a58b6e95
6036390a2c81301a23c9452288e39cb34e577483d121711b6ba6230b29a3c9ff
cd69e8a25a07318b153e01bba74a1ae60f8fc28eb3d56078f448461400baa984
17506c2246551d401c43726bdaec800f8d41595d01311cf38a19140ad32da2f4
8fa3e8fdbaa6ab5a9c44720de4514f19182adc0c9c6001c19cf159b79c0ae9c2
d17317e1d5716b09cee904b8463a203dc6900d78ee2053276cc948e4f41c8295
472ccfb865c81704562ea95870f60c08ef00bcd2ca1d7f09352398c05be5d05d
3e9fc13fab3f8d8120bd01604ee50ff65a40121955a4150a6d2c007d34807642 (4)

Secureworks Counter Threat Unit (CTU) researchers also contributed to this hunt and discovery effort. See Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations.

What Next?

According to David Sanger at the NYT:

Anne Neuberger, the deputy national security adviser for cyber and emerging technology, said that covert efforts “like the activity exposed today are part of what’s driving our focus on the security of telecom networks and the urgency to use trusted vendors” whose equipment has met established cybersecurity standards.

Ms. Neuberger has been spearheading an effort across the federal government to enforce new cybersecurity standards for critical infrastructure. Officials were taken by surprise by the extent of the vulnerabilities in such infrastructure when a Russian ransomware attack on Colonial Pipeline in 2021 interrupted gasoline, diesel and airplane fuel flow on the East Coast. In the wake of the attack, the Biden administration used little-known powers of the Transportation Security Administration — which regulates pipelines — to force private-sector utilities to follow a series of cybersecurity mandates.

Now Ms. Neuberger is driving what she called a “relentless focus on improving the cybersecurity of our pipelines, rail systems, water systems, and other critical services,” including the mandates on cybersecurity practices for these sectors and closer collaboration with companies with “unique visibility” into threats to such infrastructure.

Those firms include Microsoft, Google, Amazon, and many telecommunications firms that can see activity on domestic networks. Intelligence agencies, including the N.S.A., are forbidden by law from operating inside the United States. But the N.S.A. is permitted to publish warnings, as it did on Wednesday, alongside the F.B.I. and the Department of Homeland Security’s Cyber Infrastructure and Security Administration. (2)

No comments: