Microsoft has disclosed that Volt Typhoon, a state-sponsored actor based in China, is targeting critical infrastructure organizations in the United States. Microsoft assesses that the campaign is pursuing capabilities that could disrupt critical communications infrastructure between the United States and Asia during a future crisis.
The campaign has been active since mid-2021 and targets organizations in Guam and elsewhere in the United States. Affected organizations span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.
Microsoft Defender Antivirus and Microsoft Defender for Endpoint can flag activity associated with Volt Typhoon. The following Microsoft Defender Antivirus behavior-based detections are related to the campaign (they cover the living-off-the-land tools the actor uses, so they can also fire on other attackers or on legitimate administration):
- Behavior:Win32/SuspNtdsUtilUsage.A
- Behavior:Win32/SuspPowershellExec.E
- Behavior:Win32/SuspRemoteCmdCommandParent.A
- Behavior:Win32/UNCFilePathOperation
- Behavior:Win32/VSSAmsiCaller.A
- Behavior:Win32/WinrsCommand.A
- Behavior:Win32/WmiSuspProcExec.J!se
- Behavior:Win32/WmicRemote.A
- Behavior:Win32/WmiprvseRemoteProc.B
In Microsoft Defender for Endpoint, confirmed activity surfaces as the following alert:
- Volt Typhoon threat actor detected
The following Defender for Endpoint alerts can also indicate Volt Typhoon activity, but they are triggered by unrelated threats as well and are not on their own evidence of this actor:
- A machine was configured to forward traffic to a non-local address
- Ntdsutil collecting Active Directory information
- Password hashes dumped from LSASS memory
- Suspicious use of wmic.exe to execute code
- Impacket toolkit
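To make the detection and alert names above concrete, here is an added example (not code from the original article or from Microsoft) that runs simple hunting rules, modelled on those names, over a handful of constructed process-creation events. The event shape, rule names, regular expressions and sample command lines are this example's own assumptions, not Microsoft's detection logic; the comsvcs MiniDump pattern is a common LSASS-dump method included to illustrate the LSASS alert and is not something the article attributes to Volt Typhoon.

```python
"""Hunting rules modelled on the Defender behaviour and alert names in the article.

Added example: event shape, rule names, patterns and sample events are assumptions
for illustration, not Microsoft's detection logic.
"""
from __future__ import annotations

import ipaddress
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (the fields Sysmon EID 1 / Security 4688 provide)."""
    host: str
    parent_image: str
    image: str
    command_line: str


# Command-line patterns; names echo the Defender detections they approximate.
COMMAND_LINE_RULES = [
    # ntdsutil "ac i ntds" ifm ... : exporting NTDS.dit (AD password hashes) via IFM
    ("SuspNtdsUtilUsage", re.compile(
        r"\bntdsutil(?:\.exe)?\b.*?\b(?:ac|activate)\s+(?:i|instance)\s+ntds\b.*?\bifm\b", re.I)),
    # wmic /node:<host> process call create ... : remote execution over WMI
    ("WmicRemote", re.compile(
        r"\bwmic(?:\.exe)?\b.*?/node:\S+.*?\bprocess\s+call\s+create\b", re.I)),
    # winrs -r:<host> ... : remote execution over WinRM
    ("WinrsCommand", re.compile(r"\bwinrs(?:\.exe)?\b.*?\s-r(?:emote)?:\S+", re.I)),
    # powershell -enc <base64> : encoded command that hides the script body from casual review
    ("SuspPowershellExec", re.compile(
        r"\bpowershell(?:\.exe)?\b.*?\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    # rundll32 comsvcs.dll, MiniDump <lsass pid> : a common LSASS dump method
    # (generic tradecraft added for the LSASS alert; not attributed to Volt Typhoon by the article)
    ("LsassMiniDump", re.compile(
        r"\brundll32(?:\.exe)?\b.*?\bcomsvcs(?:\.dll)?\s*,\s*(?:MiniDump|#24)\b", re.I)),
]

# netsh interface portproxy add ... connectaddress=<target> : host-level traffic forwarding
PORTPROXY = re.compile(
    r"\bnetsh(?:\.exe)?\b.*?\binterface\s+portproxy\s+add\b.*?\bconnectaddress=(\S+)", re.I)

# Host processes that spawn the remote side of WMI / PowerShell remoting / winrs execution.
REMOTE_EXEC_PARENTS = {"wmiprvse.exe", "wsmprovhost.exe", "winrshost.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def portproxy_target(command_line: str) -> str | None:
    """Return the connectaddress of a 'netsh interface portproxy add' command, else None."""
    m = PORTPROXY.search(command_line)
    return m.group(1) if m else None


def is_local_address(target: str) -> bool:
    """True for loopback targets; hostnames and unparsable values count as non-local."""
    if target.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(target).is_loopback
    except ValueError:
        return False


def evaluate(event: ProcessEvent) -> list[str]:
    """Return the names of every rule the event trips (empty list if none)."""
    hits = [name for name, pattern in COMMAND_LINE_RULES if pattern.search(event.command_line)]
    target = portproxy_target(event.command_line)
    if target is not None and not is_local_address(target):
        hits.append("PortProxyToNonLocalAddress")  # mirrors "forward traffic to a non-local address"
    if (ntpath.basename(event.parent_image).lower() in REMOTE_EXEC_PARENTS
            and ntpath.basename(event.image).lower() in SHELLS):
        hits.append("SuspRemoteCmdCommandParent")  # shell spawned by a remote-execution host process
    return hits


def hunt(events: list[ProcessEvent]) -> list[tuple[str, str, list[str]]]:
    """(host, image, hits) for every event that trips at least one rule."""
    return [(e.host, ntpath.basename(e.image), hits) for e in events if (hits := evaluate(e))]


# Constructed sample telemetry (not real logs). Events 5 and 6 are benign on purpose.
SYS32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [
    ProcessEvent("DC01", SYS32 + r"\cmd.exe", SYS32 + r"\ntdsutil.exe",
                 r'ntdsutil "ac i ntds" ifm "create full C:\Windows\Temp\pro" q q'),
    ProcessEvent("WS07", SYS32 + r"\wbem\WmiPrvSE.exe", SYS32 + r"\cmd.exe",
                 r"cmd.exe /c netstat -ano > C:\Windows\Temp\n.txt"),
    ProcessEvent("DC01", SYS32 + r"\cmd.exe", SYS32 + r"\wbem\WMIC.exe",
                 r'wmic /node:WS07 process call create "cmd.exe /c whoami"'),
    ProcessEvent("DC01", SYS32 + r"\cmd.exe", SYS32 + r"\winrs.exe",
                 r"winrs -r:WS07 cmd /c ipconfig /all"),
    ProcessEvent("WS07", r"C:\Windows\explorer.exe", SYS32 + r"\netsh.exe",
                 r"netsh interface portproxy add v4tov4 listenport=9999 listenaddress=0.0.0.0 "
                 r"connectport=8443 connectaddress=203.0.113.10"),
    ProcessEvent("WS07", r"C:\Windows\explorer.exe", SYS32 + r"\netsh.exe",  # loopback: not flagged
                 r"netsh interface portproxy add v4tov4 listenport=8080 connectport=80 connectaddress=127.0.0.1"),
    ProcessEvent("WS07", r"C:\Windows\explorer.exe", SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
    ProcessEvent("WS07", SYS32 + r"\cmd.exe", SYS32 + r"\rundll32.exe",
                 r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Windows\Temp\l.dmp full"),
    ProcessEvent("WS07", SYS32 + r"\cmd.exe", SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
                 # placeholder base64, not a real payload
                 r"powershell.exe -nop -w hidden -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQA="),
]

if __name__ == "__main__":
    for host, image, hits in hunt(SAMPLE_EVENTS):
        print(f"{host:5} {image:16} {', '.join(hits)}")
```

Each hit name only approximates the Defender detection it is modelled on. The loopback portproxy event is deliberately not flagged, because the alert the article lists concerns forwarding to a non-local address, and the `-File` PowerShell launch is there to show a routine administrative command falling through. Note which side of a remote execution each rule sees: the wmic and winrs hits come from the host the attacker typed on, while the cmd.exe parented by WmiPrvSE.exe is the target's view of the same action, which is why both kinds of rule are worth running.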
If you have been affected by Volt Typhoon, close or change the credentials for all compromised accounts, and examine the activity of those accounts to determine what the attackers did with them, including any malicious actions taken and any data exposed.
Without appropriate monitoring in place, you may never know the attackers were in your environment. Microsoft said the campaign operates stealthily, relying on living-off-the-land techniques and hands-on-keyboard activity rather than malware, and blending into normal network traffic by routing it through compromised small-office and home-office (SOHO) network equipment such as routers, firewalls, and VPN hardware.
Microsoft's blog post documents the Volt Typhoon activity in detail; read it if you want the full technical breakdown.