ALERT ISSUED: China CCP Attacking Communications Infrastructure in USA

Microsoft has uncovered stealthy and targeted malicious activity focused on post-compromise credential access and network system discovery aimed at critical infrastructure organizations in the United States.

The activity is attributed to Volt Typhoon, a state-sponsored actor based in China that typically focuses on espionage and information gathering. Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and the Asia region during future crises.

Volt Typhoon has been active since mid-2021 and has targeted critical infrastructure organizations in Guam and elsewhere in the United States. In this campaign, the affected organizations span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. Observed behavior suggests that the threat actor intends to perform espionage and maintain access without being detected for as long as possible.

To achieve their objective, the threat actor puts strong emphasis on stealth in this campaign, relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity. They issue commands via the command line to (1) collect data, including credentials from local and network systems, (2) put the data into an archive file to stage it for exfiltration, and then (3) use the stolen valid credentials to maintain persistence. In addition, Volt Typhoon tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware. They have also been observed using custom versions of open-source tools to establish a command and control (C2) channel over a proxy to further stay under the radar.

Volt Typhoon is targeting critical infrastructure providers and using these tactics to achieve and maintain unauthorized access to target networks. Because the activity relies on valid accounts and living-off-the-land binaries (LOLBins), it looks like routine administration on any single host, so detecting and mitigating this attack could be challenging.
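One practical answer to that detection problem is to stop looking for any single LOLBin execution (which is routine on every administered host) and instead correlate the combination the paragraphs above describe: credential collection, archiving for staging, and proxy or relay setup, by the same account on the same host within a short window. The script below is an added example written for this page; it is not code from Microsoft's report or the NSA advisory. The command patterns it matches are this editor's assumptions about how such living-off-the-land activity commonly looks on Windows, and the JSON process-creation log lines are constructed sample data.

```python
"""Hunt for living-off-the-land credential access, staging and proxying in
process-creation logs. Added example: the command patterns are assumptions
about how such activity commonly looks on Windows hosts, not indicators taken
from the page, Microsoft's report or the NSA advisory."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (behaviour label, pattern over the full command line); all patterns are assumed, not sourced
RULES = [
    ("credential_access", re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b", re.I)),
    ("credential_access", re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|security|system)\b", re.I)),
    ("discovery", re.compile(r"\b(nltest|dsquery|net(\.exe)?\s+(group|user|view))\b", re.I)),
    ("staging", re.compile(r"\b(7z|rar|makecab)(\.exe)?\b.*\.(7z|rar|cab|zip)\b", re.I)),
    ("proxy", re.compile(r"\bnetsh(\.exe)?\s+interface\s+portproxy\s+add\b", re.I)),
]
WINDOW = timedelta(hours=1)  # behaviours closer than this by the same host+user form one cluster
MIN_BEHAVIOURS = 2           # one LOLBin hit is admin noise; alert only on a combination

# Constructed sample log (JSON lines). DC01 shows the full chain; every other host shows
# a single routine-looking behaviour, and FS01's two hits are hours apart.
SAMPLE_LOG = r"""
{"ts": "2023-05-24T00:30:00", "host": "FS01", "user": "CORP\\jdoe", "cmdline": "net group \"Domain Admins\" /domain"}
{"ts": "2023-05-24T01:02:11", "host": "DC01", "user": "CORP\\svc_backup", "cmdline": "cmd.exe /c ntdsutil.exe \"ac i ntds\" ifm \"create full C:\\Windows\\Temp\\ifm\" q q"}
{"ts": "2023-05-24T01:05:40", "host": "DC01", "user": "CORP\\svc_backup", "cmdline": "reg.exe save hklm\\sam C:\\Windows\\Temp\\sam.hiv"}
{"ts": "2023-05-24T01:09:03", "host": "DC01", "user": "CORP\\svc_backup", "cmdline": "7z.exe a C:\\Windows\\Temp\\out.7z C:\\Windows\\Temp\\ifm"}
{"ts": "2023-05-24T01:14:22", "host": "DC01", "user": "CORP\\svc_backup", "cmdline": "netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5 connectport=8443"}
{"ts": "2023-05-24T01:20:00", "host": "WS07", "user": "CORP\\alice", "cmdline": "notepad.exe C:\\Users\\alice\\notes.txt"}
{"ts": "2023-05-24T02:00:00", "host": "BK02", "user": "CORP\\svc_backup", "cmdline": "7z.exe a D:\\backups\\nightly.zip D:\\data"}
{"ts": "2023-05-24T03:00:00", "host": "FS01", "user": "CORP\\jdoe", "cmdline": "rar.exe a C:\\Users\\jdoe\\AppData\\Local\\Temp\\docs.rar C:\\Share\\Finance"}
"""


def classify(cmdline):
    """Return the set of behaviour labels whose pattern appears in one command line."""
    return {label for label, pat in RULES if pat.search(cmdline)}


def parse_events(lines):
    """Parse JSON lines into events with datetime timestamps, oldest first."""
    events = []
    for line in lines:
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def hunt(lines):
    """Tag events, group them per host+user, and raise one alert for each group
    that shows at least MIN_BEHAVIOURS distinct behaviours inside WINDOW."""
    hits = defaultdict(list)
    for ev in parse_events(lines):
        behaviours = classify(ev["cmdline"])
        if behaviours:
            hits[(ev["host"], ev["user"])].append((ev["ts"], behaviours, ev["cmdline"]))
    alerts = []
    for (host, user), items in hits.items():
        for i, (t0, _, _) in enumerate(items):  # slide the window over this group's hits
            seen, cmds = set(), []
            for ts, behaviours, cmd in items[i:]:
                if ts - t0 > WINDOW:
                    break
                seen |= behaviours
                cmds.append(cmd)
            if len(seen) >= MIN_BEHAVIOURS:
                alerts.append({"host": host, "user": user, "first_seen": t0.isoformat(),
                               "behaviours": sorted(seen), "commands": cmds})
                break  # one alert per host+user is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOG.splitlines()):
        print(json.dumps(alert, indent=2))
```

Run against the sample, only DC01 fires: the backup account on BK02 and the two widely separated commands on FS01 each stay below the threshold, which is the point of correlating rather than alerting on the individual binaries. Grouping on (host, user) keeps routine backup jobs elsewhere from being pulled into the DC01 cluster; when you are hunting one suspected account across many hosts, grouping on the user alone is the better key.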

Compromised accounts must be closed or changed. Microsoft's full blog post shares further mitigation steps and best practices, as well as details on how Microsoft 365 Defender detects malicious and suspicious activity to protect organizations from such stealthy attacks. The National Security Agency (NSA) has also published a Cybersecurity Advisory (PDF) which contains a hunting guide for the tactics, techniques, and procedures (TTPs) discussed in that post.


This Site Owned and Published by:

 

Harold C. Turner

1906 Paterson Plank Road

Post Office Box 421

North Bergen, NJ   07047


Office Tel: 201-484-0900

Email: Hal.Turner@HalTurnerRadioShow.com
