Volt Typhoon, a state-sponsored hacking group, aims to disrupt US-Asia communication during a crisis – Microsoft warns


Global technology giant Microsoft has raised the alarm after detecting that Chinese state-sponsored hackers are using stealthy techniques to gain access that could be used to disrupt communication between the United States and the Asia region during future crises. The activity is attributed to Volt Typhoon, a state-sponsored actor based in China.

In a security update on its blog, Microsoft said it “uncovered stealthy and targeted malicious activity focused on post-compromise credential access and network system discovery aimed at critical infrastructure organizations in the United States”. The operation “is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises”.

The post added that Volt Typhoon has been active since mid-2021 and has “targeted critical infrastructure organizations in Guam and elsewhere in the United States”. These include organizations in the “communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors”.

According to Microsoft, the actor has prioritized stealth and thus relies heavily on the use of “living-off-the-land techniques and hands-on-keyboard activity”. It warned that “Because this activity relies on valid accounts and living-off-the-land binaries (LOLBins), detecting and mitigating this attack could be challenging”.

Microsoft added that “Volt Typhoon discovers system information, including file system types; drive names, size, and free space; running processes; and open networks. They also attempt to discover other systems on the compromised network using PowerShell, Windows Management Instrumentation Command-line (WMIC), and the ping command. In a small number of cases, the threat actors run system checks to determine if they are operating within a virtualized environment”.
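Because the discovery described above is carried out with built-in Windows tools under valid accounts, no single command is a reliable indicator on its own; what stands out is several distinct discovery categories from one user on one host inside a short window. The script below is an added example, not Microsoft's detection logic or anything published by the vendor: it scans constructed process-creation log lines for the tooling the report names (PowerShell, WMIC, ping, plus the usual tasklist/netstat companions) and raises one alert per host/user pair when the categories cluster. The tab-separated log format, the category regexes, the 10-minute window and the threshold of three categories are all assumptions chosen for illustration.

```python
"""Flag clustered living-off-the-land discovery activity per host and user.

Added example (not Microsoft's code): scans constructed process-creation
log lines and alerts when one (host, user) runs several distinct discovery
categories inside a short window. Log format and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format, one process-creation event per line, tab separated:
# <ISO timestamp>\t<host>\t<user>\t<image path>\t<command line>
LINE_RE = re.compile(r"^(\S+)\t([^\t]+)\t([^\t]+)\t([^\t]+)\t(.*)$")

# Discovery categories drawn from the behaviour the report describes, each a
# regex over the lower-cased command line. A category counts once however many
# commands hit it, so a single noisy command cannot trip the threshold alone.
CATEGORIES = {
    "filesystem": re.compile(r"\b(logicaldisk|get-psdrive|get-volume|fsutil)\b"),
    "processes":  re.compile(r"\b(tasklist|get-process|wmic\s+process)\b"),
    "network":    re.compile(r"\b(netstat|get-nettcpconnection|ipconfig|arp\s+-a)\b"),
    "hosts":      re.compile(r"\bping(\.exe)?\s+"),
}
# Only events from these binaries are considered (assumed allow-list of LOLBins).
LOLBINS = {"wmic.exe", "powershell.exe", "ping.exe", "cmd.exe", "tasklist.exe", "netstat.exe"}

WINDOW = timedelta(minutes=10)   # assumption
THRESHOLD = 3                    # distinct categories from one (host, user) inside WINDOW

# Constructed sample log: one workstation shows a tight discovery burst, one
# server shows two unrelated admin commands hours apart.
SAMPLE_LOG = """\
2023-05-24T09:00:00\tWS-FIN-07\tcorp\\jdoe\tC:\\Windows\\System32\\cmd.exe\tcmd.exe /c dir
2023-05-24T09:01:10\tWS-FIN-07\tcorp\\jdoe\tC:\\Windows\\System32\\wbem\\wmic.exe\twmic logicaldisk get name,size,freespace
2023-05-24T09:01:42\tWS-FIN-07\tcorp\\jdoe\tC:\\Windows\\System32\\tasklist.exe\ttasklist /v
2023-05-24T09:02:15\tWS-FIN-07\tcorp\\jdoe\tC:\\Windows\\System32\\netstat.exe\tnetstat -ano
2023-05-24T09:03:00\tWS-FIN-07\tcorp\\jdoe\tC:\\Windows\\System32\\ping.exe\tping -n 1 10.0.5.12
2023-05-24T10:30:00\tSRV-IT-02\tcorp\\svc-backup\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tpowershell.exe Get-PSDrive
2023-05-24T13:15:00\tSRV-IT-02\tcorp\\svc-backup\tC:\\Windows\\System32\\tasklist.exe\ttasklist
"""

def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, user, image, cmd = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "image": image.rsplit("\\", 1)[-1].lower(), "cmd": cmd.lower()}

def classify(event):
    """Return the set of discovery categories one event matches (may be empty)."""
    if event["image"] not in LOLBINS:
        return set()
    return {name for name, rx in CATEGORIES.items() if rx.search(event["cmd"])}

def find_discovery_clusters(lines):
    """Return [(host, user, window_start, categories)] for every (host, user)
    whose distinct discovery categories inside WINDOW reach THRESHOLD."""
    events = [e for e in map(parse, lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_actor = defaultdict(list)
    for e in events:
        cats = classify(e)
        if cats:
            by_actor[(e["host"], e["user"])].append((e["ts"], cats))
    alerts = []
    for (host, user), hits in by_actor.items():
        for i, (start, _) in enumerate(hits):
            seen = set()
            for ts, cats in hits[i:]:       # slide a window forward from each hit
                if ts - start > WINDOW:
                    break
                seen |= cats
            if len(seen) >= THRESHOLD:
                alerts.append((host, user, start, frozenset(seen)))
                break                       # one alert per actor is enough for triage
    return alerts

if __name__ == "__main__":
    for host, user, start, cats in find_discovery_clusters(SAMPLE_LOG.splitlines()):
        print(f"{start.isoformat()} {host} {user}: discovery cluster {sorted(cats)}")
```

On the constructed sample the workstation burst produces a single alert covering all four categories, while the server's two commands hours apart produce none. Because the activity runs under valid accounts, an alert like this is a triage lead to compare against the account's normal behaviour rather than a reason to block on its own; in production the regexes and window would be tuned against your own process-creation telemetry.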

A joint statement issued by the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS) and other Western cyber security agencies also set out defensive measures.
