On Wednesday, Microsoft issued a warning regarding the compromise of “critical” cyberinfrastructure in the United States by Chinese state-sponsored hackers.
According to Microsoft’s advisory, a hacking group known as “Volt Typhoon” has been active since mid-2021.
Their primary objective is to gather intelligence by targeting various industries.
Microsoft further highlighted that the group is specifically focused on disrupting vital communication infrastructure between the United States and Asia.
The intention behind these actions is to hinder response efforts during potential future crises.
Microsoft warned that the Chinese state-sponsored hacking group has targeted sites in Guam, where the U.S. has a major military presence.
According to the Microsoft Threat Intelligence team, “Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.”
The initial attack vector involves exploiting an unknown zero-day vulnerability to compromise Internet-exposed Fortinet FortiGuard devices.
Once inside the target networks, the hackers rely on “living-off-the-land” tactics: hands-on-keyboard activity carried out with built-in Windows binaries (LOLBins) such as PowerShell, Certutil, Netsh, and the Windows Management Instrumentation Command-line (WMIC), rather than custom malware.
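Because the binaries named above are legitimate Windows tools, their presence alone is not an alert; what gives hands-on-keyboard activity away is context, such as an unusual parent process or one account running several of them in a short window. The following Python is an added example written for this page, not code from Microsoft or the NSA bulletin: it parses constructed Sysmon-style process-creation events (the JSON lines, user names and paths are invented), flags executions of the four LOLBins the advisory names, rates each by whether the parent process is one an interactive administrator would normally launch from (the `EXPECTED_PARENTS` baseline is an assumption for the example, not from the advisory), and then clusters findings per user to surface accounts touching multiple LOLBins.

```python
import json
import ntpath
from collections import defaultdict

# Built-in Windows binaries named in the advisory, matched on base name.
LOLBINS = {"powershell.exe", "certutil.exe", "netsh.exe", "wmic.exe"}

# Parents from which administrators routinely launch these tools by hand.
# Assumed baseline for this example; tune it to your own environment.
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe"}

# Constructed sample telemetry (Sysmon Event ID 1 style fields, one JSON
# object per line). None of this is real data from the incident.
SAMPLE_EVENTS = r"""
{"UtcTime":"2023-05-24 10:01:03","User":"CORP\\jdoe","Image":"C:\\Windows\\explorer.exe","ParentImage":"C:\\Windows\\System32\\userinit.exe","CommandLine":"explorer.exe"}
{"UtcTime":"2023-05-24 10:02:41","User":"CORP\\jdoe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"powershell.exe -File C:\\scripts\\inventory.ps1"}
{"UtcTime":"2023-05-24 10:14:09","User":"CORP\\ops-admin","Image":"C:\\Windows\\System32\\netsh.exe","ParentImage":"C:\\Windows\\System32\\wsmprovhost.exe","CommandLine":"netsh.exe interface show interface"}
{"UtcTime":"2023-05-24 10:14:27","User":"CORP\\ops-admin","Image":"C:\\Windows\\System32\\wbem\\wmic.exe","ParentImage":"C:\\Windows\\System32\\wsmprovhost.exe","CommandLine":"wmic.exe computersystem get name"}
{"UtcTime":"2023-05-24 10:15:50","User":"CORP\\ops-admin","Image":"C:\\Windows\\System32\\certutil.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"certutil.exe -hashfile C:\\Temp\\update.bin SHA256"}
{"UtcTime":"2023-05-24 10:16:12","User":"CORP\\svc-backup","Image":"C:\\Program Files\\Backup\\agent.exe","ParentImage":"C:\\Windows\\System32\\services.exe","CommandLine":"agent.exe --run"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            events.append(json.loads(line))
    return events


def basename(path):
    """Lower-cased file name of a Windows path, independent of host OS."""
    return ntpath.basename(path).lower()


def detect_lolbins(text):
    """Return one finding per LOLBin execution, rated by parent process.

    'low'  : launched from an interactive parent an admin would normally use
    'high' : launched from any other parent (remote session, service, etc.)
    """
    findings = []
    for ev in parse_events(text):
        image = basename(ev["Image"])
        if image not in LOLBINS:
            continue
        parent = basename(ev["ParentImage"])
        findings.append({
            "time": ev["UtcTime"],
            "user": ev["User"],
            "image": image,
            "parent": parent,
            "command": ev["CommandLine"],
            "severity": "low" if parent in EXPECTED_PARENTS else "high",
        })
    return findings


def hands_on_keyboard_users(findings, min_distinct=2):
    """Users who ran at least `min_distinct` different LOLBins in the sample.

    Several distinct built-in tools from one account in a short window is the
    clustering signal that distinguishes interactive operator activity from
    a single scripted admin task.
    """
    by_user = defaultdict(set)
    for f in findings:
        by_user[f["user"]].add(f["image"])
    return sorted(u for u, bins in by_user.items() if len(bins) >= min_distinct)


if __name__ == "__main__":
    hits = detect_lolbins(SAMPLE_EVENTS)
    for h in hits:
        print(f"[{h['severity']:<4}] {h['time']} {h['user']} {h['image']} "
              f"(parent: {h['parent']}) :: {h['command']}")
    print("users with multiple LOLBins:", hands_on_keyboard_users(hits))
```

Run on the sample, the script flags four LOLBin executions, rates the two launched from a WinRM host process as high, and singles out the one account that touched three different tools. In production the same logic would sit on top of a SIEM query over Sysmon or Windows Security 4688 events, with the parent baseline and the per-user threshold tuned to what administrators in that environment actually do.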
The National Security Agency (NSA) released a bulletin on Wednesday, providing information on the operation of the hack and offering guidance on response measures for cybersecurity teams.
The attack is currently ongoing, and Microsoft’s advisory advises affected customers to “close or change credentials for all compromised accounts.”
When questioned about the timing and the reasons behind Microsoft’s announcement, a spokesperson for the company declined to provide specific details to the Associated Press.
They also did not confirm whether there had been a recent increase in targeting critical infrastructure in Guam or at nearby U.S. military facilities, including a major air base.
John Hultquist, the chief analyst at Google’s Mandiant cybersecurity intelligence operation, referred to Microsoft’s announcement as “potentially a really important finding.”