Microsoft has said that it has found malicious activity by a Chinese state-sponsored hacking group that has stealthily gained access to critical infrastructure organizations in Guam and elsewhere in the US, with the likely aim of disrupting critical communications in the event of a crisis.
In a report published Wednesday, Microsoft said the group, named Volt Typhoon, had been active since mid-2021, targeting organizations that span manufacturing, construction, maritime, government, information technology and education.
Joe Saunders, CEO, RunSafe Security, had this comment on this rather disturbing news:
“In all these attacks, denying the adversary the ability to target memory weaknesses in code is essential to thwart any additional steps in the attack, especially if we want to make our infrastructure resilient. Achieving cyber resilience is an urgent need for our country.”
Although Chinese state-sponsored hackers have never launched a disruptive cyberattack against the United States, even over decades of data theft from US systems, the country’s hackers have periodically been caught inside US critical infrastructure. Thus the time to act is now, before these hackers escalate their activities beyond what they have done to date.
UPDATE: I have two more comments on this. The first is from Willy Leichter, VP, Cyware:
“These state-sponsored groups are relentless in trying to get a persistent foothold in our critical infrastructure systems, and attacks are inevitable. While all organizations need to remain vigilant about tracking threats and closing vulnerabilities, we really need to improve how quickly we disseminate critical intelligence industry-wide. Information sharing communities (ISACs) in critical infrastructure, energy, and other sectors are providing some of this intelligence, but we need much more widespread adoption and automation, so an attack on one system can be automatically defended against across an entire industry sector.”
Roy Akerman, Co-Founder & CEO, Rezonate followed up with this:
“While described as novel, the TTPs mentioned in the report have been used for years: webshells, Living-off-the-Land, command line, proxies for exfiltration. IOCs extracted are valuable but unfortunately have a short shelf life as attackers evolve their infrastructure. The report coming from CISA and NSA provides a fantastic insight on the techniques; however, you can also clearly identify where traditional EDR solutions will fall short against LOLBin use and how a layered defense approach is critical to augment and further provide critical context.”
Finally, Steve Stone, Head of Rubrik Zero Labs, concludes with this:
“Rubrik believes the combination of multiple private companies and several governments publicly reporting their findings is a great situation for the overall cybersecurity community. In particular, the US Government and its partners are working to publicly report activity sooner than in the past at the cost of maintaining their potential access. This demonstrable shift by the US government is a major step forward for private organizations.
“This activity is in line with well-established Chinese hacking efforts. This in no way undercuts the reporting, but it’s critical we view this as an existing assessment confirmation instead of net new activity.
“The continued focus on valid users and valid tools by threat actors presents one of the largest threats to the industry. The valid user is the most capable attack surface an attacker can gain. Additionally, these types of actions are notoriously difficult to detect. For all of these reasons, Rubrik is heavily investing in user intelligence in 2023, which we will combine with data trends. We think this remains one of the largest problems to solve from a threat perspective.”