Volt Typhoon Targets Critical Infrastructure

A joint Cybersecurity Advisory has been released by the United States and its Five Eyes partners on a state-sponsored cyber actor, attributed to the People's Republic of China, known as Volt Typhoon.

The actor's primary tradecraft is living off the land: it relies on native, legitimate Windows tools and built-in administrative commands rather than custom malware to advance and sustain the intrusion. Because that activity looks like routine administration, Endpoint Detection and Response (EDR) products often raise no alert; there is no malicious binary to flag, and the command-line and network activity blends in with normal Windows behaviour. Volt Typhoon has been active since mid-2021 and continues to target critical infrastructure environments. Its objective is long-term access and reconnaissance: collecting as much information as possible about the entire environment while staying quiet inside the compromised network.

Initial access is achieved through internet-facing Fortinet FortiGuard devices. The actor leverages whatever privileges the appliance holds, extracts the credentials of the Active Directory account the device uses, and then authenticates to other systems on the network with those credentials. To blend in further, command-and-control traffic is proxied through compromised small-office/home-office (SOHO) network equipment so that it appears to come from ordinary local IP space rather than from attacker infrastructure.

Post-exploitation, Volt Typhoon rarely deploys malware. It works from the command line: running discovery commands (for example via wmic, netsh and PowerShell) to learn about the host and the wider network, dumping credentials from the LSASS process and from Active Directory (copying the NTDS.dit database with ntdsutil), staging the collected data in password-protected archives, and exfiltrating it. Defending against this tradecraft has become a top priority for organizations in the critical infrastructure landscape.
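Because the activity described in the two paragraphs above consists of legitimate binaries run with unusual arguments, the most useful evidence is the process command line. The following hunting script is an added example and not part of the advisory or the page's original text. The indicator patterns are an assumption derived from the native tools involved (ntdsutil, netsh, wmic, reg, ldifde) and will need tuning to your environment; the sample command lines are constructed for the demonstration and modelled on the kind of activity the advisory describes.

```powershell
# Added example, not from the advisory: hunt process command lines for the
# living-off-the-land activity described above. The indicator patterns are an
# assumption derived from the native tools involved; expect some admin noise.

$LotlIndicators = @(
    @{ Name = 'NTDS.dit copy via ntdsutil IFM';  Regex = 'ntdsutil(\.exe)?.*\bifm\b' }
    @{ Name = 'netsh portproxy (C2 tunnel)';     Regex = 'netsh(\.exe)?\s+interface\s+portproxy\s+add' }
    @{ Name = 'Registry hive save (SAM/SYSTEM)'; Regex = 'reg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b' }
    @{ Name = 'WMI host/network discovery';      Regex = 'wmic(\.exe)?\s.*(logicaldisk|process|useraccount|nicconfig)' }
    @{ Name = 'LDAP export via ldifde';          Regex = 'ldifde(\.exe)?\s+-f\s' }
)

function Find-LotlCommands {
    # Accepts CommandLine strings from the pipeline and emits one object per
    # command that matches an indicator (first matching indicator wins).
    param([Parameter(Mandatory, ValueFromPipeline)][string]$CommandLine)
    process {
        foreach ($ind in $LotlIndicators) {
            if ($CommandLine -match $ind.Regex) {
                [pscustomobject]@{ Indicator = $ind.Name; CommandLine = $CommandLine }
                break
            }
        }
    }
}

# Constructed sample input standing in for the CommandLine field of Security
# event 4688 (with command-line auditing enabled) or Sysmon Event ID 1.
$SampleCommandLines = @(
    'cmd.exe /C ntdsutil.exe "ac i ntds" ifm "create full C:\Windows\Temp\pro" q q'
    'netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=9999 connectaddress=192.0.2.10 connectport=8443'
    'cmd.exe /C wmic path win32_logicaldisk get caption,filesystem,freespace,size,volumename'
    'reg save hklm\sam C:\Windows\Temp\ss.dat'
    'C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule'
    'powershell.exe -NoProfile -Command Get-Date'
)

$SampleCommandLines | Find-LotlCommands | Format-Table -AutoSize

# Live variant against Sysmon process-creation events (admin rights required):
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents 5000 |
#     ForEach-Object { ([xml]$_.ToXml()).Event.EventData.Data |
#                      Where-Object Name -eq 'CommandLine' | Select-Object -ExpandProperty '#text' } |
#     Find-LotlCommands
```

The svchost and Get-Date lines are there deliberately: a hunt like this only earns its keep if it stays quiet on ordinary activity, so validate each pattern against a week of your own baseline before alerting on it.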

Basic hygiene reduces the attack surface considerably. Harden LSASS (Local Security Authority Subsystem Service) on every Windows host, not only on Active Directory domain controllers: LSASS holds the cached credentials that the actor dumps, so enabling LSA protection (RunAsPPL), Credential Guard where the hardware supports it, and the Microsoft Defender attack surface reduction rule that blocks credential theft from LSASS removes the easy path to domain credentials. Enforce multi-factor authentication (MFA) on all accounts, especially those used by edge devices and for remote access, so that a stolen password alone is not enough to move laterally. Finally, record process command lines (Windows Security event 4688 with command-line auditing enabled, or Sysmon Event ID 1) and review them for the native-tool usage described above, because with this actor the command line is where the evidence lives.
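The following script is an added example, not part of the advisory or the page, showing what the LSASS hardening recommended above looks like on a single host, together with a compliance check that can be run fleet-wide. It assumes an elevated PowerShell session on Windows 10/11 or Windows Server 2016 or later with Microsoft Defender Antivirus active (the attack surface reduction rule depends on it); Credential Guard is left out because it is normally deployed through Group Policy and requires UEFI and virtualization support, and MFA is an identity-provider setting rather than something to script on the endpoint.

```powershell
# Added example, not from the advisory: LSASS credential-theft hardening for a
# single Windows host, run from an elevated PowerShell session.
# Assumptions: Windows 10/11 or Windows Server 2016+ with Microsoft Defender
# Antivirus active. The RunAsPPL setting takes effect after a reboot.

$LsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
# Defender ASR rule "Block credential stealing from the Windows local security
# authority subsystem (lsass.exe)"
$LsassAsrRule = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'

function Set-LsassHardening {
    # 1. Run LSA as a Protected Process Light so user-mode tools (even ones run
    #    as an administrator) cannot open lsass.exe memory for dumping.
    Set-ItemProperty -Path $LsaKey -Name 'RunAsPPL' -Type DWord -Value 1

    # 2. Make sure WDigest does not keep plaintext credentials in LSASS memory.
    if (-not (Test-Path $WDigestKey)) { New-Item -Path $WDigestKey -Force | Out-Null }
    Set-ItemProperty -Path $WDigestKey -Name 'UseLogonCredential' -Type DWord -Value 0

    # 3. Block (not just audit) credential access to LSASS in Defender.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassAsrRule `
                     -AttackSurfaceReductionRules_Actions Enabled
}

function Test-LsassHardening {
    # Emits one row per control so results can be collected across a fleet.
    $lsa  = Get-ItemProperty -Path $LsaKey
    $wd   = Get-ItemProperty -Path $WDigestKey -ErrorAction SilentlyContinue
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)

    # Action code 1 = Block; 2 = Audit; 0 = Disabled; 6 = Warn.
    $asrBlocking = $false
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $LsassAsrRule -and $acts[$i] -eq 1) { $asrBlocking = $true }
    }

    [pscustomobject]@{ Control = 'LSA RunAsPPL enabled';          Compliant = ($lsa.RunAsPPL -eq 1) }
    [pscustomobject]@{ Control = 'WDigest UseLogonCredential = 0'; Compliant = ($wd.UseLogonCredential -eq 0) }
    [pscustomobject]@{ Control = 'ASR LSASS rule in Block mode';  Compliant = $asrBlocking }
}

Set-LsassHardening
Test-LsassHardening | Format-Table -AutoSize
```

Roll the ASR rule out in Audit mode first on a pilot group and review the resulting events before switching to Enabled; some backup, monitoring and single-sign-on agents legitimately read LSASS and will need exclusions or updates.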