author photo
By Cam Sivesind
Thu | May 25, 2023 | 3:06 PM PDT

"Volt Typhoon," a state-sponsored cyber actor associated with the People's Republic of China (PRC), has been identified by Microsoft, the United States, and international cybersecurity authorities as the party responsible for recent activity affecting networks across U.S. critical infrastructure sectors.

"Volt Typhoon appears to be a highly sophisticated Chinese cyber espionage effort to target critical U.S. infrastructure, especially on the U.S. island territory of Guam," said Col. Cedric Leighton, CNN Military Analyst and U.S. Air Force (Ret.). "Volt Panda also appears to be targeting critical cyber infrastructure throughout the U.S."

Col. Leighton, who will present the closing keynote, "Cyber World on Fire: A Look at Internet Security in Today's Age of Conflict," at SecureWorld Chicago on June 8, said the targeting of Guam should be viewed as a key threat.

"Guam is critical to the U.S. presence in the Indo-Pacific Theater since it's home to major U.S. Navy, Marine, and Air Force bases," he said. "These bases would be critical to any potential U.S. effort to help defend Taiwan from an attack by the People's Republic of China. I was stationed at Andersen Air Force Base on Guam in 1996-97 (in the wake of a previous Taiwan crisis) while serving in the Air Force, and the island's strategic importance has only increased since then."

The FBI, National Security Agency, and other U.S. and Western security agencies released a joint advisory on Wednesday detailing the threat vector and indicators of compromise.

According to the Microsoft Threat Intelligence announcement, Volt Typhoon gains initial access to targeted organizations through internet-facing security devices, specifically Fortinet FortiGuard firewalls.

"The threat actor attempts to leverage any privileges afforded by the Fortinet device, extracts credentials to an Active Directory account used by the device, and then attempts to authenticate to other devices on the network with those credentials," the announcement said.

Here is a CNBC report on the warning from Microsoft.

Col. Leighton went on to say:

"Volt Typhoon is particularly sophisticated in that it exploits vulnerabilities in a commonly used cybersecurity tool. It's able to steal credentials and makes a strong effort to remain undetected, which is exactly how you would conduct a hack if you were gathering intelligence about the configuration of an IT network. In many respects, Volt Typhoon reminds me of another Chinese cyber espionage effort, Mustang Panda.

It also appears that Volt Typhoon could easily switch from being an intelligence gathering operation to an active vector for a Computer Network Attack. Since the targets span several industries and sectors, among them telecommunications, transportation, the military, and emergency response, this could be part of a Chinese operation to map out the paths a potential American response to an invasion of Taiwan would take. This could help the Chinese develop both kinetic and non-kinetic targeting scenarios. Their goal would be to preempt and disable any U.S. effort to aid or defend Taiwan."

Several cybersecurity vendor experts offered their views on the situation.

Casey Ellis, Founder and CTO at Bugcrowd:

"The kinds of direct action Volt Typhoon could take really hinge on their level of access, and the vulnerabilities and design weakness that exist within the organizations they've compromised. There are plenty of examples of threat actors manipulating the power grid, for example, however, this would require that to be possible for that particular grid in the first place. It's also worth noting that tampering or destroying CNI by a known state-sponsored threat actor could very easily be interpreted as an act of war, opening the possibility for escalation—which will hopefully act as a deterrent to these kinds of actions.

Organizations can protect themselves by understanding their network environment, ensuring vulnerabilities are being identified and managed properly, and—in this case—proactive threat hunting."

Andrew Barratt, Vice President at Coalfire:

"This is a noteworthy threat for a number of reasons, not least of which is that it is gaining access via compromising security devices such as firewalls. Then by using tools present in the environment, they are aiming to remain persistent and evasive. This is less observed in criminal actors and more like classic espionage or nation-state activity. The compromise of security devices will certainly lead to follow on criminal activity as copy cats will leverage the vulnerabilities against mid-size firms who may have a hard shell security model but are a little weaker internally and exposed to more persistent intruders. Fast payouts are almost surely going to come from ransomware in these scenarios."

Joseph Carson, Chief Security Scientist and Advisory CISO at Delinea:

"The recent Volt Typhoon warning from Microsoft is alarming. The attackers are exploiting vulnerabilities, performing hands on keyboard access to enumerate the victim's networks stealing credentials and elevating privileged access. These recent events increase the importance on protecting remote access, credentials security, and protecting privileged access with stronger security controls, auditability, and implementing the principle of least privileged which is an important methodology that supports a Zero-Trust architecture. It is also demonstrates that enforcing just-in-time and just-enough privilege policies should become the norm, as they reduce the risk related to standing privileges and align with Zero Trust best practices.

Craig Jones, Vice President of Security Operations at Ontinue:

"China's prominence as a cyber threat actor sets it apart from other adversary nations in the global cyber landscape. State-sponsored Chinese cyber operations, known to operate with significant resources and support, encompass a wide range of objectives, including cyber espionage, financial gain, and potential destructive capabilities.

China's cyber threat landscape presents a distinct challenge. Notably, China-backed APT groups demonstrate advanced capabilities, leveraging custom malware and tools to evade detection. Their involvement in intellectual property theft and the exploitation of supply chain vulnerabilities further underscores their strategic approach. Moreover, China's proficiency in utilizing Zero-Day exploits adds another layer of complexity to their cyber activities.

As the cybersecurity landscape continues to evolve, addressing China's utilization of Zero-Day attacks remains a crucial aspect of bolstering defenses and safeguarding against emerging threats."