Recently, a China-based threat group known as “Volt Typhoon” has been infiltrating US critical infrastructure using a vulnerability in a popular cybersecurity suite called FortiGuard.
Volt Typhoon is a state-sponsored threat actor that has been active since mid-2021 and that mainly targets critical infrastructure. They primarily use living-off-the-land and hands-on-keyboard techniques in order to avoid detection.
Why Is This Happening?
This campaign illustrates the security challenges with Small Office Home Office (SOHO) devices. Chinese threat actors shifted from using public cloud infrastructure to these consumer-grade SOHO routers to obfuscate their activity and make it more difficult for defenders to investigate their operations. Unpatched, consumer-grade SOHO devices with default passwords beg to be compromised by threat actors. The US could benefit from federal regulation or legislation that requires manufacturers to harden their products and make it more challenging for threat actors to use them in their campaigns.
This campaign is also a good reminder to have a relationship with your local FBI field office. Companies that observe techniques and indicators associated with this campaign can share this and potentially gain additional information from and support from the FBI.
What Should You Do Now?
Given the uptick in recent operations by Volt Typhoon, we recommend adding this APT to your organizations threat profile if you meet the following victimology criteria:
- Information technology
Defenders should hunt for the activity mentioned in the alert as soon as possible and take particular note of the “living off the land” guidance. Anything your organization does to improve your ability to detect living-off-the-land activity will significantly benefit your defenses.
Some mitigations and recommendations may take longer to implement, but if you are on China’s target list, they will return until they accomplish their objectives. If you need clarification about whether China would target your company, China’s 14th Five-Year Plan is very transparent about its goals to strengthen the nation’s strategic science and technology power. The plan lists specific sectors and technology of interest and is a blueprint for espionage targeting.
We recommend the following mitigations to reduce your risk of compromise or impact:
- Update and apply patches to all network edge devices, particularly Fortinet appliances.
- Ensure that all network edge devices do not have publicly exposed management interfaces.
- Utilize device certificates for remote authentications to mitigate the risk of exposed credentials.
- Require MFA for all remote authentications at minimum.
- Run all EDR solutions in prevent/block modes rather than detect to proactively prevent actions on objectives.
- Enforce a robust password policy and management solution requiring rotations.
- Segment and properly secure sensitive data.
- Improve your ability to detect living-off-the-land activity.
What ReliaQuest Is Doing
The ReliaQuest Threat Hunting Team is continuously monitoring and actively evaluating all customers that match the Volt Typhoon victimology for both publicly available and internally identified TTPs and indicators of compromise. Any known infrastructure will be added to our emergency feeds to enable detection of intrusion attempts at the network edge. Customers will be kept up to date with all new information regarding Volt Typhoon.