Threat Update: Critical Infrastructure Vulnerability

What’s Happening?

Recently, a China-based threat group known as “Volt Typhoon” has been infiltrating US critical infrastructure using a vulnerability in a popular cybersecurity suite called FortiGuard.

Volt Typhoon is a state-sponsored threat actor that has been active since mid-2021 and that mainly targets critical infrastructure. They primarily use living-off-the-land and hands-on-keyboard techniques in order to avoid detection.

Why Is This Happening?

This campaign illustrates the security challenges with Small Office Home Office (SOHO) devices. Chinese threat actors shifted from using public cloud infrastructure to these consumer-grade SOHO routers to obfuscate their activity and make it more difficult for defenders to investigate their operations. Unpatched, consumer-grade SOHO devices with default passwords beg to be compromised by threat actors. The US could benefit from federal regulation or legislation that requires manufacturers to harden their products and make it more challenging for threat actors to use them in their campaigns.

This campaign is also a good reminder to have a relationship with your local FBI field office. Companies that observe techniques and indicators associated with this campaign can share them and potentially gain additional information and support from the FBI.

What Should You Do Now?

Given the uptick in recent operations by Volt Typhoon, we recommend adding this APT to your organization's threat profile if you operate in one of the following sectors, which match the campaign's victimology:

Communications, manufacturing, utility, transportation, construction, maritime, government, information technology, or education.

Defenders should hunt for the activity mentioned in the alert as soon as possible and take particular note
