
American maritime assets targeted by Chinese malware
American maritime assets are being targeted by Volt Typhoon, a Chinese state-sponsored snooping operation, tech giant Microsoft warned today.
Microsoft said it has uncovered “stealthy and targeted malicious activity” focused on post-compromise credential access and network system discovery aimed at critical infrastructure organisations in the US. The attack is carried out by Volt Typhoon, a state-sponsored actor based in China that typically focuses on espionage and information gathering.
According to Microsoft, Volt Typhoon has been active since mid-2021 and has targeted critical infrastructure organisations in Guam and elsewhere in the US. In this campaign, the affected organisations span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.
“Observed behavior suggests that the threat actor intends to perform espionage and maintain access without being detected for as long as possible,” Microsoft stated in an update on its site, going on to explain how the perpetrators rely almost exclusively on living-off-the-land techniques and hands-on-keyboard activity. They issue commands via the command line to collect data, including credentials from local and network systems, put the data into an archive file to stage it for exfiltration, and then use the stolen valid credentials to maintain persistence. In addition, Volt Typhoon tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware. They have also been observed using custom versions of open-source tools to establish a command and control channel over proxy to further stay under the radar.
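As an added illustration that is not part of the article or of Microsoft's report, the Python below scores constructed process-creation log lines against a few living-off-the-land patterns of the kind described above: credential collection with built-in Windows utilities, archiving the result for staging, port-proxy setup and account discovery, raising an alert only when credential access is seen together with enough other activity on the same host. The log format, rule patterns, weights, threshold, host names and sample lines are all assumptions made for the example, not indicators taken from the report.

```python
"""Toy host-level scorer for living-off-the-land credential access and staging.

Added example; the log format, rules and sample lines below are constructed
for illustration and are not indicators from the article or Microsoft's report.
"""
import re
from collections import defaultdict

# Assumed process-creation log format (constructed for this example).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"parent=(?P<parent>\S+) image=(?P<image>\S+) cmd=(?P<cmd>.*)$"
)

# (rule name, stage, pattern over the lowercased command line, weight).
# Patterns cover generic built-in Windows utilities; weights are assumptions.
RULES = [
    ("ntdsutil_ifm_dump", "credential_access",
     re.compile(r"ntdsutil.*\bifm\b.*create\s+full"), 5),
    ("registry_hive_export", "credential_access",
     re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|security|system)\b"), 5),
    ("archive_creation", "staging",
     re.compile(r"\b(7z|rar|tar)(\.exe)?\s+(a|-c|-cf)\b"), 2),
    ("netsh_portproxy", "proxying",
     re.compile(r"netsh\s+interface\s+portproxy\s+add"), 4),
    ("account_discovery", "discovery",
     re.compile(r"\b(net\s+(user|group|localgroup)|nltest|quser|wmic)\b"), 1),
]

# Alert only when credential access co-occurs with enough other activity.
ALERT_THRESHOLD = 6

# Constructed sample telemetry: one benign workstation, one domain controller
# showing dump -> archive -> port proxy, one workstation with benign archiving.
SAMPLE_LOG = """\
2023-05-24T10:01:02Z host=FS01 user=CORP\\jdoe parent=explorer.exe image=winword.exe cmd=winword.exe /n report.docx
2023-05-24T10:03:11Z host=DC01 user=CORP\\svc-backup parent=cmd.exe image=ntdsutil.exe cmd=ntdsutil.exe "ac i ntds" ifm "create full C:\\Windows\\Temp\\pro" q q
2023-05-24T10:05:40Z host=DC01 user=CORP\\svc-backup parent=cmd.exe image=7z.exe cmd=7z.exe a C:\\Windows\\Temp\\pro.7z C:\\Windows\\Temp\\pro
2023-05-24T10:07:09Z host=DC01 user=CORP\\svc-backup parent=cmd.exe image=netsh.exe cmd=netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5 connectport=8443
2023-05-24T10:09:00Z host=WS22 user=CORP\\asmith parent=cmd.exe image=net.exe cmd=net user
2023-05-24T10:12:30Z host=WS22 user=CORP\\asmith parent=explorer.exe image=7z.exe cmd=7z.exe a photos.7z C:\\Users\\asmith\\Pictures
"""


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def score_events(lines):
    """Accumulate rule hits per host: {host: {"score", "stages", "hits"}}."""
    per_host = defaultdict(lambda: {"score": 0, "stages": set(), "hits": []})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip malformed telemetry rather than fail the run
        cmd = ev["cmd"].lower()
        for name, stage, pattern, weight in RULES:
            if pattern.search(cmd):
                h = per_host[ev["host"]]
                h["score"] += weight
                h["stages"].add(stage)
                h["hits"].append((ev["ts"], ev["user"], name))
    return per_host


def find_alerts(lines):
    """Hosts where credential access was seen and the total score meets the threshold."""
    alerts = []
    for host, h in sorted(score_events(lines).items()):
        if "credential_access" in h["stages"] and h["score"] >= ALERT_THRESHOLD:
            alerts.append({
                "host": host,
                "score": h["score"],
                "stages": sorted(h["stages"]),
                "rules": [hit[2] for hit in h["hits"]],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run stand-alone, the script flags only the domain controller, where a directory dump is followed by archiving and a port proxy; the workstation that merely ran an account-listing command and archived a folder stays below the bar. The point of the staged scoring is to reduce noise from the individual built-in utilities, which are legitimately used by administrators, and instead alert on the combination the article describes.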
Microsoft advises mitigating the risk of compromised valid accounts by enforcing strong multi-factor authentication (MFA) policies using hardware security keys or Microsoft Authenticator, together with passwordless sign-in, password expiration rules and the deactivation of unused accounts.