{"id":92083,"date":"2023-05-25T07:45:00","date_gmt":"2023-05-25T07:45:00","guid":{"rendered":"https:\/\/cloudnewshub.com\/?p=92083"},"modified":"2023-05-25T07:45:00","modified_gmt":"2023-05-25T07:45:00","slug":"alert-over-chinese-cyber-campaign-targeting-critical-networks","status":"publish","type":"post","link":"https:\/\/cloudnewshub.com\/?p=92083","title":{"rendered":"Alert over Chinese cyber campaign targeting critical networks"},"content":{"rendered":"<div><img decoding=\"async\" src=\"http:\/\/cloudnewshub.com\/wp-content\/uploads\/2023\/05\/alert-over-chinese-cyber-campaign-targeting-critical-networks.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<p><a href=\"https:\/\/www.ncsc.gov.uk\/news\/ncsc-joins-partners-to-issue-warning-about-chinese-cyber-activity-targeting-cni\">The UK\u2019s National Cyber Security Centre<\/a> (NCSC), alongside intelligence agencies from the Anglophone Five Eyes alliance, <a href=\"https:\/\/www.nsa.gov\/Press-Room\/Cybersecurity-Advisories-Guidance\/\">has issued guidance<\/a> highlighting a campaign of Chinese state-sponsored activity targeting critical national infrastructure (CNI) networks.<\/p>\n<p>Working alongside Microsoft \u2013 which has attributed the campaign of malicious activity to an advanced persistent threat actor <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/05\/24\/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques\/\">it has dubbed Volt Typhoon<\/a> having <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/04\/18\/microsoft-shifts-to-a-new-threat-actor-naming-taxonomy\/\">recently revised its threat actor naming taxonomy<\/a> \u2013 the intelligence community\u2019s disclosure includes technical indicators of compromise and examples of the tactics, techniques and procedures being used by the group.<\/p>\n<p>\u201cIt is vital that operators of critical national infrastructure take action to prevent attackers hiding on their systems, as 
described in this joint advisory with our international partners,\u201d said NCSC operations director Paul Chichester.<\/p>\n<p>\u201cWe strongly encourage providers of UK essential services to follow our guidance to help detect this malicious activity and prevent persistent compromise.\u201d<\/p>\n<p>According to Microsoft, Volt Typhoon has been active for approximately two years, and has targeted multiple CNI operators in the US Pacific island territory of Guam, as well as in the US itself. Organisations targeted include communications services providers, manufacturers, utilities, transport operators, construction firms, IT companies, educational institutions and government bodies.<\/p>\n<p>According to <em>The New York Times<\/em>, <a href=\"https:\/\/www.nytimes.com\/2023\/05\/24\/us\/politics\/china-guam-malware-cyber-microsoft.html\">the focus on Guam is particularly concerning<\/a> given the territory\u2019s proximity to Taiwan, and its value to the US in mounting a military response in Taiwan\u2019s defence <a href=\"https:\/\/www.reuters.com\/world\/asia-pacific\/taiwan-sees-china-taking-lessons-russias-ukraine-invasion-2023-02-24\/\">should China attack it<\/a>.<\/p>\n<p>Microsoft said that based on the behaviour it has observed, Volt Typhoon \u201cintends to perform espionage and maintain access without being detected for as long as possible\u201d.<\/p>\n<p>It tends to access its victim networks via vulnerable Fortinet FortiGuard devices and subsequently blends into normal network activity by routing its traffic through compromised small and home office network edge devices, including Asus, Cisco, D-Link, Netgear and Zyxel hardware.<\/p>\n<p>Once ensconced in its target network, Volt Typhoon becomes particularly stealthy, using living-off-the-land techniques and binaries (LOLbins) to extract data and credentials. 
This makes detecting its activity a particularly difficult challenge for defenders, as LOLbins are \u201cnaturally occurring\u201d tools and executables in the operating system used for legitimate purposes.<\/p>\n<p>Marc Burnard, Secureworks senior consultant for information security research and thematic lead for China, said the group \u2013 which Secureworks tracks as Bronze Silhouette \u2013 has a \u201cconsistent focus\u201d on operational security \u2013 minimising its footprint, deploying advanced techniques to avoid detection, and using previously compromised infrastructure.<\/p>\n<p>\u201cThink of a spy going undercover, their goal is to blend in and go unnoticed,\u201d he said. \u201cThis is exactly what Bronze Silhouette does by mimicking usual network activity. This suggests a level of operational maturity and adherence to a modus operandi that is engineered to reduce the likelihood of the detection and attribution of the group\u2019s intrusion activity.<\/p>\n<p>\u201cThe incorporation of operational security, particularly when targeting Western organisations, is consistent with the network compromises that CTU researchers have attributed to Chinese threat groups in recent years,\u201d added Burnard.<\/p>\n<p>\u201cThese tradecraft developments have likely been driven by a series of high-profile US Department of Justice indictments of Chinese nationals allegedly involved in cyber espionage activity, public exposures of this type of activity by security vendors, which has likely resulted in increased pressure from leadership within the People\u2019s Republic of China to avoid public scrutiny of its cyber espionage activity.<\/p>\n<p>\u201cChina is known to be highly skilled in cyber espionage and Bronze Silhouette spotlights its relentless focus on adaption to pursue their end goal of acquiring sensitive information,\u201d he said.<\/p>\n<section class=\"section main-article-chapter\" data-menu-title=\"Guidance\">\n<h3 class=\"section-title\"><i 
class=\"icon\" data-icon=\"1\"><\/i>Guidance<\/h3>\n<p>Microsoft said organisations which find themselves affected by Volt Typhoon should immediately close or change credentials on all affected accounts, and examine their activity for any malicious actions or exposed data.<\/p>\n<p>Organisations also have various tools at their disposal to defend against this activity, many of which fall under the category of basic cyber security hygiene. These include:<\/p>\n<ul class=\"default-list\">\n<li>Enforcing appropriate multi-factor authentication and credential management policies;<\/li>\n<li>Reducing the attack surface by enabling rules to block credential stealing, process creations and execution of potentially obfuscated scripts;<\/li>\n<li>Hardening the Local Security Authority Subsystem Service process by enabling Protective Process Light for LSASS on Windows 11 devices, and Windows Defender Credential Guard if not enabled by default;<\/li>\n<li>Enabling cloud-delivered protections available via Microsoft Defender Antivirus;<\/li>\n<li>Running endpoint detection and response in block mode to enable Microsoft Defender for Endpoint to block malicious artefacts even if a non-Microsoft antivirus product has not spotted them.<\/li>\n<\/ul>\n<\/section>\n<section class=\"section main-article-chapter\" data-menu-title=\"China hits back\">\n<h3 class=\"section-title\"><i class=\"icon\" data-icon=\"1\"><\/i>China hits back<\/h3>\n<p>Meanwhile, China\u2019s government has responded angrily to the disclosures, accusing the Five Eyes alliance of waging a campaign of disinformation.<\/p>\n<p>A spokesperson for China\u2019s foreign ministry said the report was \u201cextremely unprofessional\u201d and not backed by sufficient evidence.<\/p>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>The UK\u2019s National Cyber Security Centre (NCSC), alongside intelligence agencies from the Anglophone Five Eyes alliance, has issued guidance highlighting a campaign of Chinese 
state-sponsored activity targeting critical national infrastructure (CNI) networks. Working alongside Microsoft \u2013 which has attributed the campaign of malicious activity to an advanced persistent threat actor it has dubbed Volt Typhoon [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":92084,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[533],"tags":[],"class_list":["post-92083","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-it"],"_links":{"self":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/92083","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=92083"}],"version-history":[{"count":0,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/92083\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/media\/92084"}],"wp:attachment":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=92083"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=92083"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=92083"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}