China hacking group Volt Typhoon

CISA | PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure

CISA issued an advisory on February 7, 2024 about a PRC state-sponsored cyber group known as Volt Typhoon. This threat group has compromised the IT environments of multiple critical infrastructure organizations, including transportation, energy production and transmission, water and wastewater, and communications sectors. The advisory states that the Volt Typhoon actors are gaining and maintaining long-term access to these environments in order to allow for disruption of their functionality in the future.

How were these attackers able to achieve their objectives while remaining undetected? The shortest answer is that, given enough time, a hacker will know your networks better than you.

According to the advisory:

"Volt Typhoon actors conduct extensive pre-exploitation reconnaissance to learn about the target organization and its environment; tailor their tactics, techniques, and procedures (TTPs) to the victim’s environment; and dedicate ongoing resources to maintaining persistence and understanding the target environment over time, even after initial compromise."

The initial access was obtained via 0-day in internet-exposed appliances. After gaining VPN access the attackers placed a high value on stealth, but were able to perform extensive reconnaissance to map network topologies, find data repositories, and identify key IT and OT administrator identities. This information was then used to obtain user credentials, move laterally, escalate privileges and compromise Windows Active Directory Domain Controllers.

Advanced, or Just Persistent?

VT used the tools and information available to them to fully understand the IT environment and chart a path to reach their objectives that was unlikely to be detected. None of the techniques used by the attacker (other than the initial 0-day) were particularly special or advanced. Still, they were good enough to allow them to escalate their privileges to the highest levels and remain undetected for years.

Administrators don't have to perform stealthy recon of their own networks to discover and mitigate these same attack paths. Data extracted from IT management tools and event logs can be aggregated and analyzed to model the state of an IT environment. This model can then be used to find the most common mistakes that "sophisticated" attackers and ransomware operators use to rapidly and quietly compromise networks.

Focus on Patching Well-Known Vulnerabilities

Administrators don't have to patch or eliminate every possible flaw in their environments to guard against these risks. Instead of trying and failing to patch everything, focus on eliminating the vulnerabilities that matter. There are now multiple sources for "vulnerability intelligence" that clearly identify which known vulnerabilities have been and are currently being used by attackers. The CISA Known Exploited Vulnerabilities Catalog is an excellent resource for this purpose. You can worry about 0-days when you have patched the vulnerabilities you know about.

Focusing on the most commonly and actively exploited vulnerabilities reduces the number of easy opportunities available to attackers, forcing them to use more advanced or louder techniques to reach their objectives.

Fix Common Misconfigurations

Internal systems and services are often left in a vulnerable state due to the mistaken assumption that they are protected by firewalls. Attackers hunt for these misconfigurations after gaining footholds on these networks, then use them to their advantage. For example, Active Directory Certificate Service templates are frequently misconfigured and can present attackers with an opportunity to escalate from zero to complete compromise of an AD environment with a trivial level of effort. The same applies to cloud environments, when back-end services are left in a default or unsecured state.

Your security plan should be strong enough to survive one 0-day.

Unsafe Operational Practices

Attackers have become adept at identifying and exploiting targets of opportunity created by unsafe operational practices. These practices most commonly create paths for privilege escalation by exposing high-value identities to attackers. The compromise and use of these identities allows attackers to reach their objectives while blending in with the background noise, making detection difficult.

The careless use of high-privilege admin and service accounts in Active Directory environments is still featured prominently in IR reports. Admin credentials are also commonly exposed in logon scripts and in code repositories. Finding and eliminating these practices forces attackers to work harder and be louder, increasing the odds of detection.

CONCLUSION

When the easy attack paths aren’t available, the costs of a successful attack increase along with the likelihood of detection. Administrators can’t patch or mitigate every risk in modern IT environments, but they can increase the difficulty for attackers to the point where they give up, get caught or are forced to invest resources to develop new tools and techniques.

Editor's note - you can track the Volt Typhoon criminal group via our Threat Actor feed at Volt Typhoon