Everyone is writing about an interagency and international report on Chinese hacking of US critical infrastructure.
Lots of interesting details about how the group, called Volt Typhoon, accesses target networks and evades detection.
Ted • May 31, 2023 3:26 PM
“As with any observed nation-state actor activity, Microsoft has directly notified targeted or compromised customers, providing them with important information needed to secure their environments.”
To what extent does Microsoft have visibility into different aspects of this group’s activity, considering also that the initial access is reportedly made thru internet-facing Fortinet FortiGuard devices?
lurker • May 31, 2023 4:58 PM
@Ted, all
The MSM stories @Bruce links above all focus on Guam, with passing reference to “other US” sites. So I have to assume that this is a narrow attack against specific targets who a) use Fortinet devices, and b) have (many?) users who need and use the command line tools exploited. Why this particular group of targets is using MSWindows is an interesting question.
“Living off the Land” is easy in a rich environment. 20 plus years ago when MacOS-X brought *nix tools to the desktop, we had to prepare a stripped down and hardened desktop for distribution to “professional” users to protect them from their own ignorance. Such measures would also make these TV intruders’ job harder.
Why is it now called ‘Living off the Land’?
It used to be called
‘Executing system utilities at the command line interface.’
Something that goes back into the 1970’s or 1960’s with serial line access and 300baud modem access.
So it appears to just be ‘blending in’ old school style by not leaving traces on magnetic media… Activities that used to be called ‘hiding down in the grass’ going back to the early days of radar befor PPI.
It might be me, but are those doing certain types of computer security getting so obsessed with new names for old or common things that it’s now more important to come up with a new catchy name which you can then set up a web site about than getting on with the job?
Ted • June 1, 2023 12:35 AM
@lurker, all
Yes, great observations. The focus on Guam is pointed, though the mention of critical infrastructure more broadly does make me curious about the scope of the activity.
For working so intentionally to avoid detection and attribution, I wonder if these public alerts will register as a small setback for Volt Typhoon.
Ismar • June 1, 2023 6:31 AM
From Wired article:” The group, for instance, uses hacked routers, firewalls, and other network “edge” devices as proxies to launch its hacking”.
Wandering if there is a silver lining here where governments/ agencies will push for stronger security mechanisms on SOHO routers sold in Five Eyes countries?
Clive Robinson • June 1, 2023 8:46 AM
@ Ismar, ALL,
Re : Network edge devices as proxies.
“Wandering if there is a silver lining here where governments/ agencies will push for stronger security mechanisms on SOHO routers sold in Five Eyes countries?”
As the NSA and GCHQ are known to avoid going into any targets leaf networks where ever they can, I assume the same for the other “extended Five-Eyes” SigInt club members (other IC entities who knows). That is the SigInts will continue to infest the Internet / Cloud from behind the “first node upstream” of a target so the target nor most others can see them snooping (or Spooking depending on your prefrence)…
So I’m not holding my breath on what you hope for happening in reality, irrespective of what legislators might appear to pass…
For years now I’ve assumed that I might be a target, as both I and friends got targeted in the 1980’s and as the old joke has it “there are some clubs that will always have you as a member”… So I started taking precautions oh into four decades ago now.
Back then all but a few people thought I was paranoid, but these days some consider me not paranoid enough… Which just goes to show you can never win 😉
Andy • June 1, 2023 9:35 AM
All I can say is: “People living in a glass house shouldn’t throw stones.” NSA’s efforts keep going in the offensive… I don’t see what benefit we’ve gotten out of that, other than keeping people busy and money flowing
lurker • June 1, 2023 2:43 PM
@Ismar
What, the gummint interfere in commerce? willing seller, willing buyer …
And as others have said, our own spooks need to get into our gear.
Subscribe to comments on this entry
Sidebar photo of Bruce Schneier by Joe MacInnis.
TimH • May 31, 2023 12:06 PM
It’s open season since US and Israel attacked those Iranian centrifuge process controllers…