Over the last week, you may have heard of a big, new exploit in the Windows ecosystem that is being attributed to “Volt Typhoon.” It’s notable for how hard it is to detect and stop, but also because of its geopolitical dimensions. In today’s blog post, we’ll take a look at the threat, focus on some of the important features, and then remind you of some steps you can take to mitigate the risk of becoming a victim of this hack.

Hiding in Plain Sight

Volt Typhoon is the name of a threat actor that Microsoft has identified in China. Microsoft Security recently began naming threat actors according to a system that identifies where and what the threat is. Microsoft thinks that flattening all Chinese threat actors (as well as Russian, North Korean, and Iranian actors) into one label is helpful in aiding security professionals understand threats, and “Typhoon” is the name that Microsoft has given to threats it associates with China. In other words, we’ll hear about more groups from China that are called “____ Typhoon.”

Not much is known about the conditions in which Microsoft identified this threat actor, because the group seems to be interested in espionage, primarily on military and infrastructure systems. While these types of targets are typically governmental and strategic, the mechanisms that they use to evade detection could be shared with or used by other groups.

The main technique that has been associated with Volt Typhoon is “living-off-the-land” techniques. These kinds of intrusions are designed to be difficult to detect, because the attacker uses parts of Windows itself to execute the attack. By doing this, the attacker doesn’t need to get a file onto your hard drive or be given permissions to run their own software on your machines. Instead, endpoint detection just sees Windows doing its usual background processes.

One would hope that network monitoring would stop data exfiltration or abnormal behavior on your network when an endpoint is behaving strangely. It appears that Volt Typhoon uses custom software to compromise network infrastructure, such as firewalls and gateways, making it more difficult to monitor the network for traffic when they steal data.

Social Engineering and Phishing Attacks

This threat is pretty serious, but it isn’t exactly one exploit or attack. Instead, Microsoft and CISA are simply putting it out there as a serious risk for important systems and sharing information publicly with security professionals to minimize its impact. The point of failure seems to be leaked user credentials (similar to the Outlook vulnerability we discussed a few months ago), which would most easily be stolen through social engineering and phishing attacks.

The main ways to stay safe from these types of threats is to continue to be vigilant in detecting bad emails, to patch firmware and software when updates are available, and to use multi-factor authentication wherever possible. While your data may not quite be as valuable as state secrets are, it’s still crucially valuable to you and your organization; by staying up-to-date and on point with your security, you give yourself the best chance at not being targeted by simila

-Written by Derek Jeppsen on Behalf of Sean Goss and Crown Computers Team