Hackers are lying low in networks to wage critical infrastructure attacks - here’s how they do it
Hackers are researching key IT workers in their bid to gain access to vital systems


Hackers backed by China are breaking into the networks of US companies so they are able to launch destructive cyber attacks against critical infrastructure in the event of a major crisis or conflict.
In their attempts to gain access to systems the attackers are paying particular attention to network and IT staff who often hold the keys to the system.
The warning from the National Security Agency (NSA), FBI and the US Cybersecurity and Infrastructure Agency (CISA) is a remarkably detailed breakdown of how a Chinese state-backed group, known as Volt Typhoon, has compromised the networks of multiple critical infrastructure organizations across communications, energy, transportation systems, and water sectors.
The agencies said the hackers had maintained their access and footholds within some networks for “at least” five years. Some victim companies are smaller organizations with few security skills, which provide critical services to larger organizations.
The hackers’ targets and behavior aren’t typical of cyber espionage or intelligence gathering operations, the agencies said – leading them to believe that the hackers are instead positioning themselves so they can disrupt operations across critical infrastructure in the event of potential geopolitical tensions or military conflicts with China.
What is striking about this is how careful they are and how much research they do.
According to the advisory, the Volt Typhoon group conducts extensive pre-compromise reconnaissance to learn about the target organization, its network, and its staff.
That includes searches for network information and “especially for information on key network and IT administrators”. In some instances, the agencies said they had observed Volt Typhoon actors targeting the personal emails of key network and IT staff.
They said the hackers have been observed strategically targeting the web browsing data of network administrators, “focusing on both browsing history and stored credentials”, to help them target personal email addresses for further information – for example, to discover any planned network modifications that may affect the threat actor’s persistence within victim networks.
The reconnaissance the attackers conduct helps them to gain access and also helps them avoid scrutiny.
“The intelligence gathered by Volt Typhoon actors is likely leveraged to enhance their operational security. For example, in some instances, Volt Typhoon actors may have abstained from using compromised credentials outside of normal working hours to avoid triggering security alerts on abnormal account activities,” the agencies said.
Targeting the accounts of IT staff is a common tactic for hackers because these accounts usually have much wider access than standard user accounts; this is why administrator accounts are usually more carefully protected by techniques such as multifactor authentication.
However, the level of research being done in these attacks reflects how this group is working to a different agenda from many others - and is a reminder to all organizations to make sure they have protection in place across these accounts.
The advisory said organizations should deliver security training tailored to network IT personnel/administrators and other key staff.
“For example, communicate that Volt Typhoon actors are known to target personal email accounts of IT staff, and encourage staff to protect their personal email accounts by using strong passwords and implementing MFA,” it said.
The advisory also gives more detail on how the hackers achieve their access to the networks and manage to stay hidden so long.
They gain initial access to the network by exploiting known or zero-day vulnerabilities in public-facing network appliances. These flaws might be in routers, VPN appliances and firewalls. After this they connect to the victim’s network via VPN for follow-on activities.
In particular, the hackers want to gain administrator credentials within the network. They often do this by exploiting privilege escalation vulnerabilities in the operating system or network services, or by stealing credentials unwisely stored on a public-facing network appliance.
The attackers try to find out more about the network including the “discreet extraction” of security event logs and the Active Directory database which contains data on user accounts, passwords in hashed form, and other sensitive data. They probably then use offline password cracking techniques to decipher these hashes, in order to gain further network access.
The agencies said the hackers are focused on gaining access to operational technology assets.
“This access enables potential disruptions, such as manipulating heating, ventilation, and air conditioning (HVAC) systems in server rooms or disrupting critical energy and water controls, leading to significant infrastructure failures (in some cases, Volt Typhoon actors had the capability to access camera surveillance systems at critical infrastructure facilities).”
The group is careful to stay hidden, limiting their activity after breaking in, “suggesting their objective is to maintain persistence rather than immediate exploitation,” the advisory said, with the hackers revisiting targets over a number of years to confirm their access.
In one incident at an organization in the water industry, the attackers connected to the network via a VPN with administrator credentials they obtained and opened an RDP session with the same credentials to move laterally.
Over a nine-month period, they moved to a file server, a domain controller, an Oracle Management Server, and a VMware vCenter server. The aim was, most likely, to gain access to the nearby operational technology assets involved with water treatment.
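The water-sector incident above (VPN logon with administrator credentials, then RDP with the same credentials to a file server, domain controller, Oracle Management Server and vCenter) is a chain a defender can correlate across logs, and the earlier point about actors keeping to normal working hours explains why a time-of-day rule alone misses it. The following detector is an added example written for this article, not code from the advisory or the agencies. It assumes a constructed, simplified log format (one line per event: timestamp, log source, event kind, user, source IP, target host, optional key=value fields), a site-specific list of sensitive hosts and administrator accounts, and that the VPN gateway records the internal address it assigns to each session. The Windows event ID 4624 with logon type 10 (RemoteInteractive) is the real RDP logon event; everything else, including the host and account names, is constructed sample data.

```python
"""Correlate an admin VPN logon with follow-on RDP logons to sensitive hosts.

Added example for the Volt Typhoon article; log format, host inventory and
account names are constructed assumptions, not data from the advisory.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed site inventory of high-value (tier-0 style) hosts.
SENSITIVE_HOSTS = {
    "fs01": "file server",
    "dc01": "domain controller",
    "oms01": "Oracle Management Server",
    "vcenter01": "VMware vCenter",
}
# Assumed set of accounts with administrator rights.
ADMIN_ACCOUNTS = {"itadmin", "svc_netadmin"}
# How long after a VPN logon we still attribute RDP activity to that session.
WINDOW = timedelta(hours=12)

# Constructed sample log: ts source kind user src_ip target [key=value ...]
SAMPLE_LOG = """\
2024-01-10T09:02:11 vpn LOGIN itadmin 203.0.113.7 vpngw assigned=10.20.0.55
2024-01-10T09:05:40 win 4624 itadmin 10.20.0.55 fs01 type=10
2024-01-10T09:31:02 win 4624 itadmin 10.20.0.55 dc01 type=10
2024-01-10T10:12:19 win 4624 jsmith 10.20.0.88 fs01 type=10
2024-01-10T13:45:00 win 4624 itadmin 10.20.0.55 vcenter01 type=10
2024-01-10T14:01:10 win 4624 itadmin 10.20.0.55 dc01 type=3
2024-01-10T16:20:05 vpn LOGIN svc_netadmin 198.51.100.9 vpngw assigned=10.20.0.61
"""


@dataclass
class Event:
    ts: datetime
    source: str   # "vpn" or "win"
    kind: str     # "LOGIN" for the VPN gateway, Windows event ID for hosts
    user: str
    src_ip: str
    target: str
    extra: dict = field(default_factory=dict)


def parse(text):
    """Parse the constructed log format into Event objects sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, kind, user, src_ip, target, *rest = line.split()
        extra = dict(kv.split("=", 1) for kv in rest)
        events.append(Event(datetime.fromisoformat(ts), source, kind,
                            user, src_ip, target, extra))
    return sorted(events, key=lambda e: e.ts)


def off_hours_logons(events, start_hour=8, end_hour=18):
    """Naive time-of-day rule: Windows logons outside working hours.

    Shown for contrast: an actor who deliberately keeps to working hours,
    as the advisory describes, never trips this rule.
    """
    return [e for e in events
            if e.source == "win" and not (start_hour <= e.ts.hour < end_hour)]


def vpn_to_rdp_chains(events):
    """Flag admin VPN sessions followed, within WINDOW, by RDP logons
    (event 4624, logon type 10) from the VPN-assigned address to sensitive
    hosts. Each alert lists the hops in order so the lateral path is visible."""
    alerts = []
    for i, vpn in enumerate(events):
        if not (vpn.source == "vpn" and vpn.kind == "LOGIN"
                and vpn.user in ADMIN_ACCOUNTS):
            continue
        assigned = vpn.extra.get("assigned")
        hops = []
        for e in events[i + 1:]:
            if e.ts - vpn.ts > WINDOW:
                break
            if (e.source == "win" and e.kind == "4624"
                    and e.extra.get("type") == "10"      # RemoteInteractive (RDP)
                    and e.user == vpn.user
                    and e.src_ip == assigned
                    and e.target in SENSITIVE_HOSTS):
                hops.append((e.ts.isoformat(), e.target, SENSITIVE_HOSTS[e.target]))
        if hops:
            alerts.append({"user": vpn.user, "vpn_src": vpn.src_ip,
                           "vpn_ts": vpn.ts.isoformat(), "hops": hops})
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("off-hours hits:", off_hours_logons(evs))   # [] for this sample
    for alert in vpn_to_rdp_chains(evs):
        print(f"{alert['user']} via VPN from {alert['vpn_src']} at {alert['vpn_ts']}:")
        for ts, host, role in alert["hops"]:
            print(f"  {ts}  RDP -> {host} ({role})")
```

On the sample data the off-hours rule returns nothing, while the chain rule produces one alert for `itadmin` with hops to the file server, domain controller and vCenter in that order; the network logon (type 3) to the domain controller and the non-admin user's RDP session are ignored, and the second admin VPN session with no follow-on activity raises nothing. In practice the same correlation would be expressed in a SIEM query, but the structure is the one that matters: anchor on the admin VPN session, attribute follow-on host logons by the assigned address, and alert on the path rather than on the clock.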
Steve Ranger is an award-winning reporter and editor who writes about technology and business. Previously he was the editorial director at ZDNET and the editor of silicon.com.