China state-sponsored cyber actor Volt Typhoon is targeting critical infrastructure organizations in the U.S., according to Microsoft.
Microsoft said in a Wednesday post that the company has "uncovered stealthy and targeted malicious activity focused on post-compromise credential access and network system discovery aimed at critical infrastructure organizations in the United States."
"The attack is carried out by Volt Typhoon," Microsoft said. Volt Typhoon is a Chinese state-sponsored actor that focuses on "espionage and information gathering."
"Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises," the statement reads.
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) and international cybersecurity authorities issued a joint Cybersecurity Advisory (CSA) warning the agencies believe Volt Typhoon, which they noted is associated with the People's Republic of China, "could apply the same techniques" against infrastructure networks across the U.S. and "other sectors worldwide."
The CSA explained Volt Typhoon's primary tactics, techniques and procedures (TTPs) is "living off the land," which allows it to avoid detection by using built-in network administration tools to blend in with normal Windows systems and fly under the radar of third-party endpoint detection and response products.
The agencies recommend organizations take steps to tighten up their cybersecurity in light of the threat, such as hardening domain controllers, monitoring event logs, limiting port proxy usage, investigating any unusual IP addresses and reviewing firewall configurations.