Under Microsoft’s new threat actor naming convention, the group is being tracked as ‘Volt Typhoon’.
They targeted a wide range of sectors and Microsoft assessed that the campaign is
"pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises."
Initial access involves exploiting internet-facing Fortinet FortiGuard devices using an unknown zero-day exploit. Volt Typhoon has also been observed abusing vulnerabilities in Zoho ManageEngine servers. The access is then abused to steal credentials and pivot through the network.
Volt Typhoon are limiting the use of malware throughout their post-compromise activity. Instead, they are putting in significant amounts of work to remain undetected by using LOLbins (living-off-the-land binaries)—tools built into operating systems by default—which means these attacks can be difficult to detect.
The threat actor used custom versions of open-source tools to establish command-and-control channels to hide the source of the attacks.
This reporting comes at a time when there are increased tensions between China and the West over Taiwan.