Pages

Sunday, May 28, 2023

Chinese pounce on homes in post-COVID Thailand & Australia

Chinese pounce on homes in post-COVID Thailand & Australia


STORY: "Hello, Bangkok!” shouts Danial Bian, flown in from Shanghai, and touring a luxury apartment in the capital of Thailand.

It's a moment of freedom to relish after three years of living under some of the world's toughest COVID-19 rules.

Since Beijing opened its borders this year many mainland Chinese, like Bian, have been flocking to Thailand to snap up investment properties.

Keen for a safety net in case of a similar disease outbreak, and for a hedge against economic risks at home.

Bian says he's also attracted to the lifestyle that Thailand offers.

“Everyone (in China) is thinking about the ways and opportunities through which they can make their money grow. The property market in Thailand is definitely something we discuss as a possibility. And if we have in-depth discussions about whether we really want to buy one (property in Thailand), We definitely feel like there are plus factors, like we will be able to holiday, there’s more freedom and convenience (in Thailand). The freedom to enter or leave the country, to travel back and forth. As well as the freedom of society, and life. Freedom is very important"

Thailand expects at least five million Chinese visitors this year, with some set on snapping up property.

The country's good international schools and quality medical facilities make it an attractive place for a second home.

The share of Chinese students at Singapore International School Bangkok rose to about 12% this year, up from 6% before the pandemic.

Thai rules do, however, limit foreign ownership to just under half of the units in any apartment block development.

But that hasn't put off prospective buyers from pouring in.

Real estate agent, Owen Zhu, escorted Bian and his 70-year-old mother around three different apartments in the city.

He says most of his clients are looking for properties typically costing more than 2 million yuan, or about $300,000.

Zhu says that would only get you a simple home in a first-tier Chinese city like Beijing.

“Before the pandemic, most Chinese buyers bought middle or lower-level homes for investment, because they can earn more by getting a cheaper property. But it has changed a lot after the pandemic, most of the Chinese choose to buy luxury apartments to live in.”

It's not just Bangkok that's luring in buyers.

Chiang Mai in the mountainous north is popular, as well as the region of Isan in the east, and the beach resort area of Pattaya.

Saturday, May 27, 2023

Leaked documents reveal China's plans to launch a supersonic spy drone that could fly 3 times the speed of sound, WaPo reports

Leaked documents reveal China's plans to launch a supersonic spy drone that could fly 3 times the speed of sound, WaPo reports

A military vehicle carrying a WZ-8 supersonic reconnaissance drone takes part a military parade at Tiananmen Square in Beijing on October 1, 2019, to mark the 70th anniversary of the founding of the Peoples Republic of China.
  • A 21-year-old airman at a National Guard unit in Massachusetts leaked military intelligence online.

  • Some of the documents showed China's plans for a supersonic drone, The Washington Post reported.

  • China's WZ-8 rocket-propelled reconnaissance drones can travel three times the speed of sound.

One of the documents included in a trove of leaked military intelligence posted online by a 21-year-old airman at a National Guard unit in Massachusetts included apparent plans from China's Ministry of National Defense to advance its surveillance capabilities with supersonic reconnaissance drones.

The leaked documents, reportedly from the United States National Geospatial-Intelligence Agency, come as military tensions between mainland China and neighboring Taiwan have been escalating: Just last week, the Chinese military released a video showing what an attack on the island nation would look like, Insider previously reported.

The Washington Post first reported on the secret document, which indicates the Chinese military is making technological advances with its surveillance programs that could help the country "target American warships around Taiwan and military bases in the region."

Satellite imagery included in the documents, dated August 9, 2022, show two WZ-8 rocket-propelled reconnaissance drones at an air base approximately 350 miles from Shanghai, the outlet reported. The cutting-edge drones, which are launched from bomber planes, are capable of traveling three times the speed of sound, according to the documents — slightly slower than the US's mysterious Lockheed Martin SR-72 Blackbird, which Lockheed claims reaches speeds of Mach 6.

The drones could assist China in real-time mapping that would inform strategy or enable high-speed missile strikes in a future conflict, The Washington Post reported.

Taiwan's air force has a slew of gaping vulnerabilities against a potential Chinese invasion. It's highly likely Beijing would achieve air superiority quickly if it goes to war across the straitInsider previously reported.

The WZ-8 drones were introduced in 2019 during the 70th anniversary of the founding of the People's Republic of China, but few military analysts believed they were fully functional at the time, The Washington Post reported. The documents reported on by the outlet included flight paths for the drone, as well as the bomber plane used to launch the device.

Representatives for the Department of Defense and China's Ministry of National Defense did not immediately respond to Insider's requests for comment.


Owner of Michigan horse farm who refused to sell property to Chinese firm placed UNDER INVESTIGATION by government

Owner of Michigan horse farm who refused to sell property to Chinese firm placed UNDER INVESTIGATION by government

Image: Owner of Michigan horse farm who refused to sell property to Chinese firm placed UNDER INVESTIGATION by government


The owner of a horse farm in Michigan is being investigated by the office of the state’s Attorney General (AG) Dana Nessel after she refused to sell her farm to a Chinese company.

Lori Brock, the proprietress of Majestic Friesians Horse Farm in Big Rapids, has been targeted by Nessel after she refused to sell her property to the Chinese firm Gotion. It has expressed plans to build its electric vehicle (EV) battery plant near her 15o-acre farm. The company, a subsidiary of Guoxuan High Tech Co. based in China’s eastern Anhui province, has ties to the Chinese Communist Party.


Michigan Gov. Gretchen Whitmer touted Gotion’s proposed $951 million EV battery plant in Big Rapids, adding that at least $750 million in tax dollars will subsidize it. The Democratic governor’s allies in the Michigan Senate’s Appropriations Committee approved Gotion’s plan to build its facility on April 20.

Whitmer lauded Gotion’s plant as “the biggest-ever economic development project in Northern Michigan” in October 2022. However, the governor ignored the potential environmental impact that the project could bring. Gotion’s battery plant will reportedly consume 715,000 gallons of groundwater per day, more than twice the 360,000 gallons per day used by Nestle in its water bottling plant there.

Brock also expressed concern over the plant’s impact on the environment. But what incensed the farm owner was the fact that Gotion lied about its ties to China, community support of the project and hourly wages.

Ultimately, she refused to sell her land to the Chinese company and even held an anti-Gotion rally at her farm. She allowed her horses to roam around, with some of them wearing horse coverings that stated: “I say ‘neigh’ to Gotion.”

Corrupt Nessel weaponizes state government against Brock

Just days after Brock’s rally against Gotion, the state government moved in to harass her. The Michigan Department of Agriculture and Rural Development (MDARD) received a Right to Farm complaint regarding Majestic Friesians Horse Farm. The complaint alleged that there was manure run-off coming from the farm into the tributaries of the Muskegon River.

According to the farm owner, she anticipates representatives of the MDARD – which is under Nessel’s control – to serve her a copy of the complaint. She believes that the complaint is merely “harassment” on the part of the AG and the governor for her refusal to yield.

Moreover, the harassment leveled against Brock seems to be an expression of frustration on the part of Whitmer’s government. The Democratic chief executive of the Great Lakes State botched a deal with the Ford Motor Company, which decided to build EV facilities in Tennessee and Kentucky – both red states – instead of Michigan. It was later revealed that she had no idea of Ford’s $11.4 billion facilities, amounting to a huge loss for the state. (Related: Ford’s deal with Chinese EV battery maker sparks security concerns.)

Despite the harassment from the state government, Brock has no plans of selling her farm to Gotion. She accused the company of “absolutely cannibalizing all the land near us and scaring people into selling their property.”

“My farm is pristine, and I’m not worried one bit because we’re not doing anything to endanger anything. For 20 horses on 150 acres, there’s no way I’m in violation of anything,” she told the Midwesterner. “I don’t believe in bullies and I will never, ever sell to them. They’d be the last person in this world that I’d ever sell my property to.”

Head over to NationalSecurity.news for more stories like this.

Watch this clip from “Maria Bartiromo’s Wall Street” about the Chinese food company Fufeng Group buying land near an Air Force base in North Dakota.

This video is from the Chinese taking down EVIL CCP channel on Brighteon.com.

More related stories:

China continues to snatch up U.S. farmland, American companies at alarming rates.

GOP senator warns Biden admin to take Chinese purchases of U.S. farmland seriously.

National security threat: Grand Forks City Council blocks Chinese-owned corn mill near air base.

Republican congressman Chip Roy submits bill to ban CCP members from buying land in the USA.

Communist China seizing control of American food supply with massive corn processing plant in North Dakota.

Former Conservative leader informed he is being targeted by Chinese government

Former Conservative leader informed he is being targeted by Chinese government

May 26 2023

Canada’s spy agency CSIS, has informed former Conservative leader
Erin O’Toole that he was targeted by Beijing during his time as party chief and remains a target because of his criticism of the Chinese Communist Party.


A source close to Mr. O’Toole said the Conservative MP was briefed Friday by the Canadian Security Intelligence Service and he is still considering how best to reveal details to the public in a manner that balances Canadians’ right to know with national-security concerns about classified information.

Erin O’Toole learned this in a briefing with the Canadian Security Intelligence Service Friday


Johnston to decide whether to call public inquiry into Chinese foreign interference

Johnston to decide whether to call public inquiry into Chinese foreign interference

Open this photo in gallery:

Police and security staff stand on a street next to the embassy of Canada where a Ukrainian flag with messages of support for Ukraine is seen on a wall, in Beijing on May 17. The government will 'comply with' the recommendations set out by David Johnston in his report on Chinese foreign interference, Trudeau says.Former governor-general David Johnston needs to recommend a public inquiry into China’s foreign-interference operations because of mounting evidence of the Liberal government’s unwillingness to take seriously Beijing’s threat to Canadian democracy, opposition MPs say.

The government announced Friday that Mr. Johnston, its special rapporteur, will table his report into Chinese foreign interference on Tuesday. Prime Minister Justin Trudeau has said the report will include Mr. Johnston’s decision as to whether a public inquiry is necessary.

In March, Mr. Trudeau appointed Mr. Johnston, a family friend, to investigate Chinese interference into the last two elections after The Globe and Mail reported Feb. 17, based on Canadian Security Intelligence Service documents, that Beijing employed a sophisticated strategy to disrupt Canada’s democracy in the 2021 election campaign.

Highly classified CSIS documents, seen by The Globe, also outlined how China targeted at least 11 candidates in the 2019 election. The documents said the 11, along with 13 members of their staffs, had direct connections to a “known or suspected malign actor.” CSIS did not name the actor.

The Prime Minister’s Office has said the government “will comply with, and implement [Johnston’s] recommendations, which could include a formal inquiry, a judicial review, or another independent review process.”

Since Mr. Johnston’s appointment, The Globe revealed Chinese diplomat Zhao Wei was behind efforts to intimidate Conservative foreign affairs critic Michael Chong and family members in Hong Kong in 2021 to retaliate for the MP sponsoring a parliamentary motion critical of Beijing human rights abuses against its Uyghur minority.

The government has since expelled Mr. Zhang over the incident and China responded by sending home a Canadian diplomat based in Shanghai.

Ibbitson: It’s time for David Johnston to provide answers on interference in Canada’s elections

The Globe reported Friday, citing a national-security source, that in the run-up to the 2021 election, then-public safety minister Bill Blair delayed approval of an electronic and entry warrant to monitor Ontario Liberal power-broker Michael Chan.

“There is overwhelming evidence of Beijing’s interference in our democracy and overwhelming evidence that the Prime Minister turned a blind eye to it,” said Conservative MP Michael Cooper. “Canadians deserve answers and the only way to get those answers is through an independent public inquiry.”

The Prime Minister’s Office said Friday neither Mr. Trudeau nor anyone working for him had knowledge of the warrant application against Mr. Chan, a former Ontario cabinet minister, Liberal Party organizer and fundraiser who is now deputy mayor of the city of Markham.

“This process does not involve the Prime Minister nor his office, and neither the Prime Minister nor his office are informed when a warrant is with the Minister for approval,” PMO spokesperson Alison Murphy said.

NDP House Leader Peter Julian said MPs shouldn’t be finding out this information from reading The Globe and Mail. “The allegations brought forward by The Globe reinforce what New Democrats have been saying about the need for a public inquiry into foreign interference,” he said.

“We believe Mr. Johnston needs to heed the clear will of Parliament where all parties and independent MPs – except the Liberals – voted yes on the NDP motion to call a public inquiry into foreign interference.”

Mr. Chan has for years been a national-security target of the spy service because of alleged ties to China’s Toronto consulate and proxies of Beijing. He has been observed by CSIS meeting with the expelled Chinese diplomat, Mr. Zhao, according to a national-security source and CSIS documents.

The national-security source told The Globe that Mr. Blair, now Minister of Emergency Preparedness, took about four months to sign off on the warrant before it was sent to a federal judge in June, 2021, for final approval. The Globe is not naming the source because they risk prosecution under the Security of Information Act.

On Friday, Mr. Blair denied that it took four months to sign the warrant. “No warrant application ever took as long as four months for approval,” he said. “They were signed expeditiously.”

National-security experts, including former CSIS director Richard Fadden, say ministers usually sign off on warrants after 48 hours to a week.

Mr. Chan told The Globe he was not aware that a warrant had been authorized to monitor him clandestinely and said he is a victim of “shadowy allegations and absurd conspiracy theories,” simply because he has had contact with Chinese diplomats as part of his work duties.

He said in a statement: “CSIS has never discussed their concerns with me but continues to unjustifiably harass, intimidate, threaten and frighten my friends and acquaintances.”

Stephanie Carvin, a former national-security analyst and associate professor of international relations at Carleton University’s Norman Paterson School of International Affairs, said the government should do a better job of explaining why it took so long to approve the warrant.

“The government is being told that transparency is fundamental for countering foreign interference, but is struggling to explain its own actions,” she said. “The warrant was clearly a complicated case and needed special consideration. Explaining the processes around such consideration should not be a state secret.”

But human rights lawyer Paul Champ said the leaks of this sensitive information are a threat to Canadian democracy.

“Blair has a duty under the CSIS Act to approve warrants. He should not be a rubber stamp,” he said in a Tweet. “This constant partisan leaking is itself dangerous.”

Mr. Trudeau has asked CSIS to find the whistleblowers and the RCMP says an investigation is now under way into the leaks. The RCMP is not investigating China’s interference operations, which include allegations of illegal violations of Canada’s election laws, citing a lack of evidence to stand up in court.

Other CSIS reports viewed by The Globe warn that Beijing is the “foremost perpetrator” of foreign interference in Canada. Its agents are unconcerned about repercussions, one report says, because of the lack of obstacles such as a foreign-influence registry of the kind established in the United States and Australia.

The government has been eyeing a package of measures that could be instrumental in safeguarding Canadian democracy from foreign interference instigated by hostile states such as China, but so far has only moved ahead on one item.

Ottawa has held public consultations to set up a foreign-agent registry that would require people advocating for a foreign state to register their activities. Legislation is expected later this year.

But the government has yet to move on three other significant measures that were presented to cabinet last summer, according to four government officials.

The sources say these include changing the Criminal Code to make foreign interference an offence; modernizing the Canadian Security Intelligence Service Act, created in 1984, to allow the spy agency to share more information on foreign-interference activities; and revising the Security of Information Act.

The Globe is not identifying the officials because they were not authorized to speak publicly on the matter.

Friday, May 26, 2023

Chinese hacking group spying on US critical infrastructure, Western intelligence agencies say

Chinese hacking group spying on US critical infrastructure, Western intelligence agencies say


Volt Typhoon, a Chinese state-sponsored actor, uses living-off-the-land (LotL) and hands-on-keyboard TTPs to evade detection and persist in an espionage campaign targeting critical infrastructure organizations in Guam and the rest of the United States.


May 25 2023

  • A state-sponsored Chinese hacking group has been spying on a wide range of US critical infrastructure organisations, from telecommunications to transport hubs, Western intelligence agencies and Microsoft said on Wednesday.

    The espionage has also targeted the US island territory of Guam, home to strategically important American military bases, Microsoft said in a report, adding “mitigating this attack could be challenging”.

    It was not immediately clear how many organisations were affected, but the US National Security Agency (NSA) said it was working with partners including Canada, New Zealand, Australia, and the UK, as well as the US Federal Bureau of Investigation to identify breaches.

    While Chinese hackers are known to spy on Western countries, this is one of the largest known cyber-espionage campaigns against American critical infrastructure.

    “A PRC (People’s Republic of China) state-sponsored actor is living off the land, using built-in network tools to evade our defences and leaving no trace behind,” NSA Cybersecurity Director Rob Joyce said in a statement.

    Such “living off the land” spy techniques are harder to detect as they use “capabilities already built into critical infrastructure environments,” he added.

    The Chinese embassy in Washington did not immediately respond to a Reuters request for comment.

    Microsoft said the Chinese group, which it dubbed “Volt Typhoon”, has been active since at least 2021 and has targeted a number of industries including communications, manufacturing, utility, transport, construction, maritime, government, information technology, and education.

Chinese hackers blamed for cyberattacks in US, Canada
6 Dec 2022

  • As opposed to using traditional hacking techniques, which often involve tricking a victim into downloading malicious files, Microsoft said this group infects a victim’s existing systems to find information and extract data.

    Analysts assessed with “moderate confidence” that this Chinese campaign was developing capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises, Microsoft added.

    Guam is home to US military facilities that would be key to responding to any conflict in the Asia-Pacific region.

    Canada’s cybersecurity agency separately said it had no reports of Canadian victims of this hacking as yet. “However, western economies are deeply interconnected,” it added. “Much of our infrastructure is closely integrated and an attack on one can impact the other.”

    The UK similarly warned the techniques used by the Chinese hackers on US networks could be applied worldwide.

  • .........................................................................................................

Microsoft has uncovered stealthy and targeted malicious activity focused on post-compromise credential access and network system discovery aimed at critical infrastructure organizations in the United States. The attack is carried out by Volt Typhoon, a state-sponsored actor based in China that typically focuses on espionage and information gathering. Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.

Volt Typhoon has been active since mid-2021 and has targeted critical infrastructure organizations in Guam and elsewhere in the United States. In this campaign, the affected organizations span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. Observed behavior suggests that the threat actor intends to perform espionage and maintain access without being detected for as long as possible. Microsoft is choosing to highlight this Volt Typhoon activity at this time because of our significant concern around the potential for further impact to our customers. Although our visibility into these threats has given us the ability to deploy detections to our customers, the lack of visibility into other parts of the actor’s activity compelled us to drive broader community awareness and further investigations and protections across the security ecosystem.

To achieve their objective, the threat actor puts strong emphasis on stealth in this campaign, relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity. They issue commands via the command line to (1) collect data, including credentials from local and network systems, (2) put the data into an archive file to stage it for exfiltration, and then (3) use the stolen valid credentials to maintain persistence. In addition, Volt Typhoon tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware. They have also been observed using custom versions of open-source tools to establish a command and control (C2) channel over proxy to further stay under the radar.

In this blog post, we share information on Volt Typhoon, their campaign targeting critical infrastructure providers, and their tactics for achieving and maintaining unauthorized access to target networks. Because this activity relies on valid accounts and living-off-the-land binaries (LOLBins), detecting and mitigating this attack could be challenging. Compromised accounts must be closed or changed. At the end of this blog post, we share more mitigation steps and best practices, as well as provide details on how Microsoft 365 Defender detects malicious and suspicious activity to protect organizations from such stealthy attacks. The National Security Agency (NSA) has also published a Cybersecurity Advisory [PDF] which contains a hunting guide for the tactics, techniques, and procedures (TTPs) discussed in this blog.

As with any observed nation-state actor activity, Microsoft has directly notified targeted or compromised customers, providing them with important information needed to secure their environments. To learn about Microsoft’s approach to threat actor tracking, read Microsoft shifts to a new threat actor naming taxonomy.

Figure 1. Volt Typhoon attack diagram

Initial access

Volt Typhoon achieves initial access to targeted organizations through internet-facing Fortinet FortiGuard devices. Microsoft continues to investigate Volt Typhoon’s methods for gaining access to these devices.

The threat actor attempts to leverage any privileges afforded by the Fortinet device, extracts credentials to an Active Directory account used by the device, and then attempts to authenticate to other devices on the network with those credentials.

Volt Typhoon proxies all its network traffic to its targets through compromised SOHO network edge devices (including routers). Microsoft has confirmed that many of the devices, which include those manufactured by ASUS, Cisco, D-Link, NETGEAR, and Zyxel, allow the owner to expose HTTP or SSH management interfaces to the internet. Owners of network edge devices should ensure that management interfaces are not exposed to the public internet in order to reduce their attack surface. By proxying through these devices, Volt Typhoon enhances the stealth of their operations and lowers overhead costs for acquiring infrastructure.

Post-compromise activity

Once Volt Typhoon gains access to a target environment, they begin conducting hands-on-keyboard activity via the command line. Some of these commands appear to be exploratory or experimental, as the operators adjust and repeat them multiple times.

Volt Typhoon rarely uses malware in their post-compromise activity. Instead, they rely on living-off-the-land commands to find information on the system, discover additional devices on the network, and exfiltrate data. We describe their activities in the following sections, including the most impactful actions that relate to credential access.

Credential access

If the account that Volt Typhoon compromises from the Fortinet device has privileged access, they use that account to perform the following credential access activities.

Microsoft has observed Volt Typhoon attempting to dump credentials through the Local Security Authority Subsystem Service (LSASS). The LSASS process memory space contains hashes for the current user’s operating system (OS) credentials.

text
Figure 2. Volt Typhoon command to dump LSASS process memory, encoded in Base64
Figure 3. Decoded Base64 of Volt Typhoon command to dump LSASS process memory

Volt Typhoon also frequently attempts to use the command-line tool Ntdsutil.exe to create installation media from domain controllers, either remotely or locally. These media are intended to be used in the installation of new domain controllers. The files in the installation media contain usernames and password hashes that the threat actors can crack offline, giving them valid domain account credentials that they could use to regain access to a compromised organization if they lose access.

Figure 4. Volt Typhoon command to remotely create domain controller installation media
Figure 5. Volt Typhoon command to locally create domain controller installation media

Discovery

Microsoft has observed Volt Typhoon discovering system information, including file system types; drive names, size, and free space; running processes; and open networks. They also attempt to discover other systems on the compromised network using PowerShell, Windows Management Instrumentation Command-line (WMIC), and the ping command. In a small number of cases, the threat actors run system checks to determine if they are operating within a virtualized environment.

Collection

In addition to operating system and domain credentials, Volt Typhoon dumps information from local web browser applications. Microsoft has also observed the threat actors staging collected data in password-protected archives.

Command and control

In most cases, Volt Typhoon accesses compromised systems by signing in with valid credentials, the same way authorized users do. However, in a small number of cases, Microsoft has observed Volt Typhoon operators creating proxies on compromised systems to facilitate access. They accomplish this with the built-in netsh portproxy command.

a screen shot of a computer
Figure 6. Volt Typhoon commands creating and later deleting a port proxy on a compromised system

In rare cases, they also use custom versions of open-source tools Impacket and Fast Reverse Proxy (FRP) to establish a C2 channel over proxy.

Compromised organizations will observe C2 access in the form of successful sign-ins from unusual IP addresses. The same user account used for these sign-ins may be linked to command-line activity conducting further credential access. Microsoft will continue to monitor Volt Typhoon and track changes in their activity and tooling.

Mitigation and protection guidance

Mitigating risk from adversaries like Volt Typhoon that rely on valid accounts and living-off-the-land binaries (LOLBins) is particularly challenging. Detecting activity that uses normal sign-in channels and system binaries requires behavioral monitoring. Remediation requires closing or changing credentials for compromised accounts. Suspected compromised accounts or affected systems should be investigated:

  • Identify LSASS dumping and domain controller installation media creation to identify affected accounts.
  • Examine the activity of compromised accounts for any malicious actions or exposed data.
  • Close or change credentials for all compromised accounts. Depending on the level of collection activity, many accounts may be affected.

    Defending against this campaign

    • Mitigate the risk of compromised valid accounts by enforcing strong multi-factor authentication (MFA) policies using hardware security keys or Microsoft Authenticator. Passwordless sign-in, password expiration rules, and deactivating unused accounts can also help mitigate risk from this access method.
    • Reduce the attack surface. Microsoft customers can turn on the following attack surface reduction rules to block or audit some observed activity associated with this threat:
      • Block credential stealing from the Windows local security authority subsystem (lsass.exe).Block process creations originating from PSExec and WMI commands. Some organizations may experience compatibility issues with this rule on certain server systems but should deploy it to other systems to prevent lateral movement originating from PsExec and WMI.
    • Harden the LSASS process by enabling Protective Process Light (PPL) for LSASS on Windows 11 devices. New, enterprise-joined Windows 11 (22H2 update) installs have this feature enabled by default. In addition, enable Windows Defender Credential Guard, which is also turned on by default for organizations using the Enterprise edition of Windows 11.
    • Turn on cloud-delivered protection in Microsoft Defender Antivirus to cover rapidly evolving attacker tools, techniques, and behaviors such as those exhibited by Volt Typhoon.
    • Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat, or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-compromise.

    Detection details and hunting queries

    Microsoft Defender Antivirus

    Microsoft Defender Antivirus detects attempted post-compromise activity. Note, however, that these alerts can also be triggered by threat activity unrelated to Volt Typhoon. Turn on cloud-delivered protection to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block most new and unknown threats.

    • Behavior:Win32/SuspNtdsUtilUsage.A
    • Behavior:Win32/SuspPowershellExec.E
    • Behavior:Win32/SuspRemoteCmdCommandParent.A
    • Behavior:Win32/UNCFilePathOperation
    • Behavior:Win32/VSSAmsiCaller.A
    • Behavior:Win32/WinrsCommand.A
    • Behavior:Win32/WmiSuspProcExec.J!se
    • Behavior:Win32/WmicRemote.A
    • Behavior:Win32/WmiprvseRemoteProc.B

    Microsoft Defender for Endpoint

    Microsoft Defender for Endpoint alerts with the following titles can indicate possible presence of Volt Typhoon activity.

    • Volt Typhoon threat actor detected

    The following alerts may also be associated with Volt Typhoon activity. Note, however, that these alerts can also be triggered by threat activity unrelated to Volt Typhoon.

    • A machine was configured to forward traffic to a non-local address
    • Ntdsutil collecting Active Directory information
    • Password hashes dumped from LSASS memory
    • Suspicious use of wmic.exe to execute code
    • Impacket toolkit

    Hunting queries

    Microsoft 365 Defender

    Volt Typhoon’s post-compromise activity usually includes distinctive commands. Searching for these can help to determine the scope and impact of an incident.

    Find commands creating domain controller installation media

    This query can identify domain controller installation media creation commands similar to those used by Volt Typhoon.

    DeviceProcessEvents
    | where ProcessCommandLine has_all ("ntdsutil", "create full", "pro")

    Find commands establishing internal proxies

    This query can identify commands that establish internal proxies similar to those used by Volt Typhoon.

    DeviceProcessEvents
    | where ProcessCommandLine has_all ("portproxy", "netsh", "wmic", "process call create", "v4tov4")

    Find detections of custom FRP executables

    This query can identify alerts on files that match the SHA-256 hashes of known Volt Typhoon custom FRP binaries.

    AlertEvidence
    | where SHA256 in
    ('baeffeb5fdef2f42a752c65c2d2a52e84fb57efc906d981f89dd518c314e231c',
    'b4f7c5e3f14fb57be8b5f020377b993618b6e3532a4e1eb1eae9976d4130cc74',
    '4b0c4170601d6e922cf23b1caf096bba2fade3dfcf92f0ab895a5f0b9a310349',
    'c0fc29a52ec3202f71f6378d9f7f9a8a3a10eb19acb8765152d758aded98c76d',
    'd6ab36cb58c6c8c3527e788fc9239d8dcc97468b6999cf9ccd8a815c8b4a80af',
    '9dd101caee49c692e5df193b236f8d52a07a2030eed9bd858ed3aaccb406401a',
    '450437d49a7e5530c6fb04df2e56c3ab1553ada3712fab02bd1eeb1f1adbc267',
    '93ce3b6d2a18829c0212542751b309dacbdc8c1d950611efe2319aa715f3a066',
    '7939f67375e6b14dfa45ec70356e91823d12f28bbd84278992b99e0d2c12ace5',
    '389a497f27e1dd7484325e8e02bbdf656d53d5cf2601514e9b8d8974befddf61',
    'c4b185dbca490a7f93bc96eefb9a597684fdf532d5a04aa4d9b4d4b1552c283b',
    'e453e6efc5a002709057d8648dbe9998a49b9a12291dee390bb61c98a58b6e95',
    '6036390a2c81301a23c9452288e39cb34e577483d121711b6ba6230b29a3c9ff',
    'cd69e8a25a07318b153e01bba74a1ae60f8fc28eb3d56078f448461400baa984',
    '17506c2246551d401c43726bdaec800f8d41595d01311cf38a19140ad32da2f4',
    '8fa3e8fdbaa6ab5a9c44720de4514f19182adc0c9c6001c19cf159b79c0ae9c2',
    'd17317e1d5716b09cee904b8463a203dc6900d78ee2053276cc948e4f41c8295',
    '472ccfb865c81704562ea95870f60c08ef00bcd2ca1d7f09352398c05be5d05d',
    '3e9fc13fab3f8d8120bd01604ee50ff65a40121955a4150a6d2c007d34807642')

    Microsoft Sentinel

    Below are some suggested queries to assist Microsoft Sentinel customers in identifying Volt Typhoon activity in their environment:

    Microsoft customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious hash indicators (related to the custom Fast Reverse Proxy binaries) mentioned in this blog post. These analytics are part of the Threat Intelligence solution and can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy.

    Indicators of compromise (IOCs)

    The below list provides IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protection to identify past related activity and prevent future attacks against their systems.

    Volt Typhoon custom FRP executable (SHA-256):

    • baeffeb5fdef2f42a752c65c2d2a52e84fb57efc906d981f89dd518c314e231c
    • b4f7c5e3f14fb57be8b5f020377b993618b6e3532a4e1eb1eae9976d4130cc74
    • 4b0c4170601d6e922cf23b1caf096bba2fade3dfcf92f0ab895a5f0b9a310349
    • c0fc29a52ec3202f71f6378d9f7f9a8a3a10eb19acb8765152d758aded98c76d
    • d6ab36cb58c6c8c3527e788fc9239d8dcc97468b6999cf9ccd8a815c8b4a80af
    • 9dd101caee49c692e5df193b236f8d52a07a2030eed9bd858ed3aaccb406401a
    • 450437d49a7e5530c6fb04df2e56c3ab1553ada3712fab02bd1eeb1f1adbc267
    • 93ce3b6d2a18829c0212542751b309dacbdc8c1d950611efe2319aa715f3a066
    • 7939f67375e6b14dfa45ec70356e91823d12f28bbd84278992b99e0d2c12ace5
    • 389a497f27e1dd7484325e8e02bbdf656d53d5cf2601514e9b8d8974befddf61
    • c4b185dbca490a7f93bc96eefb9a597684fdf532d5a04aa4d9b4d4b1552c283b
    • e453e6efc5a002709057d8648dbe9998a49b9a12291dee390bb61c98a58b6e95
    • 6036390a2c81301a23c9452288e39cb34e577483d121711b6ba6230b29a3c9ff
    • cd69e8a25a07318b153e01bba74a1ae60f8fc28eb3d56078f448461400baa984
    • 17506c2246551d401c43726bdaec800f8d41595d01311cf38a19140ad32da2f4
    • 8fa3e8fdbaa6ab5a9c44720de4514f19182adc0c9c6001c19cf159b79c0ae9c2
    • d17317e1d5716b09cee904b8463a203dc6900d78ee2053276cc948e4f41c8295
    • 472ccfb865c81704562ea95870f60c08ef00bcd2ca1d7f09352398c05be5d05d
    • 3e9fc13fab3f8d8120bd01604ee50ff65a40121955a4150a6d2c007d34807642