Microsoft uncovered stealthy and targeted malicious activity aimed at critical infrastructure in the United States and carried out by Volt Typhoon, a state-sponsored actor based in China.
Microsoft alleges that this Volt Typhoon campaign is pursuing the development of capabilities that could disrupt critical communications infrastructure between the United States and the Asia region during future crises.
The attackers gain initial access to targeted organizations through Internet-facing Fortinet FortiGuard devices. From there, they extract the credentials of an Active Directory account used by the device and then attempt to authenticate to other devices on the network with those credentials. Volt Typhoon proxies all of its network traffic to its targets through compromised SOHO network edge devices, including routers. Microsoft has confirmed that many of these devices, including ones manufactured by ASUS, Cisco, D-Link, NETGEAR, and Zyxel, allow the owner to expose HTTP or SSH management interfaces to the internet.
The National Security Agency (NSA) has also published a Cybersecurity Advisory [PDF] which contains a hunting guide for the tactics, techniques, and procedures (TTPs) of this attack.
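One hunting check that follows directly from the credential-reuse step described above, as an added example written for this summary (not code from Microsoft or from the NSA advisory): flag any logon by the firewall's Active Directory service account that does not originate from the device itself, and list the hosts each unexpected source reached. The account name `svc-fortigate`, the device address `10.0.0.5` and the simplified "timestamp account source target" log format are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample authentication records (not real logs), one logon per line:
# "timestamp account source_ip target_host". The firewall's own management
# address is assumed to be 10.0.0.5; logons from 10.0.8.77 are the constructed
# anomaly.
SAMPLE_LOGS = """\
2023-05-24T10:01:02 svc-fortigate 10.0.0.5 dc01
2023-05-24T10:03:15 svc-fortigate 10.0.0.5 dc01
2023-05-24T11:12:40 svc-fortigate 10.0.8.77 fileserver01
2023-05-24T11:13:02 svc-fortigate 10.0.8.77 dc02
2023-05-24T11:14:55 svc-fortigate 10.0.8.77 workstation-44
2023-05-24T11:20:00 jdoe 10.0.8.90 fileserver01
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_logs(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, account, src, dst = m.groups()
            records.append({"ts": ts, "account": account, "src": src, "dst": dst})
    return records


def hunt_device_account_misuse(records, device_accounts):
    """
    device_accounts maps a device's AD account name to the set of source IPs
    that device legitimately authenticates from. Returns the suspicious logons
    (device account used from an unexpected source) and, per (account, source),
    the sorted list of hosts reached, which exposes lateral-movement fan-out.
    """
    suspicious = [r for r in records
                  if r["account"] in device_accounts
                  and r["src"] not in device_accounts[r["account"]]]
    fanout = defaultdict(set)
    for r in suspicious:
        fanout[(r["account"], r["src"])].add(r["dst"])
    return suspicious, {k: sorted(v) for k, v in fanout.items()}


if __name__ == "__main__":
    hits, fan = hunt_device_account_misuse(parse_logs(SAMPLE_LOGS),
                                           {"svc-fortigate": {"10.0.0.5"}})
    for (account, src), hosts in fan.items():
        print(f"ALERT {account} from {src} reached {len(hosts)} hosts: {', '.join(hosts)}")
```

The baseline of legitimate source addresses per service account is the part that must come from your own inventory; the check is only as good as that mapping.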