Volt Typhoon is an imminent danger to U.S. critical infrastructure. Microsoft-CISA: The China sponsored APT is pursuing development of capabilities that could disrupt critical communications infrastructure between US and Asia

Volt Typhoon, a state-sponsored actor based in China, is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises. Microsoft cybersecurity experts denounce it. The APT, that typically focuses on espionage and information gathering, attacked networks across U.S. critical infrastructure sectors. According the U.S. Cybersecurity and Infrastructure Security Agency (CISA), one of it’s primary tactics, techniques, and procedures (TTPs) is living off the land, which uses built-in network administration tools to perform their objectives. This TTP allows the actor to evade detection by blending in with normal Windows system and network activities, avoid endpoint detection and response (EDR) products that would alert on the introduction of third-party applications to the host, and limit the amount of activity that is captured in default logging configurations. Some of the built-in tools this actor uses are: wmic, ntdsutil, netsh, and PowerShell.