Microsoft said that the hackers, which it tracks under the codename Volt Typhoon, have been active since mid-2021. According to the report, the attackers gain initial access by exploiting vulnerabilities in internet-facing Fortinet FortiGuard devices that admins never patched, extract the credentials of an Active Directory account used by the compromised device, and then use those credentials to authenticate to other devices on the network, blending in with legitimate sign-ins rather than relying on malware.
“Volt Typhoon proxies all its network traffic to its targets through compromised SOHO network edge devices (including routers),” Microsoft wrote. “Microsoft has confirmed that many of the devices, which include those manufactured by ASUS, Cisco, D-Link, NETGEAR, and Zyxel, allow the owner to expose HTTP or SSH management interfaces to the Internet.”
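The two behaviors described above, an edge device that accepts HTTP or SSH administration from the internet and an edge device's Active Directory account being reused from other hosts, are both visible in ordinary firewall and authentication logs. The following checks are an added example written for this page; they are not Microsoft's detection logic and not code from any vendor. The log lines are constructed in a generic key=value syntax (not a real Fortinet, ASUS, Cisco, D-Link, NETGEAR or Zyxel format), the addresses come from the documentation ranges standing in for public IPs, and the set of management ports and the mapping of service accounts to the device that should use them are assumptions an operator would replace with their own.

```python
"""Two log-based checks for the edge-device tradecraft described in the
Microsoft report (added example; not Microsoft's or any vendor's code)."""
import ipaddress

# Constructed sample events in a generic key=value syntax. Real vendor logs
# differ; only the parse() function would need to change for them.
# 203.0.113.x / 198.51.100.x are documentation ranges used here as "public".
SAMPLE_LOGS = """
type=fw action=accept iface=wan src=203.0.113.7 dst=198.51.100.2 dport=443 svc=https
type=fw action=accept iface=wan src=203.0.113.7 dst=198.51.100.2 dport=22 svc=ssh
type=fw action=accept iface=lan src=10.0.0.5 dst=198.51.100.2 dport=443 svc=https
type=fw action=accept iface=wan src=198.51.100.9 dst=198.51.100.2 dport=53 svc=dns
type=fw action=drop iface=wan src=203.0.113.8 dst=198.51.100.2 dport=22 svc=ssh
type=auth result=success user=svc-ldap-bind src=10.0.0.1 dst=10.0.0.10 logon=network
type=auth result=success user=svc-ldap-bind src=10.0.0.42 dst=10.0.0.11 logon=network
type=auth result=success user=jdoe src=10.0.0.42 dst=10.0.0.11 logon=network
"""

# Assumption: ports on which HTTP/SSH management interfaces commonly listen.
MGMT_PORTS = {22, 80, 443, 8080, 8443}

# Assumption: which AD account is bound to which edge device (device IP).
# Any successful logon by that account from another source is suspicious.
EDGE_ACCOUNTS = {"svc-ldap-bind": "10.0.0.1"}

# Address space treated as internal. Documentation ranges are deliberately
# not listed so the sample "public" addresses count as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def parse(text):
    """Turn key=value lines into a list of dicts; blank lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        events.append(dict(kv.split("=", 1) for kv in line.split()))
    return events


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def exposed_mgmt_sessions(events):
    """Accepted WAN-side sessions to management ports from external sources,
    i.e. evidence that the admin interface is reachable from the internet."""
    hits = []
    for e in events:
        if e.get("type") != "fw" or e.get("action") != "accept":
            continue
        if e.get("iface") != "wan" or int(e["dport"]) not in MGMT_PORTS:
            continue
        if not is_internal(e["src"]):
            hits.append((e["src"], e["dst"], int(e["dport"])))
    return hits


def misused_edge_accounts(events, edge_accounts=EDGE_ACCOUNTS):
    """Successful logons by an edge device's AD account from any host other
    than that device: the credential-reuse step described in the report."""
    hits = []
    for e in events:
        if e.get("type") != "auth" or e.get("result") != "success":
            continue
        expected_src = edge_accounts.get(e["user"])
        if expected_src is not None and e["src"] != expected_src:
            hits.append((e["user"], e["src"], e["dst"]))
    return hits


if __name__ == "__main__":
    evts = parse(SAMPLE_LOGS)
    for src, dst, port in exposed_mgmt_sessions(evts):
        print(f"exposed management interface: {src} -> {dst}:{port}")
    for user, src, dst in misused_edge_accounts(evts):
        print(f"edge account {user} reused from {src} -> {dst}")
```

The first check fires on the two accepted WAN sessions to 443 and 22; the dropped SSH attempt and the DNS session are ignored, as is the LAN-side admin session. The second check fires only on the logon of svc-ldap-bind from 10.0.0.42, because that account is expected to authenticate solely from the edge device at 10.0.0.1. Neither check proves compromise on its own, but both are cheap to run continuously and directly target the conditions the report describes.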