What is Volt Typhoon? A Full Recap of PRC State-Sponsored APT Group

What is Volt Typhoon?

Volt Typhoon is a People’s Republic of China (PRC) state-sponsored advanced persistent threat (APT) group specializing in espionage and long-term intrusions. It has been active since mid-2021 and is also tracked as Insidious Taurus, Vanguard Panda, DEV-0391, UNC3236, BRONZE SILHOUETTE, G1017, and Voltzite. The US government and its international partners assess that this Chinese state-sponsored actor infiltrates target organization networks using stealthy Living-off-the-Land (LOTL) techniques and pre-positions itself so that it could conduct disruptive or destructive cyberattacks during a crisis or conflict with the United States.

Volt Typhoon Targets and Attacks

Volt Typhoon is known to target critical infrastructure and government organizations in the United States and other Western countries. Its targets include organizations in the communications, energy, transportation systems, and water and wastewater systems sectors. In May 2023, Microsoft reported that Volt Typhoon had targeted critical infrastructure organizations in the United States; the affected organizations spanned the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.

In February 2024, Volt Typhoon was found targeting the geographic information system (GIS) of an emergency management service for a large US city; the system is used for emergency dispatch (such as law enforcement or ambulance services) and to support recovery operations after a disaster. Volt Typhoon has also targeted electric utilities since 2023. Other victims include satellite and telecommunications service providers and a defence industrial base organization.

Important Volt Typhoon Advisories

Various government agencies and security firms have issued cybersecurity advisories on Volt Typhoon. The significant findings from each are summarized below.

Volt Typhoon CISA Advisories

CISA has been at the forefront of identifying and publishing the activities of the Chinese Volt Typhoon group through its Cybersecurity Advisories (CSAs). CISA has issued three joint CSAs on Volt Typhoon activity: the first on 24 May 2023, the second on 7 February 2024, and the third and most recent on 19 March 2024.

The first CSA details how the group uses small office/home office (SOHO) network devices as intermediary infrastructure to mask its activity, and how it relies on living-off-the-land techniques and built-in network administration tools to achieve its objectives while obfuscating that activity.

The second advisory describes a broader toolkit for this group: detailed pre-compromise reconnaissance; exploitation of known or zero-day vulnerabilities in public-facing network appliances to gain an initial foothold; and, ultimately, acquisition of administrator credentials in the victim environment.

CISA’s third advisory is a fact sheet addressed to critical infrastructure leaders, with strategic-level recommendations to defend against and mitigate Volt Typhoon attacks.

Volt Typhoon FBI and DOJ Actions

On 31 January 2024, FBI Director Christopher Wray described Volt Typhoon as “the threat of our generation” in testimony at a hearing of the US House Select Committee on the Strategic Competition Between the United States and the Chinese Communist Party.

Also on 31 January 2024, the US Department of Justice announced that a coordinated disruption action had dismantled a botnet of hundreds of SOHO devices in the US, all infected with the KV-botnet malware and all controlled from a single command-and-control (C2) infrastructure. The KV-botnet has been used by several threat actors.

Volt Typhoon Microsoft Advisories

Microsoft was among the first to identify that the Volt Typhoon APT group was targeting US critical infrastructure using Living-off-the-Land (LOTL) techniques. On 24 May 2023, Microsoft released a detailed report on how the Chinese APT group abuses built-in Windows processes, services and commands such as PowerShell, WMI, LSASS, Netsh and PortProxy to evade detection controls.

Figure: Volt Typhoon Microsoft Advisory with MITRE ATT&CK | Source: Microsoft

How Does Volt Typhoon Work?

Volt Typhoon is a sophisticated threat group that uses advanced tactics and techniques not only to infiltrate targeted critical infrastructure networks but also to obfuscate its activity and evade detection mechanisms through Living-off-the-Land (LOTL) techniques.

What is a Living Off The Land (LOTL) Attack?

A Living Off the Land (LOTL) attack is one in which the attacker abuses legitimate tools that already reside on the victim’s system to carry out and persist in an attack. It is also known by other names, such as a fileless malware or LOLBins attack. In contrast to traditional malware, which delivers attack code from a C2 server as a signature-bearing file executed on the host, a LOTL attack needs no such code or script: the attacker simply drives tools that are probably already present in the target’s environment, such as PowerShell, Windows Management Instrumentation (WMI), or the open-source credential-dumping tool Mimikatz.

Because LOTL attacks use native tools, they are likely to escape detection if the victim organisation relies on legacy security tools that look for known malware such as scripts or files, and a capable attacker can maintain a presence within the victim’s environment for weeks, months, or even years. Access to the environment can be gained in an ever-increasing variety of ways, including (this list is far from exhaustive): a browser exploit kit; a hijacked native tool; malicious code resident in the registry; memory-only malware; ‘fileless’ ransomware; or stolen credentials.

In LOTL attacks, adversaries typically hijack a legitimate tool to elevate privileges, move laterally to another system or network, steal or encrypt data, plant malware, enable backdoor access, or otherwise advance the attack along its path. Such attacks benefit from their stealth, which makes them difficult for security teams to detect and prevent. Additionally, because many organisations do not deploy the security best practices that support detection of LOTL activity, the technique remains highly effective for malicious actors with virtually no investment in tooling.

Step-By-Step Volt Typhoon Attack:

Step 1: Volt Typhoon threat actors perform reconnaissance against the target organization’s people, security processes, and technology to gather the information needed for initial access.

Step 2: Using those details, the threat actors exploit vulnerabilities in public-facing applications to gain an initial foothold in the network.

Step 3: They then work their way through the network and attempt to obtain administrator credentials on the compromised machines.

Step 4: To identify other machines on the network and move laterally, the threat actors use Remote Desktop Protocol (RDP) with the previously obtained valid credentials.

Step 5: The attackers seek out critical assets inside the organization and establish RDP sessions to them.

Step 6: Once critical assets such as domain controllers are identified, the Volt Typhoon actors attempt to extract the NTDS.dit file, the Active Directory database in which all domain account passwords are stored in hashed form.

Step 7: The attackers also attempt to extract the SYSTEM registry hive. The SYSTEM hive holds the key needed to decrypt the hashes stored in NTDS.dit; with both files, the attackers can crack the hashes offline and recover plain-text passwords for accounts across the compromised organization.

Step 8: Once the Volt Typhoon attackers have this level of access, they lurk inside the network, position themselves at strategically important locations inside the organization, and remain there for years. The FBI Director revealed that these threat actors had been inside US critical infrastructure organizations for more than five years.
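The LOTL behaviours described above (the built-in PowerShell, WMI and Netsh/PortProxy usage from the Microsoft report, and the NTDS.dit and SYSTEM hive extraction in Steps 6 and 7) all leave traces in Windows process-creation logging, which is where a SOC can catch them. The following is an added example, not code from the article, CISA or Microsoft: a small Python detector that runs argument-based rules over constructed Windows Security event 4688-style records and then correlates the NTDS.dit/SYSTEM-hive pair per host. The event records, host names, user names and rule names are constructed placeholders.

```python
import re

# Constructed sample process-creation records (Windows Security event ID 4688 style).
# They are illustrative only and are not from any real incident or from the article.
SAMPLE_EVENTS = [
    {"host": "dc01", "user": r"CORP\svc_backup",
     "cmd": r'ntdsutil.exe "ac i ntds" ifm "create full C:\Windows\Temp\out" q q'},
    {"host": "dc01", "user": r"CORP\svc_backup",
     "cmd": r"reg.exe save hklm\system C:\Windows\Temp\sys.hiv"},
    {"host": "ws17", "user": r"CORP\jdoe",
     "cmd": r"netsh.exe interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5 connectport=3389"},
    {"host": "ws17", "user": r"CORP\jdoe", "cmd": r"powershell.exe -NoProfile Get-Process"},
    {"host": "ws22", "user": r"CORP\helpdesk", "cmd": r'wmic.exe process call create "cmd /c whoami"'},
]

# Each rule is (name, compiled regex over the command line). The binaries are legitimate
# Windows tools, so the patterns key on the suspicious arguments, not on the executable alone.
RULES = [
    ("ntds_dit_dump", re.compile(r"ntdsutil.*\bifm\b|ntdsutil.*ac\s+i\s+ntds", re.I)),
    ("system_hive_save", re.compile(r"\breg(\.exe)?\s+save\s+hklm\\system\b", re.I)),
    ("netsh_portproxy", re.compile(r"\bnetsh(\.exe)?\b.*\bportproxy\s+add\b", re.I)),
    ("wmic_remote_exec", re.compile(r"\bwmic(\.exe)?\b.*process\s+call\s+create", re.I)),
]


def match_rules(events):
    """Return one finding per (event, rule) hit as dicts with host, user and rule name."""
    findings = []
    for ev in events:
        for name, pattern in RULES:
            if pattern.search(ev["cmd"]):
                findings.append({"host": ev["host"], "user": ev["user"], "rule": name})
    return findings


def credential_theft_hosts(findings):
    """Hosts where both NTDS.dit and SYSTEM hive extraction were seen. Together these
    files give an attacker what is needed to crack domain password hashes offline,
    so the pair on one host deserves a higher severity than either hit alone."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["rule"])
    return sorted(h for h, rules in by_host.items()
                  if {"ntds_dit_dump", "system_hive_save"} <= rules)


if __name__ == "__main__":
    hits = match_rules(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f['host']:6} {f['user']:18} {f['rule']}")
    print("hosts with full AD credential-theft chain:", credential_theft_hosts(hits))
```

In production the same rules would be fed from Sysmon event 1 or Security event 4688 with command-line auditing enabled; without command-line logging, the NTDS.dit and hive rules have nothing to match on.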

Figure: What is Volt Typhoon and How Does Volt Typhoon Work? | Source: CISA

Vulnerabilities Targeted by Volt Typhoon

Volt Typhoon has targeted vulnerabilities in products including Fortinet FortiGuard, PRTG Network Monitor appliances, ManageEngine ADSelfService Plus, FatPipe WARP, Ivanti Connect Secure VPN, and Cisco ASA.

Volt Typhoon IOCs

