Volt Typhoon is a state-sponsored cyber espionage group originating from China, focused on targeting critical infrastructure in the United States and other regions. This threat actor has gained notoriety for its stealthy tactics, focusing on "living off the land" techniques – using built-in system tools and processes to avoid detection by traditional security measures. Their operations pose a significant risk to national security and the operational integrity of critical services. This article provides a detailed analysis of Volt Typhoon, covering its origins, tactics, targets, and defensive strategies for security professionals.
Volt Typhoon was first publicly identified in May 2023 by Microsoft, although evidence suggests the group has been active since at least mid-2021. The group is believed to be linked to the Chinese government, supporting its strategic espionage objectives. Unlike some threat actors that evolve through rebranding or shifting membership, Volt Typhoon has maintained a consistent operational methodology, refining its "living off the land" approach and expanding its target scope. No known rebranding or clear subgroup affiliations have been publicly identified. The "believed linked" status to the Chinese government is based on analysis by multiple cybersecurity firms and government agencies, including the "Five Eyes" intelligence alliance (US, UK, Canada, Australia, New Zealand). The consistency of targets with Chinese strategic interests reinforces this assessment.
Volt Typhoon's modus operandi is characterized by a high degree of stealth and a focus on long-term, persistent access. Key aspects of their tactics, techniques, and procedures (TTPs) include:
Initial Access: Volt Typhoon primarily gains initial access through the exploitation of vulnerabilities in internet-facing devices, particularly networking equipment like routers and firewalls from vendors like Fortinet, Ivanti Connect Secure, NETGEAR, and Citrix. They also leverage known vulnerabilities in public-facing applications. Spear-phishing, while a common tactic for many threat actors, is not a prominently reported method for Volt Typhoon.
"Living off the Land" (LotL): This is the defining characteristic of Volt Typhoon's operations. Instead of deploying custom malware, they utilize legitimate system administration tools already present on compromised systems. This includes using Windows Management Instrumentation Command-line (WMIC), PowerShell, netsh, and other built-in utilities to perform reconnaissance, move laterally, and maintain persistence. This approach makes detection significantly more challenging, as malicious activity blends in with normal system behavior. Understanding the Windows registry structure can be helpful in identifying suspicious modifications made by attackers.
Credential Access and Lateral Movement: Volt Typhoon focuses on harvesting credentials, often using built-in Windows tools to dump credentials from memory (e.g., mimicking lsass.exe behavior). They then use these credentials to move laterally within the compromised network, targeting additional systems of interest. They have been observed using Remote Desktop Protocol (RDP) and other legitimate remote access tools for this purpose.
Persistence: Volt Typhoon establishes persistence by modifying system configurations, often using scheduled tasks or manipulating registry keys. They also leverage compromised credentials to maintain access even after system reboots or password changes. They are known to install web shells on compromised servers for persistent remote access.
Command and Control (C2): Volt Typhoon uses a network of compromised small office/home office (SOHO) network devices (routers, etc.) as a proxy infrastructure to obfuscate their C2 communications. This makes tracing the origin of attacks extremely difficult. The traffic is often routed through multiple compromised devices before reaching the attackers' infrastructure.
Data Exfiltration: While data exfiltration is a likely objective, Volt Typhoon's focus has primarily been on establishing and maintaining access to critical infrastructure. Specific details about exfiltration methods are less publicly documented, likely due to the group's stealth and the difficulty in detecting their activity. However, given their use of LotL, it's probable they use standard protocols like HTTP/HTTPS or even DNS for exfiltration, blending in with normal network traffic.
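As an added illustration of how the tool abuse described above (PowerShell, WMIC, netsh, scheduled tasks, registry Run keys) can be surfaced from ordinary telemetry, the script below applies a small set of command-line detection rules to constructed Windows process-creation (event 4688) records and aggregates a per-host triage score. This is example code written for this page, not code from the article or from any referenced advisory; the sample events, the rule weights and the triage threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample of Windows Security event 4688 (process creation) records,
# flattened to "account|host|parent image|command line". These are illustrative
# values made up for this example, not telemetry from any real incident.
SAMPLE_EVENTS = [
    "svc_backup|FILESRV01|services.exe|C:\\Windows\\System32\\svchost.exe -k netsvcs",
    "jdoe|WKSTN22|explorer.exe|powershell.exe -NoProfile -ExecutionPolicy Bypass "
    "-WindowStyle Hidden -EncodedCommand QQBCAEMA",
    "it_admin|DC01|cmd.exe|wmic /node:10.0.5.14 process call create \"cmd.exe /c hostname\"",
    "svc_backup|FILESRV01|cmd.exe|netsh interface portproxy add v4tov4 "
    "listenport=9999 connectaddress=10.0.5.20 connectport=3389",
    "jdoe|WKSTN22|cmd.exe|schtasks /create /sc onlogon /tn Updater /tr C:\\Users\\Public\\u.bat",
    "jdoe|WKSTN22|cmd.exe|reg add HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "
    "/v upd /t REG_SZ /d C:\\Users\\Public\\u.bat",
    "helpdesk|WKSTN07|cmd.exe|netsh advfirewall show allprofiles",
    "jdoe|WKSTN22|explorer.exe|notepad.exe C:\\Users\\jdoe\\notes.txt",
]

# Detection rules for built-in tools abused in living-off-the-land tradecraft:
# (rule name, regex over the command line, triage weight, ATT&CK technique).
# The weights are arbitrary values chosen for this example; tune them to your
# environment's normal administrative activity.
RULES = [
    ("powershell_hidden_or_encoded",
     re.compile(r"powershell(\.exe)?\b.*(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden)", re.I),
     3, "T1059.001"),
    ("wmic_remote_or_process_create",
     re.compile(r"\bwmic\b.*(/node:|process\s+call\s+create)", re.I), 4, "T1047"),
    ("netsh_portproxy",
     re.compile(r"\bnetsh\b.*\bportproxy\b", re.I), 4, "T1090.001"),
    ("schtasks_create",
     re.compile(r"\bschtasks\b.*/create\b", re.I), 2, "T1053.005"),
    ("registry_run_key",
     re.compile(r"\breg(\.exe)?\s+add\b.*\\CurrentVersion\\Run(Once)?\b", re.I), 3, "T1547.001"),
]


def parse_event(line):
    """Split one flattened 4688 record into its four fields."""
    account, host, parent, cmdline = line.split("|", 3)
    return {"account": account, "host": host, "parent": parent, "cmdline": cmdline}


def match_rules(cmdline):
    """Names, weights and technique ids of every rule that fires on a command line."""
    return [(name, weight, tech) for name, rx, weight, tech in RULES if rx.search(cmdline)]


def analyze(events):
    """Aggregate rule hits per host: {host: {"score": int, "findings": [...]}}.

    Hosts with no hits are omitted, so the result is the hunting worklist.
    """
    report = defaultdict(lambda: {"score": 0, "findings": []})
    for line in events:
        ev = parse_event(line)
        for name, weight, tech in match_rules(ev["cmdline"]):
            entry = report[ev["host"]]
            entry["score"] += weight
            entry["findings"].append((name, tech, ev["account"], ev["cmdline"]))
    return dict(report)


def hosts_to_triage(events, threshold=4):
    """Hosts whose aggregated score reaches the threshold, highest score first."""
    report = analyze(events)
    return sorted((h for h, r in report.items() if r["score"] >= threshold),
                  key=lambda h: -report[h]["score"])


if __name__ == "__main__":
    for host in hosts_to_triage(SAMPLE_EVENTS):
        entry = analyze(SAMPLE_EVENTS)[host]
        print(f"{host}: score={entry['score']}")
        for name, tech, account, cmdline in entry["findings"]:
            print(f"  [{tech}] {name} by {account}: {cmdline}")
```

The per-host score matters more than any single rule: an administrator legitimately creating one scheduled task scores low, while a workstation that shows hidden encoded PowerShell, a new scheduled task and a new Run key within the same window rises to the top of the list. In a real deployment the same rules would run against 4688 events with command-line auditing enabled, or against Sysmon event 1, rather than against flattened strings.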
Volt Typhoon's targeting is highly strategic and aligns with China's geopolitical and economic interests. Their primary focus is on:
Critical Infrastructure: This is the most significant aspect of Volt Typhoon's victimology. They have targeted organizations in the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. The emphasis on communications infrastructure, particularly in Guam and other strategically important locations, is notable.
Geographic Focus: While primarily targeting the United States, Volt Typhoon has also been observed targeting organizations in other regions, including the Asia-Pacific region. The focus on Guam, a US territory with significant military installations, is a key indicator of their strategic objectives.
Political Motivations: Espionage and pre-positioning for potential disruptive or destructive cyberattacks in the event of geopolitical tensions or conflict. The targeting of critical infrastructure suggests a long-term goal of gaining access to systems that could be used to disrupt essential services.
Potential Impact: Data breaches, operational disruption, and potential for destructive attacks against critical infrastructure. The long-term access and stealthy nature of Volt Typhoon's operations raise concerns about the potential for significant damage in a conflict scenario. To understand more, it's important to know what threat intelligence is.
Several significant attack campaigns have been attributed to Volt Typhoon:
May 2023: Microsoft and the Five Eyes intelligence alliance released a joint advisory detailing Volt Typhoon's targeting of critical infrastructure in the United States, particularly in Guam. This advisory highlighted the group's use of "living off the land" techniques.
January 2024: CISA, NSA, and the FBI released a joint Cybersecurity Advisory highlighting a cluster of activity in which Volt Typhoon operators leveraged infected, privately owned SOHO routers.
February 2024: The US government, together with international partners, disrupted the "KV-botnet", removing the KV-botnet malware from the compromised routers.
These campaigns illustrate Volt Typhoon's consistent focus on critical infrastructure and its ability to maintain long-term, undetected access to compromised systems. The public disclosure of these campaigns has raised awareness of the threat and prompted increased efforts to detect and mitigate Volt Typhoon's activities. Incident response planning is crucial in such scenarios.
Defending against Volt Typhoon requires a multi-layered approach that goes beyond traditional signature-based detection. Key defense strategies include:
Vulnerability Management: Prioritize patching of internet-facing devices, especially networking equipment, and public-facing applications. Regularly scan for vulnerabilities and apply updates promptly. A solid patch management strategy is essential.
Strong Authentication: Implement multi-factor authentication (MFA) for all critical systems and remote access services. Enforce strong password policies.
Network Segmentation: Segment networks to limit lateral movement. Isolate critical infrastructure from less critical networks.
Behavioral Monitoring: Implement security monitoring solutions that can detect anomalous behavior, such as unusual use of system administration tools, unexpected network connections, and atypical user activity. Focus on detecting the techniques used by Volt Typhoon, rather than relying solely on signatures. Consider implementing a SIEM for security information and event management.
Endpoint Detection and Response (EDR): Deploy EDR solutions that can detect and respond to malicious activity on endpoints. Look for EDR solutions with strong behavioral analysis capabilities.
Threat Intelligence: Leverage threat intelligence feeds to stay informed about the latest TTPs used by Volt Typhoon and other threat actors. Use this information to proactively adjust security controls.
Log Aggregation and Analysis: Centralize and analyze security logs from various sources, including network devices, servers, and endpoints. Look for indicators of compromise (IOCs) and unusual patterns of activity. For security monitoring, understanding essential Windows directories is helpful.
Regular Security Audits and Penetration Testing: Conduct regular security audits and penetration tests to identify vulnerabilities and weaknesses in security posture.
Disable Unused Services and Features: Reduce the attack surface by disabling unnecessary services, features, and protocols on systems, particularly on internet-facing devices. For example, disable or restrict access to PowerShell and WMIC if they are not required for legitimate operations.
Restrict Script Execution: Implement strict script execution policies to prevent unauthorized PowerShell and other scripts from running. Utilize application control solutions to allow only approved scripts and executables.
Incident Response Planning: Develop and regularly test an incident response plan that specifically addresses the threat posed by Volt Typhoon and similar actors. A well-defined cyber incident response plan is crucial.
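The behavioral monitoring and log analysis items above call for spotting administrative-tool use that is unusual for a given account rather than matching fixed signatures. As an added example written for this page (not the article's own code or any vendor's product), the script below builds a per-account baseline of which administrative tools each account runs, on which hosts and at which hours, from a constructed set of aggregated process-creation records, and then flags recent admin-tool executions that depart from that baseline. The record sets, the ADMIN_TOOLS list and the one-week learning window are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Built-in administration tools worth baselining: the ones named in the article
# plus schtasks/reg, which cover scheduled-task and Run-key persistence.
ADMIN_TOOLS = {"powershell.exe", "wmic.exe", "netsh.exe", "schtasks.exe", "reg.exe"}

# Constructed, aggregated process-creation records as (timestamp, host, account,
# image name). BASELINE stands for a quiet learning window and RECENT for the
# window being evaluated. Both are illustrative values, not real telemetry.
BASELINE = [
    ("2024-03-04T09:12:00", "ADMIN-JUMP01", "it_admin", "powershell.exe"),
    ("2024-03-04T10:40:00", "ADMIN-JUMP01", "it_admin", "wmic.exe"),
    ("2024-03-05T14:05:00", "ADMIN-JUMP01", "it_admin", "netsh.exe"),
    ("2024-03-05T08:55:00", "WKSTN22", "jdoe", "outlook.exe"),
    ("2024-03-06T11:20:00", "FILESRV01", "svc_backup", "robocopy.exe"),
]
RECENT = [
    ("2024-03-12T09:30:00", "ADMIN-JUMP01", "it_admin", "wmic.exe"),   # routine admin work
    ("2024-03-12T03:17:00", "FILESRV01", "svc_backup", "wmic.exe"),    # new tool, off hours
    ("2024-03-12T03:19:00", "FILESRV01", "svc_backup", "netsh.exe"),   # new tool, off hours
    ("2024-03-12T15:00:00", "WKSTN22", "jdoe", "outlook.exe"),         # not an admin tool
    ("2024-03-12T22:45:00", "WKSTN22", "tmp_user", "powershell.exe"),  # account never seen
]


def build_baseline(records):
    """Per-account sets of tools, hosts and hours observed during the learning window."""
    baseline = defaultdict(lambda: {"tools": set(), "hosts": set(), "hours": set()})
    for ts, host, account, image in records:
        entry = baseline[account]
        entry["tools"].add(image.lower())
        entry["hosts"].add(host.upper())
        entry["hours"].add(datetime.fromisoformat(ts).hour)
    return dict(baseline)


def evaluate(baseline, records):
    """Admin-tool executions that depart from the account's baseline, with reasons.

    Non-admin tools are ignored; an account with no baseline at all is itself a
    reason, since a credential that never ran admin tools before now does.
    """
    findings = []
    for ts, host, account, image in records:
        image = image.lower()
        if image not in ADMIN_TOOLS:
            continue
        entry = baseline.get(account)
        reasons = []
        if entry is None:
            reasons.append("no baseline for account")
        else:
            if image not in entry["tools"]:
                reasons.append(f"{image} not previously run by {account}")
            if host.upper() not in entry["hosts"]:
                reasons.append(f"{account} not previously active on {host}")
            if datetime.fromisoformat(ts).hour not in entry["hours"]:
                reasons.append("outside the account's observed hours")
        if reasons:
            findings.append({"ts": ts, "host": host, "account": account,
                             "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in evaluate(build_baseline(BASELINE), RECENT):
        print(f"{f['ts']} {f['host']} {f['account']} {f['image']}: " + "; ".join(f["reasons"]))
```

The point of the baseline is that the same command that is routine for a jump-host administrator at 09:30 becomes a finding when a backup service account runs it on a file server at 03:17. A one-week learning window as used here is far too short for production; real baselines need weeks of data, exclusion of known-compromised periods, and a review process for the first-seen events they inevitably produce.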
Volt Typhoon represents a significant and persistent cyber espionage threat, particularly to critical infrastructure. Their reliance on "living off the land" techniques makes detection challenging, requiring a proactive and sophisticated approach to cybersecurity. By understanding their TTPs, targeting patterns, and the motivations behind their operations, organizations can implement effective defenses to mitigate the risk posed by this advanced threat actor. Continuous vigilance, robust security monitoring, and proactive threat hunting are essential to staying ahead of Volt Typhoon and similar state-sponsored adversaries. Consider leveraging SOAR to automate threat detection.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.