March 11, 2025

Volt Typhoon APT

Volt Typhoon is a state-sponsored Advanced Persistent Threat (APT) group operating on behalf of the People's Republic of China (PRC). This group has garnered significant attention due to its focus on targeting critical infrastructure organizations within the United States and its territories. Unlike traditional cyber espionage campaigns focused on data theft, Volt Typhoon's primary objective appears to be pre-positioning for potential disruptive or destructive cyberattacks against critical infrastructure in the event of a major geopolitical crisis or conflict. This strategic objective, combined with the group's sophisticated "living off the land" techniques, makes them a particularly dangerous and challenging threat to detect and mitigate. The group's activities have prompted joint advisories from multiple US government agencies and international partners, underscoring the severity of the threat.

Origins & Evolution

Volt Typhoon was first publicly identified in mid-2021, although evidence suggests the group had been operating undetected for a considerable period before that, potentially for at least five years in some compromised networks. The group is believed to be linked to the Chinese government, specifically tasked with gaining and maintaining access to critical infrastructure networks. This attribution is based on a combination of technical indicators, targeting patterns, and intelligence assessments by multiple cybersecurity firms and government agencies.

Volt Typhoon goes by several aliases, reflecting the challenges in tracking and attributing APT groups. These aliases include:

  • VANGUARD PANDA

  • BRONZE SILHOUETTE

  • Redfly

  • Insidious Taurus

  • Dev-0391

  • Storm-0391

  • UNC3236

  • VOLTZITE

Over time, Volt Typhoon has demonstrated an ability to adapt and evolve its tactics. While initially observed exploiting known vulnerabilities in internet-facing devices, the group has also been linked to the potential use of zero-day exploits. Furthermore, Volt Typhoon has shown a remarkable ability to rebuild infrastructure after disruptions, such as the FBI-led takedown of the KV-botnet, a network of compromised SOHO routers used by the group. This resilience and adaptability highlight the group's commitment to its objectives and the resources available to it.

Tactics & Techniques

Volt Typhoon's operations are characterized by a strong emphasis on stealth and operational security, making them particularly difficult to detect. Their hallmark tactic is "living off the land" (LOTL), which involves using legitimate system administration tools and processes already present in the target environment. This approach allows them to blend in with normal network activity and avoid triggering alerts from traditional security solutions.

Key stages of a Volt Typhoon attack include:

  • Initial Access: The group typically gains initial access by exploiting known or zero-day vulnerabilities in public-facing network appliances, such as routers, VPNs, and firewalls from vendors like Fortinet, Ivanti, NETGEAR, Citrix, and Cisco. They also leverage publicly available exploit code.

  • Reconnaissance: Before and after compromising a network, Volt Typhoon conducts extensive reconnaissance. They use open-source intelligence (OSINT) tools and search engines like FOFA, Shodan, and Censys to gather information about the target organization, its network infrastructure, key personnel, and security measures. Open-source tools such as Amass serve the same network-mapping purpose.

  • Resource Development: They often use multi-hop proxies, including compromised SOHO routers, to obfuscate their activity and make attribution more difficult. The KV-botnet is a prime example of this tactic.

  • Persistence: Volt Typhoon establishes persistent access using valid accounts, often compromised through credential theft or exploitation of privilege escalation vulnerabilities. They may also establish VPN sessions or, rarely, deploy custom backdoors. A successful privilege escalation attack can be devastating, since it hands the attacker the same access a legitimate administrator has.

  • Defense Evasion: In addition to LOTL techniques, Volt Typhoon employs other defense evasion methods, such as selectively clearing logs to remove traces of their activity. They have also been seen using UPX packing for obfuscation.

  • Credential Access: A crucial objective is to obtain administrator credentials. They achieve this through various methods, including exploiting privilege escalation vulnerabilities, obtaining credentials stored on compromised appliances, and extracting the Active Directory database (NTDS.dit) from domain controllers. Offline password cracking of the NTDS.dit data allows them to gain elevated access.

  • Discovery: Within the compromised network, Volt Typhoon uses a combination of commercial tools, LOTL utilities, and existing appliances to gather information about the system, network services, user accounts, and group memberships. PowerShell is frequently used for targeted queries on Windows event logs.

  • Lateral Movement: The group primarily uses Remote Desktop Protocol (RDP) with compromised credentials to move laterally within the network.

  • Collection: Volt Typhoon collects sensitive information, with a particular focus on data related to Operational Technology (OT) equipment, SCADA systems, relays, and switchgear. This indicates a potential intent to disrupt physical processes.

  • Command and Control (C2): They leverage compromised SOHO routers and Virtual Private Servers (VPS) for command and control. They have also been observed setting up FRP (Fast Reverse Proxy) clients on victim infrastructure to maintain access. They often utilize a VPN for this purpose, but it's important to avoid free VPNs.
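The two stages above that leave the clearest host-level trail are the NTDS.dit extraction on a domain controller and the selective clearing of logs. The following hunting script is an added example written for this article, not code from the article or any vendor: it runs over a handful of constructed Windows event records (process creation, event ID 4688, and audit log cleared, event ID 1102) and flags the indicators described in the text. The indicator regexes, the severity levels and every host, user and command line in the sample are assumptions made for the illustration, and the "isolate the host" logic follows the article's own incident response guidance that NTDS.dit extraction means the whole domain must be treated as compromised.

```python
"""Hunt for Volt Typhoon-style living-off-the-land activity in Windows
event records. Added example for this article, not code from the article
or any vendor. All event records below are constructed, and the indicator
patterns are assumptions derived from the behaviours the article describes
(NTDS.dit extraction on a domain controller, selective log clearing,
PowerShell queries against event logs)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    event_id: int      # 4688 = process creation, 1102 = audit log cleared
    host: str
    user: str
    command_line: str  # empty for 1102


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    host: str
    user: str


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    Event(4688, "DC01", "CORP\\svc_backup",
          r"C:\Windows\System32\ntdsutil.exe ifm [arguments elided]"),
    Event(4688, "WS17", "CORP\\jdoe",
          r"C:\Windows\System32\notepad.exe C:\Users\jdoe\notes.txt"),
    Event(4688, "DC01", "CORP\\svc_backup",
          r"cmd.exe /c copy C:\Temp\ntds.dit \\FS02\share\out.dit"),
    Event(1102, "DC01", "CORP\\svc_backup", ""),
    Event(4688, "FS02", "CORP\\helpdesk",
          r"powershell.exe Get-WinEvent -LogName Security -MaxEvents 20"),
    Event(4688, "WS17", "CORP\\jdoe",
          r"C:\Windows\System32\svchost.exe -k netsvcs"),
]

# Each rule: (name, severity, event id, regex over the command line or None).
# Patterns are illustrative assumptions, not a vendor's detection content.
RULES = [
    ("ntds_dit_access", "critical", 4688,
     re.compile(r"ntdsutil(\.exe)?|ntds\.dit", re.IGNORECASE)),
    ("security_log_cleared", "high", 1102, None),
    ("powershell_eventlog_query", "low", 4688,
     re.compile(r"powershell.*(Get-WinEvent|Get-EventLog)", re.IGNORECASE)),
]


def hunt(events):
    """Return one Finding per (event, rule) match, in input order."""
    findings = []
    for ev in events:
        for name, severity, event_id, pattern in RULES:
            if ev.event_id != event_id:
                continue
            if pattern is not None and not pattern.search(ev.command_line):
                continue
            findings.append(Finding(name, severity, ev.host, ev.user))
    return findings


def hosts_to_isolate(findings):
    """Hosts with a critical finding. NTDS.dit extraction means the whole
    domain is assumed compromised, so these hosts are cut off first."""
    return sorted({f.host for f in findings if f.severity == "critical"})


def rules_fired_per_host(findings):
    """Group rule names by host so an analyst sees which stages co-occur
    (e.g. extraction followed by log clearing on the same domain controller)."""
    out = {}
    for f in findings:
        out.setdefault(f.host, set()).add(f.rule)
    return out


if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.severity:8} {f.rule:26} host={f.host} user={f.user}")
    print("isolate:", hosts_to_isolate(results))
```

The low-severity PowerShell rule is deliberately noisy on its own; it is only meaningful when it co-occurs on the same host with the higher-severity rules, which is what the per-host grouping is for.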

Targets or Victimology

Volt Typhoon's targeting pattern is highly specific and strategically significant. Their primary focus is on US critical infrastructure organizations, including:

  • Communications: Telecommunications providers, internet service providers.

  • Energy: Power generation, transmission, and distribution companies.

  • Transportation Systems: Railways, ports, airports, and other transportation networks.

  • Water and Wastewater Systems: Water treatment plants, distribution networks.

  • Manufacturing

  • Construction

  • Maritime

  • Government

  • Information Technology

  • Education Sector

The targeting of these sectors suggests a clear intent to pre-position for potential disruptive attacks that could have significant consequences for national security, economic stability, and public safety. Smaller organizations that provide services to larger critical infrastructure entities are also at risk, as Volt Typhoon may use them as stepping stones to reach their ultimate targets. Geographically, compromises have been confirmed in the continental and non-continental United States and its territories, including Guam. The involvement of Five Eyes partners in joint advisories suggests that other countries, including Australia, Canada, New Zealand, and the United Kingdom, may also be vulnerable. Security logging is also an important aspect to consider.

Attack Campaigns

Several notable attack campaigns have been attributed to Volt Typhoon:

  • US Critical Infrastructure and Military Targeting (2021-Present): Ongoing activity aimed at gathering information on US critical infrastructure and military capabilities. This includes targeting organizations in Guam, a strategically important location in the Pacific. This campaign highlights Volt Typhoon's focus on reconnaissance and potential preparation for future disruptive attacks.

  • Exploitation of Network Appliances: Volt Typhoon has consistently exploited vulnerabilities in network appliances from various vendors, including Fortinet, Ivanti, NETGEAR, Citrix, and Cisco. This demonstrates their ability to leverage both known and potentially zero-day vulnerabilities to gain initial access.

  • KV-Botnet Utilization and Disruption: The group utilized the KV-botnet, a network of compromised SOHO routers, to mask their activities. A court-authorized operation by the FBI successfully disrupted this botnet, but Volt Typhoon has demonstrated the capability to rebuild its infrastructure. Understanding Indicators of Compromise (IOCs) is crucial for recognising this kind of infrastructure when it reappears.

Defenses

Defending against Volt Typhoon requires a multi-layered approach that combines proactive prevention, robust detection capabilities, and a well-defined incident response plan. Due to the group's reliance on "living off the land" techniques and valid accounts, traditional signature-based security solutions are often ineffective.

Key defense strategies include:

  • Harden the Attack Surface:

* Regularly patch and update all internet-facing systems, especially network appliances.

* Apply hardening guidance provided by vendors and security organizations.

* Maintain a comprehensive asset inventory to identify and manage all devices connected to the network.

* Limit internet exposure of management interfaces and other critical services.

* Develop a plan for managing and replacing end-of-life technology.

  • Secure Credentials and Accounts:

* Enforce strong password policies and prohibit the use of default passwords.

* Do not store credentials on edge devices or in plaintext.

* Implement multi-factor authentication (MFA) for all users and privileged accounts, preferably using phishing-resistant MFA methods.

* Separate user accounts from privileged accounts and enforce the principle of least privilege.

* Limit the number of users with elevated privileges and implement continuous monitoring of privileged account activity.

* Transition to Group Managed Service Accounts (gMSAs) where possible.

* Consider implementing Privileged Access Management (PAM) solutions.

* Implement an Active Directory tiering model to restrict access to sensitive resources.

* Harden administrative workstations and disable accounts of departing employees.

* Regularly audit user accounts and permissions.

* Improve the management of hybrid identity federation.

  • Secure Remote Access Services:

* Limit the use of RDP and other remote access services whenever possible.

* Disable SMBv1 and harden SMBv3.

* Apply mitigations and best practices outlined in CISA's guide on securing remote access software.

  • Implement Network Segmentation:

* Isolate sensitive accounts and systems from the rest of the network.

* Conduct trust assessments to identify and mitigate potential risks.

* Harden federated authentication and implement network segmentation to isolate federation servers.

  • Secure Cloud Assets:

* Harden cloud assets.

* Revoke unnecessary public access.

* Disable legacy authentication protocols.

* Regularly monitor and audit privileged cloud-based accounts.

  • Enhance Detection Capabilities:

* Enable comprehensive logging, including PowerShell logging, and store logs centrally for analysis.

* Establish baselines of normal network activity and user behavior to identify anomalies.

* Implement behavioral monitoring to detect activities that rely on legitimate tools and processes.

* Utilize Endpoint Detection and Response (EDR) solutions in block mode.

* Actively hunt for signs of compromise using threat intelligence, hunting queries, and IOCs.

  • OT-Specific Mitigations:

* Change default passwords on all OT devices.

* Enforce strict access policies for OT networks.

* Segment OT networks from IT networks.

* Monitor connections to and from OT networks for unauthorized activity.

* Monitor for unauthorized controller changes.

* Lock or limit set points to prevent unauthorized manipulation.

* Develop and implement a plan for maintaining resilience in the event of a cyberattack.

  • Be Prepared:

* Enable logging.

* Store logs centrally.

* Establish a baseline of normal activity.

* Document threats and TTPs.

* Implement training.

  • Incident Response:

* Assume full domain compromise if NTDS.dit extraction is detected.

* Sever the network from the internet (or shutdown non-essential traffic).

* Reset credentials.

* Audit network appliance configurations.

* Update firmware and software.

* Report the compromise.

* Apply best practices for identity and credential access management in cloud/hybrid environments.

A documented Cyber Incident Response Plan (CIRP) is crucial when an incident occurs. Security teams can also surface suspicious events with User and Entity Behavior Analytics (UEBA), and understanding the key differences between SOAR, SIEM, and XDR helps in choosing the right incident response tooling.
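The "Enhance Detection Capabilities" items above (baseline normal activity, then monitor for deviations) are the practical answer to the RDP-based lateral movement described under Tactics & Techniques. The following is an added example written for this article, not code from the article or any vendor, showing what such a baseline check looks like over logon records: it learns which (account, source, destination) RDP paths are normal from a baseline window and flags paths that are new, escalating accounts that never used RDP before and accounts that fan out to several new hosts. The records are constructed; their fields mirror the Windows Security logon event (ID 4624, where LogonType 10 is a remote-interactive/RDP logon), but none of the hosts, accounts, addresses or thresholds are real.

```python
"""Baseline-and-deviation detection for RDP lateral movement. Added example
for this article, not code from the article or any vendor. Logon records
are constructed; field names follow Windows Security event 4624 (LogonType
10 = RemoteInteractive, i.e. RDP), and the threshold is an assumption."""
from dataclasses import dataclass
from datetime import datetime

RDP = 10  # LogonType value for RemoteInteractive logons


@dataclass(frozen=True)
class Logon:
    when: datetime
    logon_type: int
    account: str
    src_ip: str
    dst_host: str


def _t(s):
    return datetime.fromisoformat(s)


# Constructed baseline window: the help desk regularly RDPs to two
# workstations, an admin regularly RDPs to the domain controller from a
# jump host, and one non-RDP (network) logon is present to be ignored.
BASELINE = [
    Logon(_t("2025-02-01T09:00"), RDP, "CORP\\helpdesk", "10.0.5.20", "WS17"),
    Logon(_t("2025-02-03T10:10"), RDP, "CORP\\helpdesk", "10.0.5.20", "WS22"),
    Logon(_t("2025-02-05T11:30"), RDP, "CORP\\admin", "10.0.1.5", "DC01"),
    Logon(_t("2025-02-12T09:05"), RDP, "CORP\\helpdesk", "10.0.5.20", "WS17"),
    Logon(_t("2025-02-20T14:00"), RDP, "CORP\\admin", "10.0.1.5", "DC01"),
    Logon(_t("2025-02-21T08:00"), 3, "CORP\\jdoe", "10.0.7.31", "FS02"),
]

# Constructed detection window: a service account that never used RDP starts
# hopping between hosts at night from an unfamiliar address, plus one benign
# new help-desk path that should rate lower.
CURRENT = [
    Logon(_t("2025-03-02T02:14"), RDP, "CORP\\svc_backup", "10.0.9.250", "FS02"),
    Logon(_t("2025-03-02T02:31"), RDP, "CORP\\svc_backup", "10.0.9.250", "DC01"),
    Logon(_t("2025-03-02T02:47"), RDP, "CORP\\svc_backup", "10.0.9.250", "OT-HMI01"),
    Logon(_t("2025-03-03T09:00"), RDP, "CORP\\helpdesk", "10.0.5.20", "WS17"),
    Logon(_t("2025-03-03T09:40"), RDP, "CORP\\helpdesk", "10.0.5.20", "WS40"),
]


def build_baseline(logons):
    """Map each account to the set of (src_ip, dst_host) RDP paths it used."""
    paths = {}
    for l in logons:
        if l.logon_type == RDP:
            paths.setdefault(l.account, set()).add((l.src_ip, l.dst_host))
    return paths


def detect(baseline, logons, fan_out_threshold=3):
    """Flag RDP logons whose path is absent from the baseline.

    Severity is "high" when the account has no RDP history at all, "medium"
    when a known RDP user merely takes a new path. Accounts reaching at
    least fan_out_threshold distinct new hosts are listed separately, since
    that spread is the lateral-movement pattern the article describes."""
    new_paths = []
    new_hosts_by_account = {}
    for l in logons:
        if l.logon_type != RDP:
            continue
        known = baseline.get(l.account, set())
        if (l.src_ip, l.dst_host) in known:
            continue
        severity = "high" if l.account not in baseline else "medium"
        new_paths.append((l.when.isoformat(), l.account, l.src_ip, l.dst_host, severity))
        new_hosts_by_account.setdefault(l.account, set()).add(l.dst_host)
    fan_out = sorted(a for a, hosts in new_hosts_by_account.items()
                     if len(hosts) >= fan_out_threshold)
    return {"new_paths": new_paths, "fan_out_accounts": fan_out}


if __name__ == "__main__":
    report = detect(build_baseline(BASELINE), CURRENT)
    for when, account, src, dst, sev in report["new_paths"]:
        print(f"{sev:6} {when} {account} {src} -> {dst}")
    print("fan-out accounts:", report["fan_out_accounts"])
```

In production the baseline window would be rebuilt on a rolling basis and the path key extended with logon hour and source subnet; the structure stays the same, which is why this check catches valid-account activity that signature-based tooling cannot.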

Conclusion

Volt Typhoon represents a significant and persistent threat to US critical infrastructure. The group's state-sponsored backing, strategic objectives, sophisticated techniques, and focus on stealth make them a formidable adversary. Defending against Volt Typhoon requires a proactive, multi-layered approach that goes beyond traditional security measures. Organizations must prioritize hardening their attack surface, securing credentials and accounts, implementing robust detection capabilities, and developing comprehensive incident response plans. Collaboration and information sharing between government agencies, international partners, and the private sector are crucial to effectively counter this evolving threat and protect critical infrastructure from potential disruption. Disciplined patch management remains a foundational part of these security measures.

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
