Volt Typhoon
| Formation | 2021 or earlier |
|---|---|
| Type | Advanced persistent threat |
| Purpose | Cyberwarfare |
| Location | |
| Affiliations | Chinese government |
Volt Typhoon (also known as BRONZE SILHOUETTE, Dev-0391, Insidious Taurus, Storm-0391, UNC3236, VANGUARD PANDA, or VOLTZITE) is an advanced persistent threat engaged in cyberespionage on behalf of the People's Republic of China. Active since at least mid-2021, the group is known to primarily target the United States manufacturing, utility, transportation, construction, maritime, defense, information technology, and education sectors. Volt Typhoon focuses on espionage, data theft, and credential access.[1]
According to Microsoft, the group goes to great lengths to avoid detection, and its campaigns prioritize capabilities which enable China to sabotage critical communications infrastructure between the US and Asia during potential future crises.[1] The US government believes the group's goal is to slow down any potential US military mobilization that may come following a Chinese invasion of Taiwan.[2]
Names
[edit]Volt Typhoon is a name assigned by Microsoft, and is the most widely used name for the group. The group is also variously known as:
- BRONZE SILHOUETTE (by Secureworks, a subsidiary of Dell)
- Dev-0391
- Insidious Taurus
- Storm-0391
- UNC3236 (by Mandiant, a subsidiary of Google Cloud)
- VANGUARD PANDA
- VOLTZITE[3]
Methodology
[edit]According to a joint publication by all of the cybersecurity and signals intelligence agencies of the Five Eyes, Volt Typhoon's core tactics, techniques, and procedures (TTPs) include living off the land, using built-in network administration tools to perform their objectives and blending in with normal Windows system and network activities. This tactic avoids endpoint detection and response (EDR) programs which would alert on the introduction of third-party applications to the host, and limits the amount of activity captured in default logging configurations. Some of the built-in tools used by Volt Typhoon are: wmic, ntdsutil, netsh, and Powershell.[4]
The group initially uses malicious software that penetrates internet-connected systems by exploiting vulnerabilities such as weak administrator passwords, factory default logins and devices that haven’t been updated regularly.[5] Once they gain access to a target, they put a strong emphasis on stealth, almost exclusively relying on living-off-the-land techniques and hands-on-keyboard activity.[5]
Volt Typhoon rarely uses malware in their post-compromise activity. Instead, they issue commands via the command line to first collect data, including credentials from local and network systems, put the data into an archive file to stage it for exfiltration, and then use the stolen valid credentials to maintain persistence.[1][6] Some of these commands appear to be exploratory or experimental, as the operators adjust and repeat them multiple times. In addition, Volt Typhoon tries to blend into normal network activity by routing traffic through compromised small office and home office network equipment, including routers, firewalls, and VPN hardware.[7] They have also been observed using custom versions of open source tools to establish a command and control (C2) channel over proxy to further hidden.[1][5]
In many ways, Volt Typhoon functions similarly to traditional botnet operators, taking control of vulnerable devices such as routers and security cameras to hide and establish a beachhead in advance of using that system to launch future attacks. Operating this way makes it difficult for cybersecurity defenders to accurately identify the source of an attack.[5]
According to Secureworks (a division of Dell), Volt Typhoon's interest in operational security "likely stemmed from embarrassment over the drumbeat of US indictments [of Chinese state-backed hackers] and increased pressure from Chinese leadership to avoid public scrutiny of its cyberespionage activity."[8]
Notable campaigns
[edit]Attacks on US Navy
[edit]The US government has repeatedly detected activity on systems in the US and Guam designed to gather information on U.S. critical infrastructure and military capabilities, but Microsoft and the agencies said the attacks could be preparation for a future attack on U.S. critical infrastructure.[1]
Disruption
[edit]In January 2024, the FBI announced that it had disrupted Volt Typhoon’s operations by undertaking court-authorized operations to remove malware from US-based victim routers, and taking steps to prevent reinfection.[9]
References
[edit]- ^ a b c d e "Volt Typhoon targets US critical infrastructure with living-off-the-land techniques". Microsoft. 2023-05-24. Retrieved 2024-10-09.
- ^ Antoniuk, Daryna (2024-08-27). "China's Volt Typhoon reportedly targets US internet providers using Versa zero-day". Recorded Future. Retrieved 2024-10-09.
- ^ "Volt Typhoon (Threat Actor)". Fraunhofer Society. Retrieved 2024-10-09.
- ^ "People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection". Cybersecurity and Infrastructure Security Agency. 2023-05-24. Retrieved 2024-10-09.
- ^ a b c d Forno, Richard (2024-04-01). "What Is Volt Typhoon? A Cybersecurity Expert Explains The Chinese Hackers Targeting US Critical Infrastructure". University of Maryland, Baltimore County. Retrieved 2024-10-09.
- ^ "Volt Typhoon: Chinese State-Sponsored Actor Targeting Critical Infrastructure". Secure Blink. 2023-06-05. Retrieved 2024-10-09.
- ^ Paing Htun, Phyo; Kimura, Ai; Srinivasan, Manikantan; Natarajan, Pooja (2024-03-28). "Volt Typhoon, BRONZE SILHOUETTE, Group G1017". Mitre Corporation. Retrieved 2024-10-09.
- ^ Pearson, James; Satter, Raphael (2024-04-19). Berkrot, Bill (ed.). "What is Volt Typhoon, the Chinese hacking group the FBI warns could deal a 'devastating blow'?". Reuters.
- ^ "U.S. Government Disrupts Botnet People's Republic of China Used to Conceal Hacking of Critical Infrastructure". United States Department of Justice. 2024-01-31. Retrieved 2024-10-09.