Threat Intelligence Report on VOLT TYPHOON
2024-2-6 01:41:40 Author: krypt3ia.wordpress.com

VOLT TYPHOON

The activity of the Chinese cyber-espionage campaign known as Volt Typhoon has been a significant concern for U.S. national security. The campaign was publicly disclosed in May 2023, when U.S. officials and key allies revealed that Volt Typhoon had targeted critical American infrastructure entities, including telecommunications networks and transportation hubs. It was a sweeping Chinese cyber-spying operation that could potentially be leveraged against the United States in a future geopolitical crisis, such as a Chinese invasion of Taiwan.

Volt Typhoon, also known as Vanguard Panda, is affiliated with the Chinese government and has primarily focused on espionage, aiming to gather information on U.S. critical infrastructure and military capabilities. The campaign has raised suspicions of preparing for future attacks on U.S. critical infrastructure.

The technical aspects of Volt Typhoon’s operations involved the use of a botnet composed of hundreds of U.S.-based small office/home office (SOHO) routers hijacked by the campaign. These routers, infected with the “KV Botnet” malware, were used to conceal the origins of further hacking activities directed against U.S. and other foreign critical infrastructure. The campaign utilized living-off-the-land techniques (LOLBins) and valid accounts to maintain unauthorized access to target networks, making detection and mitigation challenging.

The Department of Justice and the FBI took action against this threat by disrupting the botnet in a court-authorized operation in December 2023. This operation involved removing malware from compromised U.S. routers and taking steps to prevent reinfection. The majority of these routers were end-of-life devices made by Cisco and Netgear, which were no longer supported with security patches or updates.

Mitigation and protection against such sophisticated campaigns require a comprehensive approach. Organizations are advised to enforce strong multi-factor authentication (MFA) policies, reduce their attack surface by ensuring management interfaces are not exposed to the public internet, and investigate suspected compromised accounts or affected systems.

The U.S. and its allies’ response to Volt Typhoon reflects a growing concern over state-sponsored cyber activities and the need for enhanced cybersecurity measures to protect critical infrastructure. The collaborative efforts to disrupt this campaign demonstrate the commitment to countering malicious cyber operations that threaten national security.

Overview

VOLT TYPHOON, identified as a state-sponsored cyber actor from the People’s Republic of China, has been active since at least 2021. This group focuses on espionage and information gathering, primarily targeting critical infrastructure sectors in the United States and Guam. VOLT TYPHOON is noted for its stealth operations, employing living-off-the-land (LOTL) techniques and hands-on-keyboard activity to evade detection and blend in with normal system and network activities.

Tactics, Techniques, and Procedures (TTPs)

  • Initial Access: VOLT TYPHOON gains initial access through internet-facing Fortinet FortiGuard devices, exploiting vulnerabilities and leveraging privileges to extract credentials and authenticate to other devices within the network.
  • Credential Access: They attempt to dump credentials from the Local Security Authority Subsystem Service (LSASS) and use tools like Ntdsutil.exe to create installation media from domain controllers containing usernames and password hashes.
  • Discovery and Collection: The group discovers system information and other systems on the network using tools like PowerShell, WMIC, and ping commands. They dump information from local web browser applications and stage data in password-protected archives.
  • Command and Control (C2): VOLT TYPHOON creates proxies on compromised systems using the netsh portproxy command and employs custom versions of open-source tools like Impacket and Fast Reverse Proxy (FRP) for establishing C2 channels.
  • Use of SOHO Devices: To enhance stealth and obfuscate their activities, VOLT TYPHOON proxies network traffic through compromised Small-Office-Home-Office (SOHO) devices from various manufacturers.
  • Living Off the Land: The actor utilizes tools already installed or built into the target’s system to evade detection, including the execution of known Volt Typhoon Fast Reverse Proxy binaries.

Indicators of Compromise (IOCs)

The group’s operations have been linked to the exploitation of specific vulnerabilities, such as CVE-2021-40539 and CVE-2021-27860, and have utilized various command-line strings, hashes, and file paths. For detection and threat hunting, the NSA and partner agencies recommend monitoring for the execution of these known binaries and commands, as well as ensuring the integrity of logs and looking for signs of log clearing or unusual IP addresses for sign-ins.

Mitigation and Recommendations

Organizations are advised to monitor and secure internet-facing devices, update SOHO devices with the latest security patches, and disable external-facing access where possible. Logging and monitoring of command execution and WMI events are crucial, along with applying the detection and hunting guidance provided in the cybersecurity advisory.
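As an added example that is not part of the original report, the following Python scans a constructed sample of process-creation log lines for the living-off-the-land commands named in the TTP list above (netsh portproxy, Ntdsutil installation media, LSASS dumping, WMIC) and for the event-log clearing the IOC section says to watch for; the log format, host names and rule set are assumptions made for this illustration, not an official signature set.

```python
import re
from collections import defaultdict

# Constructed sample of a process-creation log, pipe-delimited as
# timestamp|host|user|command line. Not real telemetry.
SAMPLE_LOG = """\
2024-02-05T09:58:11Z|WS07|CORP\\jdoe|cmd.exe /c dir C:\\Users\\jdoe\\Documents
2024-02-05T10:02:40Z|EDGE02|CORP\\admin|netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5 connectport=8443
2024-02-05T10:05:03Z|DC01|CORP\\svc_backup|ntdsutil.exe "ac i ntds" ifm "create full C:\\Windows\\Temp\\pro" q q
2024-02-05T10:06:15Z|DC01|CORP\\svc_backup|wevtutil.exe cl Security
2024-02-05T10:07:22Z|WS07|CORP\\jdoe|wmic /node:FS01 os get caption
2024-02-05T10:09:48Z|WS07|CORP\\jdoe|notepad.exe C:\\notes.txt
"""

# Hypothetical rule set written for this example, keyed to the report's TTPs:
# rule name -> (command-line pattern, tactic label used for correlation).
RULES = {
    "portproxy_forwarder": (re.compile(r"\bnetsh\s+interface\s+portproxy\s+add\s+v4tov4\b", re.I), "c2"),
    "ntds_ifm_dump": (re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b.*\bcreate\s+full\b", re.I), "credential_access"),
    "lsass_memory_dump": (re.compile(r"lsass.*\bdump|dump.*lsass", re.I), "credential_access"),
    "eventlog_cleared": (re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I), "defense_evasion"),
    "wmic_remote_query": (re.compile(r"\bwmic(\.exe)?\s+/node:", re.I), "discovery"),
}

def parse(line):
    ts, host, user, cmd = line.split("|", 3)
    return {"ts": ts, "host": host, "user": user, "cmd": cmd}

def scan(log_text):
    """Return one finding dict per (event, matching rule) pair."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse(raw)
        for name, (pattern, tactic) in RULES.items():
            if pattern.search(ev["cmd"]):
                findings.append({**ev, "rule": name, "tactic": tactic})
    return findings

def escalate(findings):
    """Hosts showing both credential access and log clearing: the combination the advisory guidance flags."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f["host"]].add(f["tactic"])
    return sorted(h for h, t in by_host.items() if {"credential_access", "defense_evasion"} <= t)

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f'{h["ts"]} {h["host"]} {h["rule"]}: {h["cmd"]}')
    print("escalate:", escalate(scan(SAMPLE_LOG)))
```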

Key Findings and Associations

  • APT Groups: Volt Typhoon has been linked with other Chinese state-sponsored cyber groups, including APT15 (BackdoorDiplomacy), APT41 (Winnti, Double Dragon, Amoeba), and APT27. These groups have engaged in a mix of espionage and financially motivated operations, targeting a broad range of sectors globally.
  • Cyber Espionage and Infrastructure Targeting: The group’s activities have been largely focused on espionage, aiming to maintain access to compromised systems for as long as possible without detection. Their operations have spanned critical sectors including communications, manufacturing, utilities, transportation, and government.
  • Operational Techniques: Volt Typhoon’s operational security is noted for its emphasis on stealth, utilizing botnets and living-off-the-land techniques to evade detection. They have exploited vulnerabilities in devices from manufacturers like Cisco, ASUS, and NETGEAR, among others.
  • Botnet Activities and FBI Actions: The FBI has targeted Volt Typhoon’s botnet infrastructure in a sting operation, highlighting the group’s evolving threat and the U.S. government’s increasing focus on countering cyber espionage and crime.

Conclusion

VOLT TYPHOON’s sophisticated tactics emphasize the importance of a comprehensive security posture that includes robust monitoring, the application of patches, and the hardening of network devices against unauthorized access. Awareness of the group’s methods and IOCs is vital for the defense against and mitigation of potential threats posed by this actor.

Source: https://krypt3ia.wordpress.com/2024/02/05/threat-intelligence-report-on-volt-typhoon/