Volt Typhoon | |
Other Names | BRONZE SILHOUETTE (Secureworks), Insidious Taurus (Palo Alto Networks) |
Location | China |
Date of initial activity | 2021 |
Suspected attribution | State-sponsored actor |
Motivation | Cyber Espionage and information gathering |
Associated tools | Living-off-the-land binaries, Web shells. Some of the built-in tools this actor uses are: Certutil, Impacketl, ipconfig, Mimikatz, Net, netsh, netstat, Nltest, ntdsutil, Ping, PowerShell, Systeminfo, Tasklist, Wevtutil, and wmic |
Overview
Volt Typhoon (aka BRONZE SILHOUETTE) has been active since at least 2021 and primarily targets U.S government and defense organizations for intelligence-gathering purposes. The group exploits vulnerable internet-facing servers to gain initial access and typically deploys a web shell for persistence.
Volt Typhoon has demonstrated careful consideration for operational security such as the use of living-off-the-land binaries, defense evasion techniques, and compromised infrastructure to prevent detection and attribution of their intrusion activity, and to blend in with legitimate network activity. Researchers assess with moderate confidence that Volt Typhoon is operating on behalf the People’s Republic of China. This assessment is based on victimology that aligns with PRC intelligence requirements, and tradecraft overlap with other state-sponsored Chinese threat groups tracked by researchers.
Common targets
Volt Typhoon affiliates were observed targeting the IT systems of critical infrastructure organizations in the United States, particularly in the Communications, Energy, Transportation Systems, and Water and Wastewater Systems sectors. This also includes organizations located in both the contiguous and non-contiguous regions of the United States, such as territories like Guam. Other affected entities include smaller organizations with constrained cybersecurity resources that provide critical services to larger organizations or key geographic locations.
Attack Vectors
Volt Typhoon typically gains initial access to the IT network by exploiting known or zero-day vulnerabilities in public-facing network appliances (e.g., routers, virtual private networks [VPNs], and firewalls) and then connects to the victim’s network via VPN for follow-on activities.
How they operate
Initial access
Volt Typhoon achieves initial access to targeted organizations through internet-facing devices. The threat actor attempts to leverage any privileges, extracts credentials to an Active Directory account used by the device, and then attempts to authenticate to other devices on the network with those credentials. Volt Typhoon proxies all its network traffic to its targets through compromised SOHO network edge devices (including routers). By proxying through these devices, Volt Typhoon enhances the stealth of their operations and lowers overhead costs for acquiring infrastructure.Post-compromise activity
Once Volt Typhoon gains access to a target environment, they begin conducting hands-on-keyboard activity via the command line. Some of these commands appear to be exploratory or experimental, as the operators adjust and repeat them multiple times. Volt Typhoon rarely uses malware in their post-compromise activity. Instead, they rely on living-off-the-land commands to find information on the system, discover additional devices on the network, and exfiltrate data. We describe their activities in the following sections, including the most impactful actions that relate to credential access.Credential access
If the account that Volt Typhoon compromises from the device has privileged access, they use that account to perform the following credential access activities.Collection
In addition to operating system and domain credentials, Volt Typhoon dumps information from local web browser applications. Microsoft has also observed the threat actors staging collected data in password-protected archives.Command and control
In most cases, Volt Typhoon accesses compromised systems by signing in with valid credentials, the same way authorized users do. However, in a small number of cases, Microsoft has observed Volt Typhoon operators creating proxies on compromised systems to facilitate access.MITRE ATT&CK Techniques
Initial Access
- Exploit Public-facing Application (T1190)
Execution
- Windows Management Instrumentation (T1047)
- Command and Scripting Interpreter: PowerShell (T1059.001)
- Command and Scripting Interpreter: Windows Command Shell (T1059.003)
Persistence
- Server Software Component: Web Shell (T1505.003)
Defense Evasion
- Indicator Removal (T1070)
- Indicator Removal: Clear Windows Event Logs (T1070.001)
Credential Access
- OS Credential Dumping: NTDS (T1003.003)
- Brute Force (T1110)
- Brute Force: Password Spraying (T1110.003)
- OS Credential Dumping (T1003)
- Credentials from Password Stores (T1555)
Discovery
- System Information Discovery (T1082)
- System Owner/User Discovery (T1033)
- Permission Groups Discovery: Local Groups (T1069.001)
- Permission Groups Discovery: Doman Groups (T1069.002)
- System Network Configuration Discovery (T1016)
Command and Control
- Proxy (T1090)
- Proxy: External Proxy (T1090.002)
References:
- Volt Typhoon targets US critical infrastructure with living-off-the-land techniques
- Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations
- Volt Typhoon: International Cybersecurity Authorities Detail Activity Linked to Chinese-State Sponsored Threat Actor
- People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection
- Volt Typhoon Compromises 30% of Cisco RV320/325 Devices in 37 Days
- PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure
- Threat Brief: Attacks on Critical Infrastructure Attributed to Insidious Taurus (Volt Typhoon)
