Volt Typhoon
| Formation | 2021 or earlier |
|---|---|
| Type | Advanced persistent threat |
| Purpose | Cyberwarfare |
| Affiliations | Chinese government |
Volt Typhoon (also known as VANGUARD PANDA, BRONZE SILHOUETTE, Redfly, Insidious Taurus, Dev-0391, Storm-0391, UNC3236, or VOLTZITE) is an advanced persistent threat engaged in cyberespionage reportedly on behalf of the People's Republic of China. Active since at least mid-2021, the group is known to primarily target United States manufacturing, utility, transportation, construction, maritime, defense, information technology, and education sectors. Volt Typhoon focuses on espionage, data theft, and credential access.[1]
According to Microsoft, the group goes to great lengths to avoid detection, and its campaigns prioritize capabilities which enable China to sabotage critical communications infrastructure between the US and Asia during potential future crises.[1] The US government believes the group's goal is to slow down any potential US military mobilization that may come following a Chinese invasion of Taiwan.[2] The Chinese government denies the group exists.[3][4]
Names
Volt Typhoon is the name currently assigned to the group by Microsoft, and is the most widely used name for the group. The group has also been variously referred to as:[5]
- Dev-0391 (by Microsoft, initially)
- Storm-0391 (by Microsoft, initially)
- BRONZE SILHOUETTE (by Secureworks, a subsidiary of Dell)
- Insidious Taurus (by Palo Alto Networks Unit 42)
- Redfly (by Gen Digital, formerly Symantec)
- UNC3236 (by Mandiant, a subsidiary of Google)
- VANGUARD PANDA (by CrowdStrike)
- VOLTZITE (by Dragos)[6]
Methodology
According to a joint publication by all of the cybersecurity and signals intelligence agencies of the Five Eyes, Volt Typhoon's core tactics, techniques, and procedures (TTPs) centre on living off the land: using built-in network administration tools to achieve their objectives and blending in with normal Windows system and network activity. This tactic avoids endpoint detection and response (EDR) products, which would alert on the introduction of third-party applications to the host, and limits the amount of activity captured in default logging configurations. Some of the built-in tools used by Volt Typhoon are wmic, ntdsutil, netsh, and PowerShell.[7]
The group initially uses malicious software that penetrates internet-connected systems by exploiting vulnerabilities such as weak administrator passwords, factory default logins and devices that have not been updated regularly.[8] Once they gain access to a target, they put a strong emphasis on stealth, almost exclusively relying on living-off-the-land techniques and hands-on-keyboard activity.[8]
Volt Typhoon rarely uses malware in its post-compromise activity. Instead, the operators issue commands via the command line to first collect data, including credentials from local and network systems, put the data into an archive file to stage it for exfiltration, and then use the stolen valid credentials to maintain persistence.[1][9] Some of these commands appear to be exploratory or experimental, as the operators adjust and repeat them multiple times. In addition, Volt Typhoon tries to blend into normal network activity by routing traffic through compromised small office and home office network equipment, including routers, firewalls, and VPN hardware.[10] They have also been observed using custom versions of open source tools to establish a command and control (C2) channel over a proxy, further hiding their activity.[1][8]
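The defensive counterpart to the tradecraft described above is to watch for the built-in tools themselves in process-creation telemetry. The following Python is an added example, not code from the page or from any of the agencies or vendors it cites: it runs a simple living-off-the-land detector over a handful of constructed process-creation records (the JSON record layout, the host and user names, and the per-tool severity weights are all this example's own assumptions). Two of the constructed records carry no command line, mimicking Windows Event ID 4688 in its default configuration, which logs the executable path but not the command line; the example counts those so a defender can see the logging gap that living off the land depends on.

```python
import json
import ntpath
from collections import Counter

# Built-in tools the Five Eyes advisory associates with Volt Typhoon's
# living-off-the-land tradecraft, matched on the executable's basename.
# The severity weights are this example's own assumption: ntdsutil is a
# domain-controller maintenance tool that ordinary workstations never run,
# while PowerShell is so common that a hit on its own is only weak evidence.
LOTL_TOOLS = {
    "ntdsutil.exe": 3,
    "wmic.exe": 2,
    "netsh.exe": 2,
    "powershell.exe": 1,
}

# Constructed JSON-lines process-creation records (not real telemetry).
# "command_line" is empty on two of them to mimic Windows Event ID 4688 in its
# default configuration, which records the image path but not the command line.
SAMPLE_LOG = r'''
{"host": "WS01", "user": "alice", "image": "C:\\Windows\\System32\\notepad.exe", "command_line": "notepad.exe report.txt"}
{"host": "WS01", "user": "alice", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -File backup.ps1"}
{"host": "DC01", "user": "svc_backup", "image": "C:\\Windows\\System32\\ntdsutil.exe", "command_line": ""}
{"host": "FS02", "user": "bob", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "command_line": ""}
{"host": "FS02", "user": "bob", "image": "C:\\Windows\\System32\\netsh.exe", "command_line": "netsh advfirewall show allprofiles"}
{"host": "WS03", "user": "carol", "image": "C:\\Program Files\\Editor\\editor.exe", "command_line": "editor.exe"}
'''


def parse_events(text):
    """Parse JSON-lines records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flag_lotl(events, tools=LOTL_TOOLS):
    """Return the events whose executable is one of the LOTL tools, each
    annotated with its severity weight. Matching on the basename catches the
    tool wherever it is launched from (System32, wbem, the PowerShell folder)."""
    hits = []
    for ev in events:
        name = ntpath.basename(ev["image"]).lower()
        if name in tools:
            hits.append({**ev, "tool": name, "severity": tools[name]})
    return hits


def missing_command_line(events):
    """Count records with no command line: a measure of the logging gap that
    living off the land relies on, since the image alone cannot distinguish
    routine administration from reconnaissance or credential collection."""
    return sum(1 for ev in events if not ev.get("command_line"))


def host_risk(hits):
    """Sum severities per host so that one rare tool outweighs many PowerShell runs."""
    risk = Counter()
    for h in hits:
        risk[h["host"]] += h["severity"]
    return dict(risk)


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    hits = flag_lotl(events)
    for h in hits:
        cmd = h["command_line"] or "<not logged>"
        print(f'{h["host"]:5} {h["user"]:11} {h["tool"]:15} sev={h["severity"]} cmd={cmd}')
    print("records without a command line:", missing_command_line(events))
    print("risk per host:", host_risk(hits))
```

On the constructed input the detector flags four of six records and reports that two of them arrived without a command line. The practical point is the second number: enabling command-line logging for process creation (or deploying Sysmon) is what turns a bare "ntdsutil ran on DC01" hit into something an analyst can triage, and without it the scoring above is the most that default telemetry supports.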
In many ways, Volt Typhoon functions similarly to traditional botnet operators, taking control of vulnerable devices such as routers and security cameras to hide and establish a beachhead in advance of using that system to launch future attacks. Operating this way makes it difficult for cybersecurity defenders to accurately identify the source of an attack.[8]
According to Secureworks (a division of Dell), Volt Typhoon's interest in operational security "likely stemmed from embarrassment over the drumbeat of US indictments [of Chinese state-backed hackers] and increased pressure from Chinese leadership to avoid public scrutiny of its cyberespionage activity."[11]
According to cybersecurity researcher Ryan Sherstobitoff, "Unlike attackers who vanish when discovered, this adversary digs in even deeper when exposed".[12]
Notable campaigns
Attacks on US Navy
The US government has repeatedly detected activity on systems in the US and Guam designed to gather information on U.S. critical infrastructure and military capabilities; Microsoft and the agencies said the attacks could also be preparation for a future attack on U.S. critical infrastructure.[1]
Singtel breach
In June 2024, Singtel was breached by Volt Typhoon.[13] Following a report by Bloomberg News in November 2024, Singtel responded that it had "eradicated" malware from the threat.[14]
Disruption
In January 2024, the FBI announced that it had disrupted Volt Typhoon's operations by undertaking court-authorized operations to remove malware from US-based victim routers, and taking steps to prevent reinfection.[15]
Response from China
The Chinese government denied any involvement in Volt Typhoon and stated that Volt Typhoon is a misinformation campaign by U.S. intelligence agencies, according to state media outlet Xinhua News Agency and China's National Computer Virus Emergency Response Center (CVERC).[3][4]
References
- [1] "Volt Typhoon targets US critical infrastructure with living-off-the-land techniques". Microsoft. 2023-05-24. Retrieved 2024-10-09.
- [2] Antoniuk, Daryna (2024-08-27). "China's Volt Typhoon reportedly targets US internet providers using Versa zero-day". Recorded Future. Retrieved 2024-10-09.
- [3] "Report reveals more conspiracies behind U.S. 'Volt Typhoon' misinformation campaign". Xinhua News Agency. 2024-10-15. Retrieved 2024-10-14.
- [4] Martin, Alexander (2024-07-11). "Chinese cyber agency accused of 'false and baseless' claims about US interfering in Volt Typhoon research". therecord.media. Recorded Future. Retrieved 2024-10-29.
- [5] "Volt Typhoon (Threat Actor)". Fraunhofer Society. Retrieved 2024-10-09.
- [6] Hanrahan, Josh (2024-02-13). "VOLTZITE Espionage Operations Targeting U.S. Critical Systems". Dragos. Retrieved 2024-10-14.
- [7] "People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection". Cybersecurity and Infrastructure Security Agency. 2023-05-24. Retrieved 2024-10-09.
- [8] Forno, Richard (2024-04-01). "What Is Volt Typhoon? A Cybersecurity Expert Explains The Chinese Hackers Targeting US Critical Infrastructure". University of Maryland, Baltimore County. Retrieved 2024-10-09.
- [9] "Volt Typhoon: Chinese State-Sponsored Actor Targeting Critical Infrastructure". Secure Blink. 2023-06-05. Retrieved 2024-10-09.
- [10] Paing Htun, Phyo; Kimura, Ai; Srinivasan, Manikantan; Natarajan, Pooja (2024-03-28). "Volt Typhoon, BRONZE SILHOUETTE, Group G1017". Mitre Corporation. Retrieved 2024-10-09.
- [11] Pearson, James; Satter, Raphael (2024-04-19). Berkrot, Bill (ed.). "What is Volt Typhoon, the Chinese hacking group the FBI warns could deal a 'devastating blow'?". Reuters.
- [12] Sabin, Sam (2024-11-12). "Rising threat of China's Volt Typhoon". Axios. Retrieved 2024-11-12.
- [13] Robertson, Jordan; Manson, Katrina (2024-11-05). "Chinese Group Accused of Hacking Singtel in Telecom Attacks". Bloomberg News. Retrieved 2024-11-05.
- [14] "Singtel detected and 'eradicated' malware said to be from Chinese hacking group". CNA. 2024-11-05. Retrieved 2024-11-05.
- [15] "U.S. Government Disrupts Botnet People's Republic of China Used to Conceal Hacking of Critical Infrastructure". United States Department of Justice. 2024-01-31. Retrieved 2024-10-09.