Volt Typhoon: Hiding in Plain Sight 

What is Volt Typhoon? 

Volt Typhoon, a Chinese state-sponsored threat actor, is utilizing stealth techniques to conduct cyber espionage operations against government and other critical infrastructure organizations. In recent attacks, Volt Typhoon has leveraged application or server-side exploitation to gain initial access into a victim's network. By using built-in network administration tools and conducting hands-on-keyboard interactions, Volt Typhoon successfully masks its activities as routine system and network operations to evade detection.

Volt Typhoon Background 

Active since mid-2021, Volt Typhoon (a.k.a. Insidious Taurus, Bronze Silhouette, and VANGUARD PANDA) has conducted espionage operations against targets in the United States and Guam. In their most recent campaigns, they are targeting organizations in communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. Stealing classified information and intellectual property from organizations in these industries supports the Chinese government’s overall agenda. In a recent report, Microsoft assessed Volt Typhoon’s current campaigns were in pursuit of developing capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.  

Attack Details 

The recurring attack pattern of Volt Typhoon begins with initial access via exploitation of public-facing devices or services, such as ManageEngine ADSelfService Plus via CVE-2024-40539 (file upload attack) and FatPipe WARP, IPVPN, MPVPN via CVE-2027-27860 (remote code execution). Compromised small office/home office (SOHO) devices are used by the attackers to proxy communications to and from the affected networks. Volt Typhoon employs the comparatively uncommon practice of leveraging preinstalled utilities for most of their victim interactions. Evidence even suggests the commands are issued in an interactive, hands-on-keyboard way, eschewing mass scripted commands for behaviors such as host and network discovery that are common for other attackers using living-off-the-land methods of interaction. This combination of behaviors makes detection especially difficult as defenders must be able to differentiate between attacker activities and those of power users or administrative staff. 

Once established on the victim network, the attacker performs discovery activities with many well-known host utilities, such as net, netstat, systeminfo, and tasklist. Volt Typhoon attempts to harvest credentials in a number of ways. In addition to hunting for plaintext passwords via commands like "dir" and with registry queries, they have also sought domain credentials by copying the ntds.dit file, using "vssadmin" and "ntdsutil" to create volume shadow copies from which the locked file can be extracted. Analysis of some attacks shows the employment of rundll32 to initiate a Local Security Authority Subsystem Service (LSASS) memory dump with the comsvcs.dll MiniDump function. Any valid credentials harvested via these methods are used later for privilege escalation, persistence, and lateral movement across the network.

Volt Typhoon makes use of cmd, PowerShell, and the Windows Management Instrumentation Command line (WMIC) for local execution of commands; remote execution is effected with PsExec and, in a departure from the typical living-off-the-land methods, wmiexec.py, a module from the Impacket post-exploitation toolkit. The attackers also set up proxies on the victim machines, usually with the netsh portproxy functionality, though they have been documented occasionally using customized versions of the EarthWorm and Fast Reverse Proxy (FRP) proxy tools. Data is collected with common user-level commands and staged with tools such as 7-Zip and WinRAR. Volt Typhoon has also been shown to be studious when it comes to cleaning up after itself by removing Windows Event Logs, system and application log files, and downloaded or created files.
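The two paragraphs above describe the credential harvesting (comsvcs.dll MiniDump, ntdsutil/vssadmin), proxying (netsh portproxy), remote execution (wmiexec.py) and log clearing that defenders need to separate from ordinary administrator work. The following Python is an added example, not Critical Start's own detection content: it scores constructed process-creation records (Sysmon Event ID 1 style host, user, image and command-line fields, in a simple pipe-delimited format chosen for this example) against command-line patterns for those techniques, then rolls the hits up per host so that a single shadow copy on a file server stays low priority while a cluster of distinct techniques on one host is escalated. The ATT&CK technique ids and the wmiexec.py `ADMIN$\__<timestamp>` output-redirection artifact are well-known facts; the hosts, users, thresholds and sample lines are constructed.

```python
"""Detection sketch for Volt Typhoon style living-off-the-land tradecraft.

Added example: scores constructed process-creation records against
command-line patterns and aggregates distinct techniques per host, so one
admin-looking command is low priority while a cluster of credential dumping,
proxying and log clearing on the same host is escalated.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str       # MITRE ATT&CK technique id
    pattern: re.Pattern  # matched against the full command line


def _r(pattern: str) -> re.Pattern:
    return re.compile(pattern, re.IGNORECASE)


RULES = [
    Rule("LSASS MiniDump via rundll32 comsvcs.dll", "T1003.001",
         _r(r"rundll32(\.exe)?\s+.*comsvcs(\.dll)?\s*,?\s*(#24|minidump)")),
    Rule("ntds.dit copy via ntdsutil IFM", "T1003.003",
         _r(r"ntdsutil(\.exe)?\s+.*\bifm\b.*\bcreate\b")),
    Rule("Volume shadow copy created via vssadmin", "T1003.003",
         _r(r"vssadmin(\.exe)?\s+create\s+shadow")),
    Rule("netsh portproxy listener added", "T1090",
         _r(r"netsh(\.exe)?\s+interface\s+portproxy\s+add\s+v4tov4")),
    Rule("Windows event log cleared via wevtutil", "T1070.001",
         _r(r"wevtutil(\.exe)?\s+(cl|clear-log)\b")),
    # wmiexec.py runs commands through cmd.exe /Q /c and redirects output to
    # \\127.0.0.1\ADMIN$\__<timestamp>, which is a reliable command-line artifact.
    Rule("wmiexec.py command artifact (output to ADMIN$)", "T1047",
         _r(r"cmd\.exe\s+/Q\s+/c\s+.*1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+")),
]

# Constructed sample records, one per line: host|user|image|command line.
# DC01 shows the clustered tradecraft; FS03 is routine backup administration.
SAMPLE_LOG = """\
DC01|CORP\\svc_backup|C:\\Windows\\System32\\rundll32.exe|rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 712 C:\\Windows\\Temp\\ls.dmp full
DC01|CORP\\svc_backup|C:\\Windows\\System32\\ntdsutil.exe|ntdsutil.exe "ac i ntds" "ifm" "create full C:\\Windows\\Temp\\pro" q q
DC01|CORP\\svc_backup|C:\\Windows\\System32\\netsh.exe|netsh interface portproxy add v4tov4 listenport=9999 listenaddress=0.0.0.0 connectport=8443 connectaddress=10.0.0.7
DC01|CORP\\svc_backup|C:\\Windows\\System32\\wevtutil.exe|wevtutil cl Security
WS22|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1685000000.55 2>&1
FS03|CORP\\admin.b|C:\\Windows\\System32\\vssadmin.exe|vssadmin create shadow /for=C:
FS03|CORP\\admin.b|C:\\Windows\\System32\\tasklist.exe|tasklist /v
"""


def parse_line(line: str) -> dict:
    """Split one pipe-delimited record into its four fields."""
    host, user, image, cmdline = line.split("|", 3)
    return {"host": host, "user": user, "image": image, "cmdline": cmdline}


def match_rules(event: dict) -> list:
    """Return every rule whose pattern matches the event's command line."""
    return [rule for rule in RULES if rule.pattern.search(event["cmdline"])]


def detect(log_text: str) -> dict:
    """Map host -> {"hits": [(rule name, cmdline)], "techniques": set, "priority": str}.

    Priority is driven by the number of distinct techniques seen on the host:
    one is routine-admin territory, two deserves a look, three or more is escalated.
    """
    findings = defaultdict(lambda: {"hits": [], "techniques": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        for rule in match_rules(event):
            findings[event["host"]]["hits"].append((rule.name, event["cmdline"]))
            findings[event["host"]]["techniques"].add(rule.technique)
    for result in findings.values():
        n = len(result["techniques"])
        result["priority"] = "high" if n >= 3 else "medium" if n == 2 else "low"
    return dict(findings)


if __name__ == "__main__":
    for host, result in sorted(detect(SAMPLE_LOG).items()):
        print(f"{host}: priority={result['priority']} techniques={sorted(result['techniques'])}")
        for name, cmdline in result["hits"]:
            print(f"    {name}: {cmdline}")
```

The per-host roll-up is the point: the vssadmin shadow copy on FS03 and the tasklist call are exactly what a backup operator or power user produces, so each matches at most one rule and stays low, whereas DC01 accumulates LSASS dumping, ntds.dit extraction, a portproxy listener and a cleared Security log and is escalated. In production the same logic would run over EDR or Sysmon telemetry with a time window and user baseline rather than over a static file.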

Custom Toolkit

As outlined above, Volt Typhoon is a committed living-off-the-land threat actor, though it has used purpose-built malicious tooling as well. In addition to the Impacket usage for some remote execution behavior, they have been observed using Mimikatz, a very well-known and popular tool for dumping Windows credentials, among other uses. As previously mentioned, Volt Typhoon has used modified versions of two open-source proxy tools: EarthWorm and Fast Reverse Proxy. There have also been occasions where the attackers have positioned web shells on compromised public-facing infrastructure. Some of these web shells appear to be derived from the C#-based Awen web shell; others are written in Java.

Volt Typhoon Risks and Implications 

Volt Typhoon poses a threat to national security and critical infrastructure organizations. Operating with remarkable stealth and utilizing advanced techniques, Volt Typhoon will likely continue to conduct cyber espionage attacks against U.S. critical infrastructure in support of the Chinese government’s broader agenda. Given the potential consequences of their actions, it is crucial for government and critical infrastructure organizations to remain vigilant against Volt Typhoon’s activities. Improved threat detection, monitoring, and response capabilities are necessary to effectively counter their stealthy and evolving tactics. Collaborative efforts among international partners and security communities can also enhance information sharing and facilitate timely responses to mitigate the impact of Volt Typhoon’s cyber espionage campaigns. 

The Critical Start Cyber Threat Intelligence (CTI) team will continue to monitor the situation and work closely with the security operations center (SOC) and Security Engineering team to implement any relevant detections. The CTI team will post any future updates via ZTAP Bulletins and on the Critical Start Intelligence Hub.

References: 

  1. https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
  2. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
  3. https://www.crowdstrike.com/blog/falcon-complete-thwarts-vanguard-panda-tradecraft/
