Volt Typhoon Activity

THE THREAT

On February 7th, CISA, NSA, FBI, along with Five Eyes intelligence partners, published a joint advisory related to state-sponsored threat actors from the People’s Republic of China (PRC) actively compromising U.S. critical infrastructure sectors with the intent of pre-positioning for potential disruptive or destructive cyberattacks, during crises or conflicts. This activity is attributed to the PRC threat actor group tracked as Volt Typhoon.

Industries known to be directly targeted by the group include government organizations, communications, energy, transportation, and water/wastewater. The group has been identified targeting routers and IoT devices, outside of these industries, to employ as staging points for attacks.

According to the joint report, U.S. organizations are at the most risk, but any disruptive attacks to the U.S. would directly or indirectly impact Canada. Canada, Australian, and New Zealand critical infrastructure is also likely to be at risk of similar attacks. Organizations, across impacted regions and industries, are strongly encouraged to proactively review and apply the included recommendations for defending against similar activity.

What we’re doing about it

• eSentire MDR for Network and Endpoint have rules in place to detect activity associated with Volt Typhoon, including but not limited to, the KV Botnet, Mimikatz, and Impacket
• eSentire MDR for Endpoint detects Living-Off-The-Land (LOTL) techniques, including but not limited to, usage of WMIC, NTDS, Certutil, wevtutil, and nltest
• eSentire Managed Vulnerability Service (MVS) has plugins in place to identify vulnerabilities known to be targeted by Volt Typhoon
• eSentire MDR for Log enables the proactive detection of malicious behaviors including, but not limited to, Impacket and other anomalous user activity
• Threat hunts have been performed across the eSentire client base to identify known signs of compromise
• The eSentire Threat Intelligence team is actively tracking this topic for additional details and detection opportunities

What you should do about it

• Ensure all Internet-facing devices are up to date with security patches
  • Ensure security patches are deployed for vulnerabilities known to be exploited by Chinese APT groups
• Deploy an Endpoint Detection and monitoring solution to all workstations and servers
• Review networks for any End-of-Life (EoL) devices, especially routers
  • All EoL devices need to be removed from the network and replaced with modern, maintained alternatives
• Enable logging for applications, access, and security logs
• Apply the hardening measures against Living-Off-The-Land attacks as recommended by CISA, including:
  • Disabling or removing unnecessary protocols by default
  • Limiting network reachability to the extent which is feasible
  • Limiting processes and programs running with elevated privileges
• See the full joint report for additional details and recommendations

Additional information

Given the scope and scale of the reported intrusions by the FBI and Five Eyes partners, and the strategic patience, required to conduct this type of operation, eSentire Threat Intelligence assesses there is a realistic possibility this positioning by Volt Typhoon is in part a response to the August 2022 visit to Taiwan by members of the US Congress. At the time, it was widely reported that China's defense ministry stated it “will launch targeted military operations” in response to U.S. House Speaker Pelosi’s visit to Taiwan..

Volt Typhoon is a highly sophisticated threat actor group with a variety of tools and techniques that can be applied during attacks. As such, it is critical that organizations follow a defense-in-depth approach that includes Network, Endpoint, and Log monitoring to identify malicious activity. It should be noted, that unlike other Chinese APT groups that focus on data theft for espionage, Volt Typhoon is believed to be establishing long-term access to enable future destructive attacks. Information stolen by Volt Typhoon could be used to facilitate these follow-on attacks. 

The joint report includes a breakdown of attack stages and observed Volt Typhoon techniques.

Reconnaissance:

• Volt Typhoon performs extensive reconnaissance on target organizations, including both networks and staff, prior to commencing an attack
• The group is known to use FOFA, Shodan, Censys, and targeting personal email accounts during the reconnaissance phase

Resource Development:

• In observed attacks, Volt Typhoon exploits End of Life (EoL) Cisco and NETGEAR SOHO routers to use as proxies for Command and Control infrastructure
• These devices are infected with the KV Botnet malware; U.S. law-enforcement recently engaged in actions to disrupt this infrastructure

Initial Access:

• Volt Typhoon is known to exploit both known and zero-day vulnerabilities; known targeted products include Fortinet, Ivanti Connect Secure (formerly Pulse Secure), NETGEAR, Citrix, and Cisco
• CISA makes specific reference to the known FortiGate 300D firewall vulnerability  CVE-2022-42475 

Execution:

• Once access has been established, Volt Typhoon directly interacts with victim networks via the command-line or other native tools and processes (ie. Living-Off- The-Land)
• The group has also been observed using outdated versions of network administrator tools, including comsvcs.dll
• In some cases, legitimate but non-native network administrator and forensic tools have been observed including Magnet RAM Capture (MRC) and Fast Reverse Proxy (FRP)

Persistence:

• For persistent access into compromised networks, the group relies on compromised valid credentials

Defense Evasion:

• Volt Typhoon primarily uses Living-Off-the-Land techniques for defense evasion; use of these tools enable the group to mask their malicious activity as standard network activity
• Tools such as Ultimate Packer for Executables (UPX) are used to obfuscate malware
• Additionally, Volt Typhoon has been observed clearing Windows Event Logs, system logs, and other articles to hamper investigations

Credential Access:

• User credentials are gained through a variety of different means including exploitation of public-facing appliances, insecurely stored credentials, extracting the Active Directory database file (NTDS.dit), enumerating existing stored sessions, credential dumping through LSASS, and use of the Mimikatz and Impacket tools

Discovery:

• Discovery of system information, network services, groups, and users is carried out via a combination of commercial tools: Living-Off-The-Land utilities and appliances already present in victim networks

Lateral Movement:

• Volt Typhoon primarily relies on Remote Desktop Protocol (RDP) with compromised administrator credentials to perform lateral movement
• The report notes that the group is likely capable of carrying out alternative lateral movement techniques, including Pass the Hash or Pass the Ticket

Collection and Exfiltration:

• CISA has identified Volt Typhoon exfiltrating zipped Files via Server Message Block (SMB)
• WMIC has been leveraged by Volt Typhoon to generate and use temporary directories for exfiltration

Command and Control (C2):

• For C2 communications, Volt Typhoon leverages compromised SOHO routers and Virtual Private Servers (VPS) to act as proxies for C2 traffic
• The group has also been observed leveraging FRP clients on victim networks to establish communication channels

For additional information on all stages of Volt Typhoon activity, see the full CISA joint report.

References:

[1] https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
[2] https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-158a
[3] https://www.cisa.gov/sites/default/files/2024-02/Joint-Guidance-Identifying-and-Mitigating-LOTL_V3508c.pdf
[4] https://www.justice.gov/opa/pr/us-government-disrupts-botnet-peoples-republic-china-used-conceal-hacking-critical
[5] https://nvd.nist.gov/vuln/detail/CVE-2022-42475
[6] https://www.esentire.com/security-advisories/cyber-threats-from-us-china-tensions