What We Do
How We Do
Resources
Company
Partners
Get Started
Security advisories

Volt Typhoon Activity

February 9, 2024 | 5 MINS READ

Speak With A Security Expert Now

TALK TO AN EXPERT

THE THREAT

On February 7th, CISA, NSA, FBI, along with Five Eyes intelligence partners, published a joint advisory related to state-sponsored threat actors from the People’s Republic of China (PRC) actively compromising U.S. critical infrastructure sectors with the intent of pre-positioning for potential disruptive or destructive cyberattacks, during crises or conflicts. This activity is attributed to the PRC threat actor group tracked as Volt Typhoon.

Industries known to be directly targeted by the group include government organizations, communications, energy, transportation, and water/wastewater. The group has been identified targeting routers and IoT devices, outside of these industries, to employ as staging points for attacks.

According to the joint report, U.S. organizations are at the most risk, but any disruptive attacks to the U.S. would directly or indirectly impact Canada. Canada, Australian, and New Zealand critical infrastructure is also likely to be at risk of similar attacks. Organizations, across impacted regions and industries, are strongly encouraged to proactively review and apply the included recommendations for defending against similar activity.

What we’re doing about it

What you should do about it

Additional information

Given the scope and scale of the reported intrusions by the FBI and Five Eyes partners, and the strategic patience, required to conduct this type of operation, eSentire Threat Intelligence assesses there is a realistic possibility this positioning by Volt Typhoon is in part a response to the August 2022 visit to Taiwan by members of the US Congress. At the time, it was widely reported that China's defense ministry stated it “will launch targeted military operations” in response to U.S. House Speaker Pelosi’s visit to Taiwan..

Volt Typhoon is a highly sophisticated threat actor group with a variety of tools and techniques that can be applied during attacks. As such, it is critical that organizations follow a defense-in-depth approach that includes Network, Endpoint, and Log monitoring to identify malicious activity. It should be noted, that unlike other Chinese APT groups that focus on data theft for espionage, Volt Typhoon is believed to be establishing long-term access to enable future destructive attacks. Information stolen by Volt Typhoon could be used to facilitate these follow-on attacks. 

The joint report includes a breakdown of attack stages and observed Volt Typhoon techniques.

Reconnaissance:

Resource Development:

Initial Access:

Execution:

Persistence:

Defense Evasion:

Credential Access:

Discovery:

Lateral Movement:

Collection and Exfiltration:

Command and Control (C2):

For additional information on all stages of Volt Typhoon activity, see the full CISA joint report.

References:

[1] https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
[2] https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-158a
[3] https://www.cisa.gov/sites/default/files/2024-02/Joint-Guidance-Identifying-and-Mitigating-LOTL_V3508c.pdf
[4] https://www.justice.gov/opa/pr/us-government-disrupts-botnet-peoples-republic-china-used-conceal-hacking-critical
[5] https://nvd.nist.gov/vuln/detail/CVE-2022-42475
[6] https://www.esentire.com/security-advisories/cyber-threats-from-us-china-tensions

View Most Recent Advisories