April 12, 2024

Threat Hunting Report: Volt Typhoon

Executive Summary

The purpose of this report is to document the current form and methodologies used by the Volt Typhoon threat actor. Cyber Security Associates Ltd (CSA) Cyber Analysts use this information to detect and hunt for the threat within client environments through our supported SIEMs (BorderPoint, Microsoft Sentinel and LogRhythm) and to advise on countermeasures for monitoring and detecting the threat.

This report documents the threat group Volt Typhoon and their TTPs (Tactics, Techniques and Procedures), and contains recommendations to help detect and mitigate the threat. It also includes references to the sources from which the information in this report was identified.

Tactics, Techniques & Procedures

Tactics, Techniques, and Procedures (TTPs) describe the actions, behaviours, processes and strategies used by malicious adversaries that engage in cyber-attacks.

Tactics outline the overall goals behind an attack, including the strategies the attacker followed to carry it out. For example, the goal may be to steal credentials. Understanding an adversary's Tactics can help predict upcoming attacks and detect them at an early stage.

Techniques will show the method that was used to engage in the attack, such as cross-site scripting (XSS), manipulation through social engineering and phishing, to name a few. Identifying the Techniques used during an attack can help discover an organisation’s blind spots and implement countermeasures in advance.

Procedures will describe the tools and methods used to produce a step-by-step description of the attack. Procedures can help to create a profile for a threat actor or threat group. The analysis of the procedures used by the adversary can help to understand what the adversary is looking for within their target’s infrastructure.

Analysts follow this methodology to analyse and define TTPs to aid in counterintelligence. The TTPs described in this research are based on the information that CSA analysts were able to identify prior to the release of this document. The threat may change and adapt as it matures to increase its likelihood of evading defences.


Introduction

The digital world is a battleground of ever-changing threats. Recent years have seen a rise in the sophistication of state-sponsored hackers, who may now target entire towns and inflict substantial economic harm. This report raises awareness about Volt Typhoon, a particularly dangerous threat. It is thought that the Chinese government actively supports Volt Typhoon's intrusions into the US, which notably started around the middle of 2021. Countering it takes careful preparation, cunning strategy and heightened awareness. The tactics used by Volt Typhoon will be thoroughly examined in this threat report, along with the exploited vulnerabilities and particular mitigation techniques to bolster the security of critical operators.

Volt Typhoon's approach is both ingenious and unsettling. Rather than using brute-force attacks that could set off an alarm, they deliberately exploit known weaknesses in network equipment, particularly internet-facing devices, to gain a footing in the infrastructure. They favour the more subdued method known as living off the land: they carry out malicious actions using authorized tools and pre-existing systems. For instance, PowerShell, the system administration scripting language, can be used to steal administrator credentials or to quietly gather details about network configurations and connected devices. This makes them extremely challenging to identify, because their actions look like routine system maintenance or network operations.

Volt Typhoon picks its targets carefully, uses adaptable tools and exploits vulnerabilities precisely; by mapping out network weaknesses and gathering valuable intelligence, they keep the digital footprint they leave on a system small over time. This groundwork can lead to dangerous code or backdoors that are activated remotely at a crucial moment, resulting in chaos and significant financial harm.

Volt Typhoon highlights the urgent need for stricter cybersecurity regulations and heightened awareness in all critical businesses. The American government has released alerts advising operators to address vulnerabilities right away, add multifactor authentication and keep a close eye on network activity for unusual behaviour. The country cannot successfully minimize the risks posed by this sophisticated and potentially fatal threat unless government agencies, the corporate sector and cybersecurity specialists work together.

MITRE ATT&CK

MITRE developed the Adversarial Tactics, Techniques and Common Knowledge framework (ATT&CK), which is used to track the various techniques attackers use throughout the different stages of a cyberattack to infiltrate a network and exfiltrate data.
The framework defines the following tactics that are used in a cyberattack:

  • Initial Access
  • Execution
  • Persistence
  • Privilege Escalation
  • Defence Evasion
  • Credential Access
  • Discovery
  • Lateral Movement
  • Collection
  • Exfiltration
  • Command and Control

Scope

This report explores the cyber threats posed by Volt Typhoon. The main goal is to examine how they operate and the extent of the threat they represent to critical infrastructure. It gives an overview of their technical proficiency, favoured methods and tools, as well as trends. Understanding these procedures is critical to recognizing possible future attacks and creating efficient mitigation plans.

A thorough analysis of Volt Typhoon with a focus on sectors and areas will take place. This entails breaking down their attack routes, how they first get in, and how they continue to operate covertly inside systems (including by living off the land). This report looks at how important services can be interrupted, exposing the seriousness of the threat, and at the methodologies used, such as data extraction, movement between network components and long-term persistence.

Half the battle is won when one understands the threat. The report aims to offer defenders targeted advice on bolstering their cybersecurity defences against Volt Typhoon. While acknowledging the necessity for cooperation, the report describes best practices for patching vulnerabilities, putting multifactor authentication in place and closely observing network traffic for suspicious behaviour. Finally, this threat report examines how comprehensive security policies can be developed through information sharing across government agencies, the corporate sector and cybersecurity experts.

Stages of the attack


Reconnaissance

Volt Typhoon does not act on impulse. Before striking, they meticulously learn as much as possible about their target through a process known as reconnaissance. This lowers the likelihood of detection and enables them to tailor their attacks for optimal impact.

They map target organizations' networks using a range of approaches. They search the Internet extensively for any information they can uncover about the victim organization, including the company's website and any compromised sites that might be connected to it. Their aim is to find publicly accessible information about the network infrastructure, such as exposed systems or outdated software that could be exploited.

Additionally, alongside web search, they employ specialized tools such as FOFA, Shodan and Censys. These services index internet-connected devices, including Internet of Things (IoT) devices and sensors. By querying them, Volt Typhoon can discover internet-facing devices on the target organization's network, which may disclose security flaws or configuration errors that can be used for the initial intrusion.

An equally vital part of Volt Typhoon's research phase is understanding the human dimension. They target important network and IT personnel who oversee and administer critical infrastructure, via their personal emails. By compromising these private emails, Volt Typhoon can obtain credentials, take advantage of flaws in specific devices, or employ social engineering to influence people who have been given access to target networks.

All in all, Volt Typhoon can build a complete picture of the organization it is targeting. They learn about the network infrastructure, spot possible weak points and even compile a list of important personnel who might be useful in an assault. This detailed intelligence makes more focused and intelligent attacks possible, lowers the likelihood of early detection and raises the likelihood of success.

Initial Access

Gaining a foothold within the target network is critical for Volt Typhoon's operations. They employ a multi-layered approach to achieve this initial access, demonstrating both efficiency and a capacity for exploiting cutting-edge vulnerabilities.

Volt Typhoon usually gives priority to vulnerabilities in older network equipment. These include internet-facing Fortinet firewalls, NETGEAR devices, Citrix systems, Cisco devices and Ivanti (formerly Pulse Secure) secure login products. These products are widely deployed across all essential industries, and exploit code for their known vulnerabilities is publicly available.

Their abilities go beyond exploiting known flaws. Volt Typhoon has demonstrated its ability to locate and take advantage of zero-day vulnerabilities. These previously undiscovered flaws in software have not yet been addressed by vendors, and exploiting them effectively demands a high degree of skill. This demonstrates Volt Typhoon's enhanced capabilities and indicates wider attack paths, which may allow them to get past current security measures.

A particular confirmed compromise offers insight into Volt Typhoon's approach. Researchers think they were able to gain initial access by taking advantage of a vulnerability in an unpatched Fortinet 300D firewall (CVE-2022-42475). According to an analysis of firewall crash incidents, a buffer overflow attack against the Secure Sockets Layer (SSL)-VPN component was observed. In such attacks the program is overloaded with data, which may give attackers the ability to run malicious code. This illustrates the emphasis on taking advantage of holes in firewalls and other perimeter defences, with a particular focus on VPN vulnerabilities.

Once established, Volt Typhoon gives top priority to keeping a steady route into the network, and establishing a Virtual Private Network (VPN) session is their most popular method. VPNs offer secure, encrypted tunnels for remote connectivity, and by launching a VPN session Volt Typhoon creates a reliable and covert way of accessing the victim network. This gives them a persistent foothold and lets them blend in with legitimate remote access, reducing the likelihood that their actions set off an alarm. This strategy demonstrates Volt Typhoon's intent to stay in the victim's network long enough to plan and carry out more disruptive attacks.

Execution

Volt Typhoon relies on "living off the land" (LOTL) tactics rather than more overt post-compromise malware. This tactic depends on leveraging what is already present on the targeted systems instead of installing new tools and procedures. Imagine Volt Typhoon re-purposing system utilities or administrative tools, programs that are essential to IT professionals, for malicious ends. These tools, often called "LOLBins", end up serving as their armoury. Industry studies also show that Volt Typhoon's use of LOLBins is not static, with the attackers constantly modifying their commands to accomplish their objectives.

Moreover, beyond LOTL, Volt Typhoon also shows a deliberate willingness to take advantage of security holes in common network management tools. In the documented compromise, for instance, the attackers downloaded an older, potentially more exploitable version of the standard Microsoft library file "comsvcs.dll" [T1105] and deliberately uploaded this outdated DLL to an unusual folder on a crucial domain controller on the victim's network. The attacker then used this vulnerable DLL, the process ID of a core Windows security process (the Local Security Authority Subsystem Service, or LSASS) and the diagnostic function named "MiniDump" to acquire a memory dump [T1003]. This memory dump is no coincidental artefact: it most likely includes hashed login credentials from the system.

Volt Typhoon's toolset also includes forensic and network management tools, although these are not strictly necessary for its operations. One example given is Magnet RAM Capture (MRC) version 1.20, used on compromised domain controllers. Unlike conventional malware, MRC is a freely available program that does not always trigger security alerts. In the wrong hands, though, it can be a very potent weapon: MRC takes a full image of memory, effectively producing a digital snapshot of everything currently held in a computer's memory.

Thanks to MRC, Volt Typhoon can search through this enormous volume of in-memory data for potentially sensitive information that would not be easily accessible on the system's hard drive. Examples are temporary files, stored login credentials, or network data passing through memory that has not yet been written to disk. This ability to turn legitimate tools to malicious purposes highlights the evolving nature of cyberattacks and the need for security strategies that go beyond detecting traditional malware signatures.

Lastly, Volt Typhoon hides its command and control inside the compromised network by using Fast Reverse Proxy (FRP) clients. Acting as intermediaries, these FRP clients enable indirect communication between Volt Typhoon and the compromised systems. The added complexity makes it more challenging for defenders to identify the activity and eliminate the capability.

Defence Evasion

Operational Security (OpSec) is given top priority by Volt Typhoon in order to remain stealthy inside compromised networks. Living off the Land (LOTL) is a fundamental component of their program: it relies on the tools and methods already present on the system. Volt Typhoon blends its activity with ordinary applications and normal network traffic to circumvent security controls.

Purpose-built malware may also be employed, but precautions are taken to hide its existence. In one instance the names of malicious files, including a command-line port scanning program, were deliberately obfuscated (masked). This obfuscation makes it challenging for security software to classify the files as dangerous.

Moreover, Volt Typhoon employs Fast Reverse Proxy (FRP) client applications to facilitate encrypted communications within compromised networks. For versatility, this FRP implementation offers data compression, encryption and many protocol options. Error-checked and potentially anonymised data is sent using the Kuai connection protocol (KCP). This combination guarantees secure communication between hacked systems and the attackers.

Beyond obfuscation and LOTL, Volt Typhoon intentionally removes any evidence of their presence. They have been observed selectively deleting entries from logs and other technical sources. This meticulous log-clearing lets them remain hidden and evade detection. Additionally, they use innocent-looking filenames to avoid raising suspicion.

Credential Access

Following their initial network infiltration, Volt Typhoon actors prioritize acquiring credentials to escalate privileges and expand their reach within the victim's network. Their tactics here are multifaceted.

Volt Typhoon's main targets are internet-facing network devices. By taking advantage of flaws in these devices' network services or operating system, they can obtain access to credentials kept on the device itself. These credentials may be insecure, issued by default, or merely concealed, which makes it straightforward for Volt Typhoon to abuse them and escalate privileges (CVE-2022-42475). In the documented case this let them take advantage of domain administrator credentials that had apparently been stored incorrectly directly on the device, demonstrating the significance of appropriate credential security procedures.

An essential victory for Volt Typhoon is being able to access the Active Directory database file (NTDS.dit). For every domain account this file contains the username, the password hash and group memberships. If Volt Typhoon can crack these password hashes offline using advanced methods, they effectively hold the master key to the entire domain, allowing them to compromise it fully. Volt Typhoon's tenacity is demonstrated here by reports of the actors repeatedly extracting NTDS.dit from victims over an extended period of time in order to acquire this vital data.

Volt Typhoon's credential harvesting goes beyond Active Directory and network devices. They have occasionally been observed interacting with PuTTY, a well-known remote access program [T1012]. This interaction raises the possibility that weaknesses in the way PuTTY stores session information have been found and taken advantage of. If these saved sessions contain clear-text passwords for proxy servers used in remote operations, Volt Typhoon can access PuTTY profiles containing credentials for critical systems on the victim's network.

Lateral Movement


Volt Typhoon moves meticulously through infiltrated networks, mostly relying on stolen legitimate administrator credentials to obtain access to more systems. Remote Desktop Protocol (RDP) is their preferred tool [T1550]. But their possibilities are substantially expanded by a full grasp of the on-premises Microsoft Active Directory environment, as explained in the Credential Access section. With complete access to Active Directory, techniques like "Pass the Hash" and "Pass the Ticket" can be used to get around normal authentication entirely.

Following the initial entry, the attackers used the stolen admin credentials to create a virtual private network (VPN) connection and then used the same credentials to switch to a Remote Desktop (RDP) session. Their concentration on the domain controller is especially concerning, because it probably served as a gold mine of additional domain credentials, greatly enhancing their access privileges. Activities that strongly suggest data collection and exfiltration are covered in greater detail in the sections on discovery, collection and exfiltration.

The most dangerous element of this attack is Volt Typhoon's access to the vCenter server. This detail points to a calculated approach and may signal efforts to target operational technology (OT) assets. The proximity of OT assets to the vCenter server raises red flags.

Further concern arose when researchers observed the attackers interacting with the PuTTY application on the vCenter server. In particular, the saved sessions were carefully enumerated. If those sessions hold valid credentials, this would give Volt Typhoon a gold mine: potential access to a range of important PuTTY profiles reaching critical infrastructure components such as water treatment systems, water wells, substations, essential OT systems and critical network protection equipment. Such access could be used to cause serious harm, including damage to water and wastewater processing. This case underscores the critical importance of enforcing strong credential protection practices and implementing network segmentation to limit lateral movement and contain the damage an intruder can do.
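The RDP and Pass-the-Hash activity described in this section leaves traces in Windows logon events. The following is an added Python example (not code from the report or from CSA) of the checks an analyst could run over Security Event ID 4624 records exported from a SIEM; the privileged-account list, the jump-host allow-list and the sample events are assumptions constructed for the example.

```python
"""Logon-event heuristics for the lateral-movement pattern described above:
stolen admin credentials reused over RDP, NTLM network logons and
Pass-the-Hash.  Added example, not part of the original report.  Event
fields mirror Windows Security Event ID 4624; the privileged-account list
and the approved jump-host list are assumptions to be filled in from the
defender's own environment."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Logon:
    ts: int           # event time in seconds (constructed)
    host: str         # computer that recorded the logon
    user: str         # TargetUserName
    logon_type: int   # 3 = network, 9 = new credentials, 10 = RDP
    auth_pkg: str     # AuthenticationPackageName
    logon_proc: str   # LogonProcessName
    src_ip: str       # IpAddress

PRIVILEGED = {"adm_jdoe", "svc_backup"}   # assumed high-value accounts
ADMIN_JUMP_HOSTS = {"10.0.0.5"}           # assumed approved RDP sources
FANOUT_HOSTS = 3                          # distinct hosts per window
FANOUT_WINDOW = 600                       # seconds

def rdp_from_unapproved_source(e):
    """Privileged RDP that does not come from an admin jump host."""
    return (e.logon_type == 10 and e.user in PRIVILEGED
            and e.src_ip not in ADMIN_JUMP_HOSTS)

def ntlm_privileged_network_logon(e):
    """In a Kerberos domain an NTLM network logon by an admin account is
    the classic Pass-the-Hash footprint on the target host."""
    return (e.logon_type == 3 and e.auth_pkg.upper() == "NTLM"
            and e.user in PRIVILEGED)

def local_pth_injection(e):
    """Logon type 9 with LogonProcess 'seclogo' and package 'Negotiate' is
    the well-known trace left on the source host when a hash is injected
    into a fresh logon session."""
    return (e.logon_type == 9 and e.logon_proc.lower() == "seclogo"
            and e.auth_pkg.lower() == "negotiate")

def fanout_accounts(events):
    """Accounts seen on >= FANOUT_HOSTS distinct hosts inside FANOUT_WINDOW:
    one stolen credential sweeping across the network."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda x: x.ts):
        by_user[e.user].append(e)
    flagged = set()
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            hosts = {x.host for x in evs[i:] if x.ts - first.ts <= FANOUT_WINDOW}
            if len(hosts) >= FANOUT_HOSTS:
                flagged.add(user)
                break
    return flagged

def analyse(events):
    """Return (finding, user, host) tuples in event order, fan-out last."""
    out = []
    for e in events:
        if rdp_from_unapproved_source(e):
            out.append(("rdp_unapproved_source", e.user, e.host))
        if ntlm_privileged_network_logon(e):
            out.append(("ntlm_privileged_network_logon", e.user, e.host))
        if local_pth_injection(e):
            out.append(("pass_the_hash_seclogo", e.user, e.host))
    for user in sorted(fanout_accounts(events)):
        out.append(("credential_fanout", user, "*"))
    return out

SAMPLE = [  # constructed sample events, not real logs
    Logon(1000, "WS07", "jdoe", 9, "Negotiate", "seclogo", "127.0.0.1"),
    Logon(1060, "FS01", "adm_jdoe", 3, "NTLM", "NtLmSsp", "10.0.0.77"),
    Logon(1120, "DC01", "adm_jdoe", 3, "NTLM", "NtLmSsp", "10.0.0.77"),
    Logon(1180, "VC01", "adm_jdoe", 10, "Negotiate", "User32", "10.0.0.77"),
    Logon(5000, "DC01", "adm_jdoe", 10, "Kerberos", "User32", "10.0.0.5"),  # approved
    Logon(1200, "WS07", "jdoe", 3, "Kerberos", "Kerberos", "10.0.0.77"),   # benign
]
```

The fan-out check is the one that most directly mirrors the DC-to-vCenter pivot above: a single admin identity appearing on several hosts within minutes is worth an alert even when every individual logon looks legitimate.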

Conclusion

The emergence of Volt Typhoon as a sophisticated cyber threat highlights the importance of a more coordinated and robust cybersecurity plan. This report goes into the details of Volt Typhoon's different methodologies, emphasising the importance of comprehensive mitigation strategies and collaboration among government, the corporate sector and cybersecurity professionals, as well as recommendations that include rigorous patching, robust credential security and detection systems. As we explore the digital battleground, the analysis of Volt Typhoon serves as a timely reminder of the importance of vigilance, innovation and collaborative action in protecting our critical infrastructure from evolving cyber threats.

Mitigations

To obtain access to OT/ICS systems, external attackers are increasingly focusing on supply chain vulnerabilities. This means that a compromise at a seemingly unrelated vendor or partner may disrupt your essential processes. An industrial control software provider could, for instance, ship a product containing a backdoor that allows hackers direct access to your OT/ICS environment.

Many organizations erroneously depend on conventional IT security solutions to safeguard their OT/ICS infrastructures. But in contrast to IT systems, OT/ICS systems frequently have different functionalities and requirements. For instance, some IT security rules are incompatible with OT/ICS systems, because these systems give priority to real-time operations over security upgrades.

Furthermore, there is a serious lack of cybersecurity experts in OT/ICS. There is a severe scarcity of cybersecurity skills worldwide, and in OT/ICS the gap is even more pronounced than in general IT security. This skills gap makes it challenging to secure OT/ICS and to implement and maintain strong policies.

Worse, there is a risk of a domino effect where IT and OT/ICS systems converge. OT/ICS systems become more vulnerable when IT security technologies, including Endpoint Detection and Response (EDR), malfunction. An IT security breach can spread swiftly, jeopardize vital OT/ICS infrastructure and result in disastrous consequences. A successful OT/ICS assault might cause large financial losses during a difficult and drawn-out recovery. A malfunction of mechanical processes at a manufacturing facility, water treatment facility or power plant can have long-term consequences for the whole economy.

The combination of these difficulties emphasizes how urgently OT/ICS cybersecurity needs a more sophisticated strategy. Simply throwing money at typical security solutions without taking into account the unique requirements of OT/ICS environments is a surefire way to fail. Recognizing the objectives and constraints of OT/ICS systems and putting forward workable solutions to strengthen their security posture are the necessary steps forward.

The following recommendations are suggested to protect your data assets against Volt Typhoon:

  • Updates and Patching: It is crucial to apply updates to operating systems, applications and particularly internet-facing devices. As stated in this report, fix serious vulnerabilities (CVE-2022-42475) right away. Closing these gaps drastically reduces the attack surface.

  • Robust Credential Security: Establish a robust password policy with strong requirements for minimum length and character complexity. Use multifactor authentication (MFA), particularly for privileged accounts and administrative access. To improve overall credential integrity, avoid storing sensitive data in plain text and consider using password managers instead.

  • Hardening Active Directory: Segment your network to restrict which users and systems can reach the Active Directory domain controllers. Apply the principle of least privilege and limit superfluous privileges granted to user accounts. Keep an eye out for unusual activity, such as attempts to access or modify the NTDS.dit file, and actively monitor and audit AD services.

  • Endpoint Detection and Response: Put in place an EDR system that monitors system activity and alerts on anything unusual. These tools can detect irregularities related to LOTL methods, such as questionable use of legitimate tools or unapproved scripting activity.

  • Network Traffic Monitoring: Put systems in place to monitor and examine network traffic in order to spot unusual activity. Watch for connections to unidentified servers or dubious data transfers that might point to data exfiltration attempts.

  • Security Awareness Training: Continually instruct staff members in cybersecurity best practices, such as recognizing social engineering techniques and being mindful of phishing attempts. Inform users of the value of creating secure passwords and warn them not to open unknown attachments or emails.

  • Security Information and Event Management (SIEM): Use SIEM systems to gather data and examine logs from different network security technologies. This all-encompassing strategy can aid in spotting possible security risks and speed up the identification of unusual activity related to Volt Typhoon.

  • Threat Information: Keep abreast of the most recent Volt Typhoon tactics, techniques and procedures (TTPs). This knowledge improves your capacity to shape your security plan and to identify and counter possible intrusions.
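To make the EDR and SIEM recommendations above concrete, and to tie them back to the LSASS dump via comsvcs.dll MiniDump, the NTDS.dit extraction and the Magnet RAM Capture usage described in the Execution and Credential Access sections, here is an added Python example (not code from the report or from CSA) of process-creation detection rules run over constructed telemetry; the event field names and the file name MRCv120.exe for Magnet RAM Capture are assumptions.

```python
"""Detection logic for the living-off-the-land behaviours in the Execution
section (comsvcs.dll MiniDump of LSASS, NTDS.dit export, Magnet RAM Capture,
remote LOLBin execution) over constructed process-creation events.  Added
example, not code from the report or from CSA; event fields mirror Sysmon
Event ID 1 / Security Event ID 4688, and MRCv120.exe as the Magnet RAM
Capture file name is an assumption made here."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    host: str       # computer that recorded the process start
    user: str       # account that started it
    image: str      # full path of the new process
    cmdline: str    # full command line

# Only locations a genuine comsvcs.dll should ever be loaded from.
SYSTEM_COMSVCS = {r"c:\windows\system32\comsvcs.dll",
                  r"c:\windows\syswow64\comsvcs.dll"}

def _basename(image):
    return image.lower().rsplit("\\", 1)[-1]

def rule_comsvcs(e):
    """T1003: 'comsvcs.dll, MiniDump <lsass pid>' dumps LSASS memory; a
    comsvcs.dll referenced outside System32/SysWOW64 is the uploaded copy
    in an unusual folder described in the report (T1105)."""
    cl = e.cmdline.lower()
    if "comsvcs.dll" not in cl:
        return None
    if "minidump" in cl:
        return "T1003 LSASS MiniDump via comsvcs.dll"
    paths = re.findall(r"[a-z]:\\[^\s,]*comsvcs\.dll", cl)
    if any(p not in SYSTEM_COMSVCS for p in paths):
        return "T1105 comsvcs.dll referenced from non-system path"
    return None

def rule_ntds(e):
    """T1003: ntdsutil 'ifm' exports and shadow copies are how the in-use
    NTDS.dit is copied (cf. Behavior:Win32/SuspNtdsUtilUsage.A)."""
    cl, base = e.cmdline.lower(), _basename(e.image)
    if base == "ntdsutil.exe" and ("ifm" in cl or "create full" in cl):
        return "T1003 NTDS.dit export via ntdsutil"
    if base == "vssadmin.exe" and "create shadow" in cl:
        return "T1003 shadow copy creation (NTDS.dit access)"
    return None

def rule_remote_exec(e):
    """Remote LOLBin execution behind the WmicRemote detection listed under IoCs."""
    cl, base = e.cmdline.lower(), _basename(e.image)
    if base == "wmic.exe" and "/node:" in cl and "process call create" in cl:
        return "T1047 remote process creation via wmic"
    return None

def rule_memory_capture(e):
    """Magnet RAM Capture is legitimate forensic software, but a full memory
    image of a domain controller is never routine."""
    if _basename(e.image) in ("mrcv120.exe", "magnetramcapture.exe"):
        return "Full memory image via Magnet RAM Capture"
    return None

RULES = (rule_comsvcs, rule_ntds, rule_remote_exec, rule_memory_capture)

def detect(events):
    """Return (rule, host, user) tuples, one per matching rule, in event order."""
    findings = []
    for e in events:
        for rule in RULES:
            name = rule(e)
            if name:
                findings.append((name, e.host, e.user))
    return findings

SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    ProcEvent("DC01", r"CORP\svc_backup", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\Temp\comsvcs.dll, MiniDump 628 C:\Windows\Temp\lsass.dmp full"),
    ProcEvent("DC01", r"CORP\adm_jdoe", r"C:\Windows\System32\ntdsutil.exe",
              r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Windows\Temp\ifm" q q'),
    ProcEvent("WS07", r"CORP\jdoe", r"C:\Windows\System32\wmic.exe",
              r'wmic /node:10.0.0.12 process call create "cmd.exe /c whoami"'),
    ProcEvent("DC01", r"CORP\adm_jdoe", r"C:\Users\Public\MRCv120.exe", "MRCv120.exe"),
    ProcEvent("WS07", r"CORP\jdoe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\comsvcs.dll,SomeExport"),  # benign
]
```

Every rule keys on the behaviour rather than a file hash, which is the point of the EDR recommendation: the FRP hashes under Indicators of Compromise change between victims, while comsvcs.dll, ntdsutil and a memory imager on a domain controller do not.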

 

Indicators of Compromise

Microsoft Defender Antivirus detects attempted post-compromise activity:

  • Behavior:Win32/SuspNtdsUtilUsage.A
  • Behavior:Win32/SuspPowershellExec.E
  • Behavior:Win32/SuspRemoteCmdCommandParent.A
  • Behavior:Win32/UNCFilePathOperation
  • Behavior:Win32/VSSAmsiCaller.A
  • Behavior:Win32/WinrsCommand.A
  • Behavior:Win32/WmiSuspProcExec.J!se
  • Behavior:Win32/WmicRemote.A
  • Behavior:Win32/WmiprvseRemoteProc.B


Volt Typhoon Custom FRP Executable (SHA-256):


Volt Typhoon Malicious Files and Associated Hashes
