On Feb 7, 2024, CISA, NSA, FBI and other US government and international partners released a critical security advisory in which the US authoring agencies warned organisations that Volt Typhoon is pre-positioning itself on the networks of US critical infrastructure organisations, to enable disruption or destruction of critical services in the event of a major crisis or conflict with the United States and its allies.
Volt Typhoon has compromised the IT environments of many US critical infrastructure organisations across several sectors, including Communications, Energy, Transportation and Water.
That the People’s Republic of China (PRC) state-sponsored cyber group Volt Typhoon was lying dormant in the networks of targeted organisations, waiting for the right opportunity to carry out an attack, is a critical business risk for any organisation.
What is Volt Typhoon?
Volt Typhoon, also known as Vanguard Panda, Bronze Silhouette, Dev-0391, UNC3236, Voltzite and Insidious Taurus, is a People’s Republic of China (PRC) state-sponsored cyber group that specialises in espionage and information gathering. This APT was first publicly reported in May 2023 and is believed to have been active since mid-2021. It has targeted organisations in Guam, telecom providers, military bases and many other US critical infrastructure organisations.
Tactics, Techniques, and Procedures (TTPs) of Volt Typhoon
Volt Typhoon works by exploiting vulnerabilities in small-office and end-of-life routers, firewalls and VPN appliances, often using stolen administrator credentials and passwords, or taking advantage of outdated systems that have not received recent software updates and patches. One of this threat actor’s key TTPs is “living off the land” (LOTL): using the network administration tools already present on a system to achieve its goals. The group relies on legitimate binaries natively present on compromised machines, for example tools built into the operating system such as wmic, ntdsutil, netsh and PowerShell. This approach lets the actor blend in with activity that looks legitimate and bypass the defence mechanisms in place.
While Volt Typhoon actors tailor their TTPs to the victim environment, the US authoring agencies have observed the actors typically following the same pattern of behaviour across identified intrusions:
- Conduct extensive pre-compromise reconnaissance to learn about the target organisation’s network architecture and operational protocols.
- Gain initial access to the IT network by exploiting known or zero-day vulnerabilities in public-facing network appliances (e.g., routers, virtual private networks (VPNs), and firewalls) and connect to the victim’s network via VPN for follow-up activities.
- Obtain administrator credentials within the network, often by exploiting privilege escalation vulnerabilities in the operating system or network services.
- Use valid administrator credentials to move laterally to the domain controller (DC) and other devices via remote access services such as Remote Desktop Protocol (RDP).
- Conduct discovery in the victim’s network, leveraging LOTL binaries for stealth.
- Achieve full domain compromise by extracting the Active Directory database from the DC.
- Use offline password-cracking techniques to recover passwords from the credential hashes in the extracted database.
- Use the elevated credentials for strategic network infiltration and additional discovery, often focusing on gaining capabilities to access OT assets.
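The behaviour pattern above (LOTL use of ntdsutil, wmic and netsh, followed by lateral movement with valid administrator credentials over RDP) is what a defender should be hunting for in process-creation and logon telemetry. The following is an added detection sketch written for this article, not code from the advisory or from Red Piranha. It runs over a handful of constructed Windows Security event records (4688 process creation, 4624 logon) and flags three of the signals described above; the VPN client range, the privileged account names and the event field names are all assumptions for the sample.

```python
"""Detection sketch for Volt Typhoon-style living-off-the-land activity.

Flags: ntdsutil invoked against the NTDS database (AD database extraction),
wmic used remotely against another host, netsh portproxy use on a workstation,
and RDP (logon type 10) logons by privileged accounts that originate from the
VPN appliance client range (actors connect via the compromised VPN).
"""
import ipaddress
import re

# Constructed sample events (not real telemetry). Fields mimic normalised
# Windows Security log records: 4688 = process creation, 4624 = logon.
SAMPLE_EVENTS = [
    {"id": 4688, "host": "DC01", "user": "CORP\\svc_backup",
     "cmd": r'ntdsutil.exe "ac i ntds" ifm "create full C:\Windows\Temp\x" q q'},
    {"id": 4688, "host": "WS-HR-07", "user": "CORP\\jdoe",
     "cmd": "wmic.exe /node:DC01 computersystem get domain"},
    {"id": 4688, "host": "WS-HR-07", "user": "CORP\\jdoe",
     "cmd": "netsh.exe interface portproxy add v4tov4 listenport=8443 connectaddress=10.20.0.5"},
    {"id": 4688, "host": "WS-HR-07", "user": "CORP\\jdoe",
     "cmd": "netsh.exe wlan show profiles"},          # benign netsh use, must not fire
    {"id": 4624, "host": "DC01", "user": "CORP\\da_admin",
     "logon_type": 10, "src_ip": "172.16.99.23"},     # RDP from the VPN pool
    {"id": 4624, "host": "DC01", "user": "CORP\\da_admin",
     "logon_type": 10, "src_ip": "10.50.1.14"},       # RDP from an admin workstation
    {"id": 4624, "host": "FS01", "user": "CORP\\jdoe",
     "logon_type": 3, "src_ip": "10.50.1.14"},        # ordinary network logon
]

# Assumed environment facts: the VPN appliance hands out 172.16.99.0/24 to
# remote clients, and these two accounts hold domain-level privileges.
VPN_POOL = ipaddress.ip_network("172.16.99.0/24")
ADMIN_ACCOUNTS = {"CORP\\da_admin", "CORP\\svc_backup"}

# (rule name, regex over the 4688 command line). Patterns are deliberately
# narrow so that everyday use of the same binaries does not alert.
LOTL_RULES = [
    ("ntdsutil AD database export", re.compile(r"ntdsutil.*\b(ifm|ntds)\b", re.I)),
    ("wmic remote execution/discovery", re.compile(r"wmic(\.exe)?\s+/node:", re.I)),
    ("netsh portproxy tunnelling", re.compile(r"netsh.*portproxy", re.I)),
]


def classify(event):
    """Return the list of alert strings raised by one event (empty if none)."""
    alerts = []
    if event["id"] == 4688:
        for name, rx in LOTL_RULES:
            if rx.search(event["cmd"]):
                alerts.append(f"{name} on {event['host']} by {event['user']}")
    elif event["id"] == 4624 and event.get("logon_type") == 10:
        src = ipaddress.ip_address(event["src_ip"])
        # Privileged RDP sessions should come from admin workstations, not
        # from the remote-access pool the actors are known to enter through.
        if event["user"] in ADMIN_ACCOUNTS and src in VPN_POOL:
            alerts.append(
                f"admin RDP from VPN pool: {event['user']} -> {event['host']} from {src}")
    return alerts


def scan(events):
    """Run every event through classify() and collect all alerts."""
    return [alert for event in events for alert in classify(event)]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

On the constructed sample the scan raises four alerts: the ntdsutil export on the DC, the remote wmic call and the portproxy command from the workstation, and the privileged RDP logon from the VPN range; the benign netsh invocation and the logons from the admin workstation stay silent. In a real deployment the same logic belongs in the SIEM or EDR query language, with the account list and VPN range taken from the environment rather than hard-coded.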
What's the Impact of Volt Typhoon Attacks?
The Volt Typhoon attacks have caused significant disruption, targeting critical infrastructure and government entities worldwide. With sophisticated tactics, these cyberattacks have led to widespread data breaches, financial losses, and operational downtime. Businesses and governments are grappling with the aftermath, facing increased cybersecurity measures and financial burdens to mitigate future risks. The impact extends beyond immediate losses, affecting public trust, national security, and global stability. As organisations strive to recover and bolster their defences, the Volt Typhoon attacks serve as a stark reminder of the evolving cyber threat landscape and the urgent need for robust cybersecurity strategies.
How to protect your business against Volt Typhoon?
To safeguard your business against Volt Typhoon attacks, consider implementing the following measures:
- Strengthen Cybersecurity Infrastructure: Upgrade your cybersecurity systems, including firewalls, intrusion detection systems, and antivirus software, to detect and prevent Volt Typhoon attacks.
- Employee Training: Educate your staff about cybersecurity best practices, such as identifying phishing emails, avoiding suspicious links, and using strong passwords, to reduce the risk of falling victim to Volt Typhoon attacks.
- Regular Software Updates: Keep all software and applications up to date with the latest security patches to address vulnerabilities exploited by Volt Typhoon attackers.
- Network Segmentation: Implement network segmentation to isolate critical systems and data from potential Volt Typhoon attacks, limiting the impact of any breaches.
- Incident Response Plan: Develop a comprehensive incident response plan outlining steps to take in the event of a Volt Typhoon attack, including procedures for containment, investigation, and recovery.
By taking proactive measures to enhance your cybersecurity posture, you can better protect your business against Volt Typhoon attacks and minimise the potential impact of these sophisticated cyber threats.
Improve your organisation's security posture and minimise risk to your organisation with our Network Detection and Response program alongside our Endpoint Detection and Response.
Crystal Eye, best-in-class Threat Detection, Investigation and Response (TDIR), allows you to catch what other products in its class miss by detecting all known malware and C2 callouts.
Red Piranha is a world leader in cyber threat intelligence (CTI). We are a member of the highly regarded Cyber Threat Alliance, and this appointment is a testament to our increased technical capabilities in this area and our commitment to quality CTI. As one of its top contributors, we offer contextualised CTI feeds to its members and the wider security industry.
Sign up for our Weekly Threat Intelligence Report to stay updated.