Volt Typhoon (aka Bronze Silhouette) Targets Critical US Infrastructure with Living Off The Land Techniques

Tags: Bronze Silhouette, Living Off The Land, LOLBins, Fortinet FortiGuard, SOHO, LotL, Volt Typhoon
BRONZE SILHOUETTE has been active since at least 2021 and primarily targets the US government and defense organizations for intelligence gathering purposes. The group leverages vulnerable internet-facing servers to gain initial access and often uses a web shell for persistence.

Indicators of Compromise

No domains found for this campaign

APT Groups (1)

Volt Typhoon (China)
Aliases: Vanguard Panda, BRONZE SILHOUETTE, Insidious Taurus, VOLTZITE, UNC3236, Dev-0391, Storm-0391

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

Remediations
Defenders should set the Windows security audit policy to include "Audit Process Creation" and "Include command line in process creation events", and should make sure the resulting logs are actually collected and reviewed.

Otherwise, the default logging configuration may not contain the necessary information. Enabling these options creates Event ID 4688 entries in the Windows Security log that record the command line of each new process. Given the cost and difficulty of logging and analyzing this kind of activity, an organization that must limit the scope should prioritize systems that are externally facing or that perform authentication or authorization, especially domain controllers.

To hunt for malicious WMI and PowerShell activity, defenders should also log WMI and PowerShell events. By default, WMI tracing and deep PowerShell logging are not enabled.
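The logging configuration the guidance above describes, as an added example that is not the page's or any vendor's own code. It assumes an elevated PowerShell session on Windows 10 / Server 2016 or later; the registry paths are the standard Windows policy locations, and the verification step reads the named EventData fields of Event ID 4688.

```powershell
# Added example (not from the original page): turn on the logging the guidance
# asks for, then verify it. Run as Administrator on the hosts you prioritise
# (externally facing systems, auth/authz servers, domain controllers).

# 1. Audit Process Creation (success and failure) -> Event ID 4688 in Security log
auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:enable

# 2. Include the command line in 4688 events (omitted by default)
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 3. Deep PowerShell logging: script block logging (Event ID 4104 in
#    Microsoft-Windows-PowerShell/Operational)
$sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sblKey -Force | Out-Null
Set-ItemProperty -Path $sblKey -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# 4. WMI tracing: the Trace channel is disabled by default
wevtutil.exe set-log 'Microsoft-Windows-WMI-Activity/Trace' /enabled:true

# --- Verification: confirm each setting took effect ---
auditpol.exe /get /subcategory:"Process Creation"
Get-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled'
Get-ItemProperty -Path $sblKey  -Name 'EnableScriptBlockLogging'
wevtutil.exe get-log 'Microsoft-Windows-WMI-Activity/Trace' | Select-String '^enabled'

# Pull the newest 4688 events and show the fields a hunt needs. Fields are read
# by name from the event XML rather than by positional index, so this does not
# depend on the exact 4688 schema version.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 20 |
    ForEach-Object {
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = $data['SubjectUserName']
            NewProcess  = $data['NewProcessName']
            Parent      = $data['ParentProcessName']
            CommandLine = $data['CommandLine']   # empty until step 2 is applied
        }
    } | Format-Table -AutoSize -Wrap
```

If CommandLine is still blank for new processes after applying step 2, the setting is being overridden by Group Policy; apply it through the domain policy instead of the local registry.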


Observed Countries (12)

AF (484)
CN (467)
ID (953)
IN (940)
KG (141)
LK (971)
MV (812)
NP (122)
TJ (410)
TM (892)
US (874)
UZ (551)