SOC Incident Toolkit
Volt Typhoon (aka BRONZE SILHOUETTE) Targets Critical US Infrastructure with Living Off the Land Techniques


Bronze Silhouette, Living Off the Land, LOLBins, Fortinet FortiGuard, SOHO, LotL, Volt Typhoon

BRONZE SILHOUETTE has been active since at least 2021 and primarily targets US government and defense organizations for intelligence-gathering purposes. The group exploits vulnerable internet-facing servers to gain initial access and often deploys a web shell for persistence.

Indicators of Compromise

Hashes (74)


CVEs (3)

CVE-2021-40539
CVE-2021-27860
CVE-2023-27350

APT Groups

Volt Typhoon

China

Notes

<div><b>Conclusion:</b></div><div><br></div><div>Microsoft has uncovered stealthy and targeted malicious activity focused on post-compromise credential access and network system discovery aimed at critical infrastructure organizations in the United States. The activity is attributed to <b>Volt Typhoon</b>, a state-sponsored actor based in China that typically focuses on espionage and information gathering.</div><div><br></div><div>Microsoft assesses with moderate confidence that this <b>Volt Typhoon</b> campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and the Asia region during future crises.</div><div><br></div><div>Reducing the risk from adversaries like Volt Typhoon is particularly difficult because they rely on valid accounts and living-off-the-land binaries (LOLBins) rather than custom malware. Detecting activity that flows through normal logon channels and built-in system binaries requires behavioral monitoring of accounts and processes, not signature matching. Remediation requires closing compromised accounts or changing their credentials, and every account suspected of compromise, along with the systems it touched, should be investigated.</div><div><br></div>
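The behavioral monitoring the note calls for can be illustrated with a small detector. The following Python is an added example, not code from Microsoft, Secureworks or this toolkit: it runs two of the account-activity checks named in the mitigations on this page (impossible time-and-distance logons and logons outside working hours) over constructed logon records. The working-hours window (08:00 to 18:00 UTC on weekdays), the 900 km/h feasibility threshold, and the latitude/longitude enrichment on each record are assumptions; the logon records themselves are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed logon records (sample data, not from any real incident). In practice these
# would come from authentication logs enriched with IP geolocation; lat/lon here are assumed.
SAMPLE_LOGONS = [
    {"user": "jdoe",   "time": "2023-05-01T09:05:00Z", "src_ip": "10.1.4.22",   "lat": 38.90, "lon": -77.04},
    {"user": "jdoe",   "time": "2023-05-01T09:40:00Z", "src_ip": "203.0.113.7", "lat": 22.32, "lon": 114.17},
    {"user": "asmith", "time": "2023-05-01T14:00:00Z", "src_ip": "10.1.4.30",   "lat": 38.90, "lon": -77.04},
    {"user": "asmith", "time": "2023-05-02T02:30:00Z", "src_ip": "10.1.4.30",   "lat": 38.90, "lon": -77.04},
]

MAX_FEASIBLE_SPEED_KMH = 900.0          # assumption: roughly airliner speed; faster is infeasible
WORK_START_HOUR, WORK_END_HOUR = 8, 18  # assumption: business hours, expressed in UTC
EARTH_RADIUS_KM = 6371.0


def parse_time(stamp: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def detect_impossible_travel(logons, max_speed_kmh=MAX_FEASIBLE_SPEED_KMH):
    """Flag consecutive logons by the same user that imply travel faster than max_speed_kmh."""
    by_user = defaultdict(list)
    for rec in logons:
        by_user[rec["user"]].append(rec)
    findings = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: parse_time(r["time"]))
        for earlier, later in zip(recs, recs[1:]):
            dist = haversine_km(earlier["lat"], earlier["lon"], later["lat"], later["lon"])
            if dist == 0:
                continue  # same place: nothing to explain
            hours = (parse_time(later["time"]) - parse_time(earlier["time"])).total_seconds() / 3600
            # Two places at the same instant is infinite speed, which is also flagged.
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                findings.append({"user": user, "from_ip": earlier["src_ip"], "to_ip": later["src_ip"],
                                 "distance_km": round(dist), "speed_kmh": round(speed)})
    return findings


def detect_off_hours(logons, start_hour=WORK_START_HOUR, end_hour=WORK_END_HOUR):
    """Flag logons on weekends or outside the [start_hour, end_hour) window."""
    flagged = []
    for rec in logons:
        t = parse_time(rec["time"])
        if t.weekday() >= 5 or not (start_hour <= t.hour < end_hour):
            flagged.append(rec)
    return flagged


def triage_logons(logons):
    """Run both checks and return the findings keyed by check name."""
    return {"impossible_travel": detect_impossible_travel(logons),
            "off_hours": detect_off_hours(logons)}


if __name__ == "__main__":
    for check, hits in triage_logons(SAMPLE_LOGONS).items():
        print(check, hits)
```

Both checks are deliberately simple so the thresholds stay explainable to an analyst; in production the working-hours window would be per user or per business unit, and VPN egress points and shared NAT addresses need an allowlist so that a change of source IP alone does not trigger the distance check.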

Mitigation

<div><b>Mitigations</b></div><div>The authoring agencies recommend that organizations implement the mitigations below to improve their cybersecurity posture on the basis of the threat actor's activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats and TTPs.</div><div><br></div><span style="color: var(--q-dark);">Defenders should harden domain controllers and monitor event logs for unusual process creations. Additionally, any use of administrator privileges should be audited and validated to confirm the legitimacy of executed commands.</span><br><span style="color: var(--q-dark);">Administrators should limit port proxy usage within environments and only enable it for the period in which it is required.</span><br><span style="color: var(--q-dark);">Defenders should investigate unusual IP addresses and ports in command lines, registry entries, and firewall logs to identify other hosts that are potentially involved in actor activity. In addition to host-level changes, defenders should review perimeter firewall configurations for unauthorized changes and/or entries that may permit external connections to internal hosts.</span><br><span style="color: var(--q-dark);">Defenders should also look for abnormal account activity, such as logons outside of normal working hours and impossible time-and-distance logons (e.g., a user logging on from two geographically separated locations at the same time).</span><br>
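The port-proxy and command-line review items above can be partly automated. The following Python is an added example, not the advisory's or the toolkit's own code: it parses constructed process-creation command lines, picks out `netsh interface portproxy add` invocations, and records why each deserves review (listening on all interfaces, forwarding to an address outside the assumed internal ranges, or forwarding to a typical lateral-movement port). The internal address ranges and the port list are assumptions, and the sample command lines are constructed.

```python
import ipaddress
import shlex

# Constructed process-creation command lines (sample data, not from any real incident).
SAMPLE_COMMAND_LINES = [
    'netsh interface portproxy add v4tov4 listenport=9999 listenaddress=0.0.0.0 '
    'connectport=8443 connectaddress=192.0.2.45',
    'netsh int portproxy add v4tov4 listenport=50100 listenaddress=10.0.0.5 '
    'connectport=3389 connectaddress=10.0.0.20',
    'netsh interface portproxy delete v4tov4 listenport=9999 listenaddress=0.0.0.0',
    'netsh advfirewall firewall add rule name="allow rdp" dir=in action=allow protocol=TCP localport=3389',
    'cmd.exe /c ipconfig /all',
]

# Assumption: these are the address ranges considered internal to the environment.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Assumption: forwarding to these ports deserves a second look because they are typical
# lateral-movement targets (SSH, SMB, RDP, WinRM).
LATERAL_MOVEMENT_PORTS = {22, 445, 3389, 5985, 5986}


def parse_portproxy_add(cmdline: str):
    """Return the key=value arguments of a 'netsh interface portproxy add ...' command, else None."""
    try:
        tokens = shlex.split(cmdline, posix=False)
    except ValueError:
        return None
    low = [t.lower() for t in tokens]
    if len(low) < 5 or low[0] not in ("netsh", "netsh.exe"):
        return None
    # netsh accepts abbreviated context names ('int', 'interf', ...), so match 'interface' by prefix.
    if not ("interface".startswith(low[1]) and low[2] == "portproxy" and low[3] == "add"):
        return None
    args = {}
    for tok in tokens[4:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            args[key.lower()] = value.strip('"')
    return args


def is_external(addr: str) -> bool:
    """True if addr is outside INTERNAL_NETWORKS; hostnames cannot be classified and count as external."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    return not any(ip in net for net in INTERNAL_NETWORKS)


def triage_portproxy_command(cmdline: str) -> list:
    """Reasons a command line deserves review; empty if it does not add a portproxy rule."""
    args = parse_portproxy_add(cmdline)
    if args is None:
        return []
    # Per the guidance, every addition should be time-bounded and justified, so each one is reported.
    reasons = ["portproxy rule added"]
    if args.get("listenaddress", "") in ("0.0.0.0", "::", "*"):
        reasons.append("listens on all interfaces")
    target = args.get("connectaddress")
    if target and is_external(target):
        reasons.append(f"forwards to non-internal address {target}")
    try:
        if int(args.get("connectport", "")) in LATERAL_MOVEMENT_PORTS:
            reasons.append(f"forwards to lateral-movement port {args['connectport']}")
    except ValueError:
        pass
    return reasons


def find_suspicious_portproxies(cmdlines) -> list:
    """Return (command line, reasons) for every command line that adds a portproxy rule."""
    hits = []
    for cmd in cmdlines:
        reasons = triage_portproxy_command(cmd)
        if reasons:
            hits.append((cmd, reasons))
    return hits


if __name__ == "__main__":
    for cmd, reasons in find_suspicious_portproxies(SAMPLE_COMMAND_LINES):
        print(cmd)
        for reason in reasons:
            print("  -", reason)
```

Port proxy rules persist across reboots in the registry under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy, so the same classification should also be run over exports of that key, not only over process-creation events; a rule that has already been removed from the registry but appears in the command-line history is still evidence of the actor's relay. Any rule nobody claims should be deleted with `netsh interface portproxy delete` once the host has been scoped.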