Volt Typhoon
Summary of Actor: Volt Typhoon is a state-sponsored cyber espionage group believed to be affiliated with China. It is known for targeting critical infrastructure organizations in various countries, primarily focusing on obtaining intelligence. This group employs sophisticated techniques to remain undetected for long periods.
General Features: State-sponsored, focused on cyber espionage, highly sophisticated, employs stealthy and persistent attack methods.
Related Other Groups: APT41, APT10, RedEcho
Indicators of Attack (IoA):
- Unauthorized access to network devices
- Use of living-off-the-land techniques
- Unusual outbound network traffic
- Presence of command-and-control communications
Recent Activities and Trends:
- Latest Campaigns: Volt Typhoon has recently been linked to attacks targeting the energy and telecommunications sectors in the United States. These attacks are aimed at exfiltrating sensitive information related to critical infrastructure and national security.
- Emerging Trends: Recent observations indicate a shift towards using more advanced living-off-the-land techniques and exploits for zero-day vulnerabilities. There is also an increased focus on long-term persistence and undetected presence within target environments.
Aliases: VOLTZITE, Vanguard Panda, Volt Typhoon, Bronze Silhouette
Targeted Countries: Australia, UK, India, USA
Target Sectors
Energy & Utilities
Construction
Manufacturing
Transportation&Warehousing
Educational Services
(3 more sectors not shown)
Associated Malware/Software
sh.kv
KV
HiatusRAT
kv
win.scanline
(3 more entries not shown)
Related CVEs:
ATT&CK IDs:
T1105
T1593
T1583.005
T1210
T1592
(44 more IDs not shown; see the technique table below)
Tactic | ID | Technique
---|---|---
Collection | T1530 | Data from Cloud Storage
Command And Control | T1573 | Encrypted Channel
Command And Control | T1105 | Ingress Tool Transfer
Command And Control | T1071 | Application Layer Protocol
Command And Control | T1090 | Proxy
Credential Access | T1555 | Credentials from Password Stores
Credential Access | T1040 | Network Sniffing
Credential Access | T1110 | Brute Force
Credential Access | T1003 | OS Credential Dumping
Defense Evasion | T1112 | Modify Registry
Defense Evasion | T1036 | Masquerading
Defense Evasion | T1553 | Subvert Trust Controls
Defense Evasion | T1055 | Process Injection
Defense Evasion | T1070 | Indicator Removal
Defense Evasion | T1078 | Valid Accounts
Discovery | T1033 | System Owner/User Discovery
Discovery | T1057 | Process Discovery
Discovery | T1007 | System Service Discovery
Discovery | T1040 | Network Sniffing
Discovery | T1082 | System Information Discovery
Discovery | T1087 | Account Discovery
Discovery | T1016 | System Network Configuration Discovery
Discovery | T1069 | Permission Groups Discovery
Execution | T1059 | Command and Scripting Interpreter
Execution | T1106 | Native API
Execution | T1569 | System Services
Execution | T1047 | Windows Management Instrumentation
Exfiltration | T1048 | Exfiltration Over Alternative Protocol
Impact | T1531 | Account Access Removal
Impact | T1490 | Inhibit System Recovery
Initial Access | T1195 | Supply Chain Compromise
Initial Access | T1190 | Exploit Public-Facing Application
Initial Access | T1566 | Phishing
Initial Access | T1199 | Trusted Relationship
Initial Access | T1133 | External Remote Services
Initial Access | T1078 | Valid Accounts
Lateral Movement | T1210 | Exploitation of Remote Services
Lateral Movement | T1021 | Remote Services
Persistence | T1547 | Boot or Logon Autostart Execution
Persistence | T1546 | Event Triggered Execution
Persistence | T1133 | External Remote Services
Persistence | T1505 | Server Software Component
Persistence | T1078 | Valid Accounts
Privilege Escalation | T1547 | Boot or Logon Autostart Execution
Privilege Escalation | T1055 | Process Injection
Privilege Escalation | T1068 | Exploitation for Privilege Escalation
Privilege Escalation | T1546 | Event Triggered Execution
Privilege Escalation | T1078 | Valid Accounts
Reconnaissance | T1593 | Search Open Websites/Domains
Reconnaissance | T1592 | Gather Victim Host Information
Reconnaissance | T1595 | Active Scanning
Reconnaissance | T1589 | Gather Victim Identity Information
Resource Development | T1583 | Acquire Infrastructure
Resource Development | T1587 | Develop Capabilities
Total Count: 25
References:
https://therecord.media/china-accused-misusing-western-cybersecurity-research-volt-typhoon
https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
https://apt.etda.or.th/cgi-bin/showcard.cgi?u=a8b73194-0ca4-41b0-85ff-3793b83e47c0
https://resources.securityscorecard.com/research/volt-typhoon
https://www.dragos.com/threat/voltzite/
https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement
https://www.securityweek.com/wp-content/uploads/2024/01/Volt-Typhoon.pdf
https://www.secureworks.com/blog/chinese-cyberespionage-group-bronze-silhouette-targets-us-government-and-defense-organizations
https://www.securityweek.com/mandiant-intelligence-chief-raises-alarm-over-chinas-volt-typhoon-hackers-in-us-critical-infrastructure/
https://www.fortinet.com/blog/psirt-blogs/analysis-of-cve-2023-27997-and-clarifications-on-volt-typhoon-campaign
https://therecord.media/china-cyber-agency-claims-us-interference-volt-typhoon-research
https://blog.lumen.com/taking-the-crossroads-the-versa-director-zero-day-exploitation/
https://unit42.paloaltonetworks.com/volt-typhoon-threat-brief/
https://www.reuters.com/technology/cybersecurity/fbi-says-chinese-hackers-preparing-attack-us-infrastructure-2024-04-18/
https://www.crowdstrike.com/blog/falcon-complete-thwarts-vanguard-panda-tradecraft/
https://www.cisa.gov/sites/default/files/2024-03/Fact-Sheet-PRC-State-Sponsored-Cyber-Activity-Actions-for-Critical-Infrastructure-Leaders-508c.pdf
https://blog.lumen.com/kv-botnet-dont-call-it-a-comeback/
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
https://blog.lumen.com/routers-roasting-on-an-open-firewall-the-kv-botnet-investigation/
https://hub.dragos.com/hubfs/116-Datasheets/Dragos_IntelBrief_VOLTZITE_FINAL.pdf
https://www.darkreading.com/vulnerabilities-threats/china-s-volt-typhoon-apt-burrows-us-critical-infrastructure
https://blog.barracuda.com/2024/03/14/volt-typhoon-future-war
https://www.justice.gov/opa/pr/us-government-disrupts-botnet-peoples-republic-china-used-conceal-hacking-critical
https://www.cisa.gov/news-events/analysis-reports/ar24-038a