Defending Against Volt Typhoon: A State-Sponsored Stealthy Threat to Critical Infrastructure
Volt Typhoon (also known as Vanguard Panda, BRONZE SILHOUETTE, Dev-0391, UNC3236, Voltzite, and Insidious Taurus) is a state-sponsored cyber actor group believed to be affiliated with the People’s Republic of China (PRC). This group has been actively targeting critical infrastructure sectors in the United States since at least mid-2021. The primary objective of this group is to perform espionage and gain persistent access to target networks for potential disruptive or destructive attacks in the future.
Volt Typhoon – Tactics, Techniques, and Procedures (TTPs)
Volt Typhoon employs a variety of techniques to achieve their goals. Here’s a breakdown of their tactics mapped to the MITRE ATT&CK framework:
- Initial Access:
  - Exploit vulnerabilities in internet-facing devices (e.g., routers, firewalls, VPNs) (ATT&CK Techniques: https://attack.mitre.org/techniques/T1190/) (CVE-2023-46805, CVE-2024-21887, CVE-2024-21893)
  - Abuse legitimate remote access tools (e.g., VPN) (ATT&CK Techniques: https://attack.mitre.org/techniques/T1133/)
- Execution:
  - Living-off-the-Land (LotL) techniques: utilizing built-in system administration tools (e.g., wmic, ntdsutil, netsh, PowerShell) to evade detection (ATT&CK Techniques: https://attack.mitre.org/techniques/T1059/)
- Persistence:
  - Maintaining access through compromised credentials and establishing persistence mechanisms (ATT&CK Techniques: https://attack.mitre.org/techniques/T1059/)
- Privilege Escalation:
  - Exploiting vulnerabilities in operating systems or network services to elevate privileges (ATT&CK Techniques: https://attack.mitre.org/techniques/T1068/)
- Defense Evasion:
  - Abstaining from suspicious activity during non-working hours to avoid detection
  - Using legitimate tools for malicious purposes (LotL) (ATT&CK Techniques: https://attack.mitre.org/techniques/T1027/)
- Credential Access:
  - Stealing administrator credentials within the network (ATT&CK Techniques: https://attack.mitre.org/techniques/T1003/)
- Discovery:
  - Extensive reconnaissance to map the target’s network architecture and user behavior and to identify key personnel (ATT&CK Techniques: https://attack.mitre.org/techniques/T1087/)
- Lateral Movement:
  - Moving laterally within the compromised network to access critical systems (ATT&CK Techniques: https://attack.mitre.org/techniques/T1057/)
- Collection:
  - Potential for gathering sensitive data and intelligence for future operations
CISA Alert AA24-038A provides a detailed analysis of Volt Typhoon’s TTPs, including their reconnaissance tactics and initial access methods, and highlights Volt Typhoon’s use of LotL techniques and targeting of critical infrastructure (https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a). It’s important to note that this is not an exhaustive list, and Volt Typhoon may adapt their tactics based on the target and situation.
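Because the LotL tools listed above (wmic, ntdsutil, netsh, PowerShell) are legitimate administration binaries, detection has to key on how they are invoked and who invokes them rather than on their mere presence, and, since the group deliberately operates during working hours, a time-of-day anomaly alone will not surface them. The following Python is an added example, not code from the page or from NetSecurity’s product: it runs a small LotL watchlist over constructed process-creation events and correlates hits per account, with the field layout, rule names and sample events all assumed here.

```python
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon Event ID 1 / Windows 4688 style); not real telemetry.
# Field order: host|timestamp|user|parent image|command line
SAMPLE_EVENTS = [
    "dc01|2024-03-12 10:14:07|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|ntdsutil.exe snapshot list all",
    "ws17|2024-03-12 10:22:41|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|netsh interface portproxy add v4tov4 listenport=8443",
    "ws17|2024-03-12 10:31:05|CORP\\jdoe|C:\\Windows\\explorer.exe|wmic process call create \"cmd.exe /c hostname\"",
    "ws17|2024-03-12 10:33:19|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|powershell.exe -nop -w hidden -enc QQBBAEEA",
    "ws03|2024-03-12 11:02:50|CORP\\admin|C:\\Windows\\System32\\cmd.exe|netsh advfirewall show allprofiles",
    "srv02|2024-03-12 11:10:00|CORP\\svc_sccm|C:\\Windows\\ccmexec.exe|powershell.exe -File C:\\scripts\\inventory.ps1",
]

# Watchlist rules for the built-in tools the advisory names. Each rule is
# (name, regex on the executable name, regex on the remaining arguments, severity).
# Rule names and thresholds are assumptions for this example.
LOTL_RULES = [
    ("ntdsutil-invoked", r"^ntdsutil(\.exe)?$", r".*", "high"),
    ("netsh-portproxy-added", r"^netsh(\.exe)?$", r"\bportproxy\b.*\badd\b", "high"),
    ("wmic-process-create", r"^wmic(\.exe)?$", r"\bprocess\s+call\s+create\b", "high"),
    ("powershell-hidden-encoded", r"^powershell(\.exe)?$", r"-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden", "medium"),
]

def parse_event(line):
    """Split one pipe-delimited event into named fields."""
    host, ts, user, parent, cmdline = line.split("|", 4)
    return {"host": host, "ts": ts, "user": user, "parent": parent, "cmdline": cmdline}

def match_rules(event):
    """Return the names of rules triggered by one event (empty list when it looks benign)."""
    parts = event["cmdline"].split(None, 1)
    binary = parts[0].rsplit("\\", 1)[-1].lower()   # strip any path prefix
    args = parts[1] if len(parts) > 1 else ""
    return [name for name, bin_re, arg_re, _ in LOTL_RULES
            if re.match(bin_re, binary) and re.search(arg_re, args, re.IGNORECASE)]

def triage(lines):
    """Map each account to the distinct LotL rules it tripped. A single hit is a lead to check
    against change tickets; several distinct tools from one account is the pattern to escalate."""
    hits = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        hits[ev["user"]].update(match_rules(ev))
    return {user: sorted(rules) for user, rules in hits.items() if rules}
```

In a real deployment the watchlist would be tuned against known administrative baselines (backup jobs, SCCM, DC maintenance windows) so that routine use of the same binaries does not page the on-call analyst.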
FBI & US Government Express Concerns about Volt Typhoon
The FBI and US government have expressed strong concern about Volt Typhoon, highlighting the group’s potential to disrupt critical infrastructure and endanger American safety. Here’s a breakdown of their key points and actions:
- Targeting Critical Infrastructure: Both the FBI and government agencies like CISA have emphasized Volt Typhoon’s focus on compromising critical infrastructure sectors in the US. This includes vital services like energy, communications, and transportation.
- Espionage and Disruption: Officials believe Volt Typhoon’s primary objective is not immediate destruction, but gaining long-term access to networks for potential espionage and disruption in the future. This allows them to gather sensitive data and potentially launch attacks in times of geopolitical tension.
- Pre-Positioning for Harm: The FBI Director, Christopher Wray, has specifically warned about Volt Typhoon’s “pre-positioning” to cause real-world harm. This suggests their long-term access could be used to manipulate infrastructure and cause disruptions during future conflicts. (https://www.justice.gov/opa/pr/us-government-disrupts-botnet-peoples-republic-china-used-conceal-hacking-critical)
Industries Targeted By Volt Typhoon:
Volt Typhoon has primarily focused on compromising critical infrastructure organizations in the United States. Their targets have spanned across various sectors, including:
- Communications
- Manufacturing
- Utilities
- Transportation
- Construction
- Maritime
- Government
- Information Technology
- Education
This broad targeting suggests a potential effort to gain a foothold in various sectors for widespread disruption or data collection in the future.
US Government Actions
- Disrupting the Botnet: In a joint effort, the FBI and the Department of Justice collaborated to take down a botnet used by Volt Typhoon to hide their hacking activities. This neutralized a key element of their infrastructure and hindered their ability to operate. (https://www.justice.gov/opa/pr/us-government-disrupts-botnet-peoples-republic-china-used-conceal-hacking-critical)
- Issuing Public Advisories: CISA has published multiple advisories detailing Volt Typhoon’s tactics, techniques, and procedures. This information equips critical infrastructure providers and organizations with the knowledge to detect and defend against potential attacks. (https://www.cisa.gov/news-events/cybersecurity-advisories)
- Collaboration with Private Sector: The US government has acknowledged the importance of collaboration with private sector entities in combating cyber threats. Their joint efforts with these companies were crucial in disrupting the Volt Typhoon botnet. (https://www.justice.gov/opa/pr/us-government-disrupts-botnet-peoples-republic-china-used-conceal-hacking-critical)
The US government’s response reflects a proactive approach to defending critical infrastructure and deterring potential cyberattacks from state-sponsored actors. However, the ongoing investigation and the possibility of Volt Typhoon adapting their tactics highlight the constant vigilance required to stay ahead of cyber threats.
How to Stay Vigilant and Protected from State-Sponsored Threats?
The only way to protect your organization from such sophisticated state-sponsored cyber threats is by adopting unconventional threat detection techniques. Traditional security tools fail to detect such advanced cyber threats. But we have a solution for you!
NetSecurity’s ThreatResponder® Platform is a unified cloud-native cyber-resilient endpoint security platform with an AI-based threat detection engine that can provide effective endpoint threat detection, prevention, response, analytics, intelligence, investigation, and hunting solutions that can help businesses stay ahead of the latest cyber threats.
With ThreatResponder®, organizations gain situational awareness and immediate threat visibility into thousands of endpoints, allowing them to respond to and neutralize cyber attacks across their enterprise. The platform provides 361° threat visibility of enterprise assets, regardless of their location, and is capable of detecting and preventing a wide range of attacks, including exploit, fileless, malware, and ransomware attacks.
The platform is also designed to provide powerful tools for incident response and forensics investigation on remote endpoints, as well as insider threat and data loss prevention capabilities. Furthermore, ThreatResponder® can ingest data from millions of endpoints, providing organizations with valuable insights into users’ activities and network bandwidth utilization. The platform offers a comprehensive threat intelligence module, allowing organizations to consume threat intel from various sources, produce their own threat intelligence, and perform malware analysis using MaLyzer™.
NetSecurity’s ThreatResponder® Platform can help organizations stay ahead of the latest cyber threats. With its comprehensive features, ThreatResponder® provides organizations with the tools they need to detect, prevent, respond to, and investigate cyber attacks, all in one place.
Don’t wait for disaster to strike. Modernize your threat detection capabilities with our ThreatResponder platform today. Contact NetSecurity to learn more and request a free demo.
Disclaimer
The page’s content shall be deemed proprietary and privileged information of NETSECURITY CORPORATION. It shall be noted that NETSECURITY CORPORATION copyrights the contents of this page. Any violation/misuse/unauthorized use of this content “as is” or “modified” shall be considered illegal and subjected to articles and provisions that have been stipulated in the General Data Protection Regulation (GDPR) and Personal Data Protection Law (PDPL).