| Formation | 2021 or earlier |
|---|---|
| Type | Advanced persistent threat |
| Purpose | Cyberwarfare |
| Location | |
| Affiliations | Chinese government |
Volt Typhoon (also known as VANGUARD PANDA, BRONZE SILHOUETTE, Redfly, Insidious Taurus, Dev-0391, Storm-0391, UNC3236, or VOLTZITE) is an advanced persistent threat engaged in cyberespionage reportedly on behalf of the People's Republic of China. Active since at least mid-2021, the group is known to primarily target United States critical infrastructure.[1] Volt Typhoon focuses on espionage, data theft, and credential access.[2]
According to Microsoft, the group goes to great lengths to avoid detection, and its campaigns prioritize capabilities which enable China to sabotage critical communications infrastructure between the US and Asia during potential future crises. [2] The US government believes the group's goal is to slow down any potential US military mobilization that may come following a Chinese invasion of Taiwan. [3] The Chinese government denies the group exists. [4] [5]
Volt Typhoon is the name currently assigned to the group by Microsoft, and is the most widely used name for the group. The group has also been variously referred to as: [6]
According to a joint publication by all of the cybersecurity and signals intelligence agencies of the Five Eyes, Volt Typhoon's core tactics, techniques, and procedures (TTPs) include living off the land: using built-in network administration tools to carry out their objectives and blending in with normal Windows system and network activity. This tactic avoids endpoint detection and response (EDR) products, which would alert on the introduction of third-party applications to the host, and limits the amount of activity captured in default logging configurations. Some of the built-in tools used by Volt Typhoon are wmic, ntdsutil, netsh, and PowerShell.[8]
The group initially gains access to internet-connected systems by exploiting weaknesses such as weak administrator passwords, factory-default credentials, and devices that have not been updated regularly.[9] Once they gain access to a target, they put a strong emphasis on stealth, relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity.[9]
Volt Typhoon rarely uses malware in its post-compromise activity. Instead, the operators issue commands via the command line to first collect data, including credentials from local and network systems, put the data into an archive file to stage it for exfiltration, and then use the stolen valid credentials to maintain persistence.[2][10] Some of these commands appear to be exploratory or experimental, as the operators adjust and repeat them multiple times. In addition, Volt Typhoon tries to blend into normal network activity by routing traffic through compromised small office and home office network equipment, including routers, firewalls, and VPN hardware.[11] They have also been observed using custom versions of open-source tools to establish a command-and-control (C2) channel over proxies in order to remain hidden.[2][9]
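The two paragraphs above describe the defender's problem with living off the land: the tools involved (wmic, ntdsutil, netsh, PowerShell) are legitimate, so detection has to rest on how they are invoked and on patterns such as credential collection, archive staging and repeated, adjusted commands. The following Python is an added example written for this article, not code from the page, Microsoft or the Five Eyes agencies. The process-creation records are constructed, and the command-line patterns it flags are this example's own assumptions about suspicious usage of those tools; a real deployment would feed it Security event 4688 or Sysmon event 1 command lines instead.

```python
"""Living-off-the-land detection over constructed Windows process-creation events.

Added example for this article (not from the page, Microsoft, or the Five Eyes
advisory). SAMPLE_EVENTS is constructed test data; RULES encodes assumed
suspicious argument patterns for the built-in tools the article names.
"""
import re
from collections import Counter

# Built-in tools named in the article; used for the repetition heuristic below.
LOLBINS = {"wmic", "ntdsutil", "netsh", "powershell"}

# Each rule: (name, regex over the full command line, what the analyst should check).
# These argument patterns are assumptions for this example, not from the article.
RULES = [
    ("ntdsutil_ifm_dump",
     re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b.*\bcreate\b", re.I),
     "Install-from-media snapshot copies NTDS.dit (domain credentials) to disk"),
    ("netsh_portproxy",
     re.compile(r"\bnetsh(\.exe)?\b.*\bportproxy\b.*\badd\b", re.I),
     "Port forwarder set up with a built-in tool; review listen/connect addresses"),
    ("wmic_remote_exec",
     re.compile(r"\bwmic(\.exe)?\b.*\bprocess\b.*\bcall\b.*\bcreate\b", re.I),
     "Process launched through WMI; typical hands-on-keyboard execution"),
    ("powershell_hidden",
     re.compile(r"\bpowershell(\.exe)?\b.*-w(indowstyle)?\s+hidden", re.I),
     "Hidden-window PowerShell; compare against the parent process"),
    ("archive_staging",
     re.compile(r"\b(7z|rar|winrar)(\.exe)?\s+a\s.*\.(7z|zip|rar)\b", re.I),
     "Archive created from collected data: possible staging for exfiltration"),
]

# Constructed 4688-style records (host, account, parent image, command line).
SAMPLE_EVENTS = [
    {"host": "dc01", "user": "CORP\\svc_backup", "parent": "cmd.exe",
     "cmdline": r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Windows\Temp\pro" q q'},
    {"host": "fw-mgmt", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=9999 "
                "connectaddress=10.0.0.5 connectport=8443"},
    {"host": "fw-mgmt", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "cmdline": "netsh interface portproxy show all"},
    {"host": "fw-mgmt", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "cmdline": "netsh interface portproxy delete v4tov4 listenport=9999"},
    {"host": "ws17", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "cmdline": 'wmic process call create "cmd.exe /c whoami"'},
    {"host": "ws17", "user": "CORP\\jdoe", "parent": "explorer.exe",
     "cmdline": 'powershell.exe -nop -w hidden -c "Get-Date"'},
    {"host": "ws17", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "cmdline": r'C:\Program Files\7-Zip\7z.exe a -p -mhe=on C:\Windows\Temp\1.7z C:\Windows\Temp\pro'},
    # Benign uses of the same tools: must not fire.
    {"host": "ws02", "user": "CORP\\alice", "parent": "explorer.exe",
     "cmdline": "netsh wlan show profiles"},
    {"host": "dc01", "user": "CORP\\svc_backup", "parent": "services.exe",
     "cmdline": "wmic.exe os get caption"},
]


def detect(events):
    """Return one finding per (event, matching rule)."""
    findings = []
    for ev in events:
        for name, pattern, note in RULES:
            if pattern.search(ev["cmdline"]):
                findings.append({"rule": name, "host": ev["host"],
                                 "user": ev["user"], "parent": ev["parent"],
                                 "note": note})
    return findings


def repeated_tool_use(events, threshold=3):
    """Flag (host, user, tool) triples where a built-in tool is invoked `threshold`
    or more times. The article notes the operators adjust and repeat commands, and
    repetition of an administrative tool by one account is cheap to baseline."""
    counts = Counter()
    for ev in events:
        image = ev["cmdline"].split()[0].rsplit("\\", 1)[-1].lower()
        tool = image.removesuffix(".exe")
        if tool in LOLBINS:
            counts[(ev["host"], ev["user"], tool)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['host']:8} {f['user']:16} {f['rule']:18} {f['note']}")
    for (host, user, tool), n in repeated_tool_use(SAMPLE_EVENTS).items():
        print(f"{host:8} {user:16} {tool} invoked {n} times")
```

The rules deliberately key on argument structure rather than the image name alone, since the image name is exactly what makes these tools blend in; the benign `netsh wlan` and `wmic os` records stay silent while the install-from-media dump, the port proxy, the WMI launch, the hidden PowerShell window and the 7-Zip archive of the dump directory are each reported.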
In many ways, Volt Typhoon functions similarly to traditional botnet operators, taking control of vulnerable devices such as routers and security cameras to hide and establish a beachhead in advance of using that system to launch future attacks. Operating this way makes it difficult for cybersecurity defenders to accurately identify the source of an attack. [9]
According to Secureworks (a division of Dell), Volt Typhoon's interest in operational security "likely stemmed from embarrassment over the drumbeat of US indictments [of Chinese state-backed hackers] and increased pressure from Chinese leadership to avoid public scrutiny of its cyberespionage activity." [12]
According to cybersecurity researcher Ryan Sherstobitoff, "Unlike attackers who vanish when discovered, this adversary digs in even deeper when exposed". [13]
The US government has repeatedly detected activity on systems in the US and Guam designed to gather information on U.S. critical infrastructure and military capabilities; Microsoft and the agencies said the intrusions could be preparation for a future attack on U.S. critical infrastructure.[2]
In June 2024, Singtel was breached by Volt Typhoon. [14] Following a report by Bloomberg News in November 2024, Singtel responded that it had "eradicated" malware from the threat. [15]
In January 2024, the FBI announced that it had disrupted Volt Typhoon's operations by undertaking court-authorized operations to remove malware from US-based victim routers, and taking steps to prevent reinfection. [16]
The Chinese government denied any involvement in Volt Typhoon and stated that Volt Typhoon is a misinformation campaign by U.S. intelligence agencies, according to state media outlet Xinhua News Agency and China's National Computer Virus Emergency Response Center (CVERC). [4] [5]