Threat Overview
On March 19, 2024, CISA and its partner agencies released a joint Fact Sheet warning executive leaders across the critical infrastructure sectors that Volt Typhoon has strategically pre-positioned itself on US networks so that it can conduct disruptive cyber attacks in the event of escalating tension or conflict between the US and China. Leaders are urged to treat this as an urgent risk now, not after a crisis begins, and to take the necessary precautions to protect critical infrastructure networks.
Volt Typhoon is a People's Republic of China (PRC) state-sponsored advanced persistent threat group reportedly active since 2021. Historically the group has conducted espionage-style intrusions, and the February 2024 joint advisory assesses that it is now pre-positioning for disruption, with a focus on the Communications, Energy, Transportation Systems, and Water and Wastewater Systems sectors.
Tactics, Techniques, and Procedures (TTPs)
Volt Typhoon uses a range of techniques designed to evade conventional detection. Initial access is most often gained by exploiting known vulnerabilities (CVEs) in internet-facing network appliances such as firewalls and VPN gateways, with spear-phishing a secondary vector. Recent reporting shows the group watches public CVE disclosures closely and exploits them before many organizations have had a chance to patch. After gaining initial access, the actor relies on "Living Off the Land" (LOTL) techniques to evade detection: rather than dropping custom malware that endpoint tooling could fingerprint, it uses tools and binaries already present on an enterprise network, such as Windows PowerShell, cmd.exe, netsh, ntdsutil, wmic, and Sysinternals PsExec. CISA and its partners have also released joint guidance on identifying and mitigating LOTL techniques.
Once inside, Volt Typhoon moves quickly to harvest credentials for key assets, domain controllers in particular, with persistence and data collection as its primary objectives. The group proxies command and control (C2) traffic through compromised Small Office/Home Office (SOHO) routers and virtual private servers (VPS), the KV botnet, so that its traffic appears to originate from ordinary residential or hosting address space rather than from known adversary infrastructure. The group is not known to deploy ransomware or extort its victims; it prefers to remain undetected and continue exfiltrating data for as long as possible.
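The LOTL problem described above is that ntdsutil, netsh, vssadmin and wmic are all legitimate administrative tools, so a detection that fires on the binary name alone is useless. The following is an added example, not IronNet's rule set or code from the advisory: it scans process-creation events (Windows Security event 4688 or Sysmon event 1) for command-line patterns of the kind the joint advisory attributes to Volt Typhoon (ntdsutil "ifm" media creation on a domain controller, netsh portproxy pivots, remote process creation via wmic, encoded PowerShell) and escalates a host on one high-severity hit or a chain of two distinct medium-severity hits. The sample events, hostnames, addresses, severities and thresholds are all constructed for the example.

```python
"""Flag Living-Off-the-Land command lines of the kind the joint advisory
attributes to Volt Typhoon, using process-creation events (Windows Security
event 4688 or Sysmon event 1) as input.  Added example; the events below are
constructed, not real telemetry, and the rule set is illustrative."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    severity: str  # "high" or "medium"


# Rules key on the arguments, not just the binary: ntdsutil, netsh, vssadmin and
# wmic are normal admin tools, so matching the image name alone would drown the
# SOC in noise.  Patterns are this example's own, not a vendor's rule set.
RULES = [
    Rule("ntds_dump_via_ntdsutil",
         re.compile(r"ntdsutil(\.exe)?\b.*\bac\s+i\s+ntds\b.*\bifm\b", re.I), "high"),
    Rule("shadow_copy_created",
         re.compile(r"vssadmin(\.exe)?\s+create\s+shadow\b", re.I), "medium"),
    Rule("netsh_portproxy_pivot",
         re.compile(r"netsh(\.exe)?\s+interface\s+portproxy\s+add\b", re.I), "high"),
    Rule("wmic_remote_process_create",
         re.compile(r"wmic(\.exe)?\b.*\bprocess\s+call\s+create\b", re.I), "medium"),
    Rule("powershell_encoded_command",
         re.compile(r"powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s", re.I), "medium"),
]


def scan_event(event: dict) -> list[str]:
    """Names of the rules that match one process-creation event."""
    cmd = event.get("CommandLine", "")
    return [r.name for r in RULES if r.pattern.search(cmd)]


def scan_events(events: list[dict]) -> list[dict]:
    """One alert per (event, rule) match, carrying host and severity."""
    by_name = {r.name: r for r in RULES}
    alerts = []
    for ev in events:
        for name in scan_event(ev):
            alerts.append({"host": ev["Computer"], "rule": name,
                           "severity": by_name[name].severity,
                           "cmd": ev["CommandLine"]})
    return alerts


def hosts_to_escalate(events: list[dict]) -> set[str]:
    """A host is escalated on any high-severity hit, or on two or more distinct
    medium-severity rules (one admin command is noise; a chain is a lead)."""
    hits = defaultdict(set)
    highs = set()
    for a in scan_events(events):
        hits[a["host"]].add(a["rule"])
        if a["severity"] == "high":
            highs.add(a["host"])
    return highs | {h for h, rules in hits.items() if len(rules) >= 2}


# Constructed sample telemetry (hostnames and addresses are placeholders).
SAMPLE_EVENTS = [
    {"Computer": "DC01", "CommandLine":
        'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\Windows\\Temp\\pro" q q'},
    {"Computer": "DC01", "CommandLine": "vssadmin create shadow /for=C:"},
    {"Computer": "WS05", "CommandLine":
        "netsh interface portproxy add v4tov4 listenport=9999 listenaddress=0.0.0.0 "
        "connectport=443 connectaddress=203.0.113.10"},
    {"Computer": "WS05", "CommandLine": "netsh advfirewall show allprofiles"},
    {"Computer": "WS07", "CommandLine":
        'wmic /node:192.0.2.25 process call create "cmd.exe /c dir C:\\"'},
    {"Computer": "WS07", "CommandLine": "powershell.exe -NoP -W Hidden -enc SQBFAFgA"},
    {"Computer": "SRV02", "CommandLine": "vssadmin list shadows"},
]

if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS):
        print(f"[{a['severity']:>6}] {a['host']:<5} {a['rule']:<28} {a['cmd']}")
    print("escalate:", sorted(hosts_to_escalate(SAMPLE_EVENTS)))
```

The benign `netsh advfirewall show` and `vssadmin list shadows` lines produce no alert, which is the point of matching on arguments; in production these patterns would be tuned against a baseline of the organization's own administrative activity, and command-line auditing must be enabled for event 4688 to carry the CommandLine field at all.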
Detection Opportunities
In light of the recent advisory, organizations need multiple layers of protection to defend against Volt Typhoon and similar threat actors. Following the Gartner SOC Visibility Triad, an enterprise cybersecurity architecture should consist of a SIEM, Endpoint Detection and Response (EDR), and Network Detection and Response (NDR). In the case of Volt Typhoon, the combination of vulnerability exploitation, spear-phishing, and LOTL techniques is difficult for traditional, signature-based tooling: LOTL activity evades endpoint detection precisely because it blends in with legitimate administrative use of the same binaries. The more capable the actor, the more the defense depends on having independent detection sources. Even a LOTL intrusion still depends on C2 infrastructure to deliver commands to the victim machine and to retrieve the data the actor collects, and that traffic has to cross the network, where it can be observed regardless of how well the endpoint activity is disguised. This is the primary detection scenario for network-based cybersecurity tools.
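The network-side signature of the C2 dependency described above is periodicity: an implant that checks in on a timer produces a sequence of connections to the same destination whose gaps are nearly constant, even when each check-in is a single small TLS session that looks ordinary on its own. The following is an added example, not IronNet's analytics or code from any vendor: it groups connection-log records by (source, destination, port), computes the inter-connection gaps for each conversation, and flags those whose coefficient of variation falls below a threshold. The flow records, addresses, jitter values and thresholds are constructed for the example.

```python
"""Beacon detection over connection logs: periodic, low-jitter outbound
connections to one destination are the network-side signature of C2 check-ins,
whatever host tool generated them.  Added example with constructed flow
records; the thresholds are this example's assumptions, not a product setting."""
from collections import defaultdict
from statistics import mean, pstdev


def group_flows(flows):
    """Bucket connection start times by (src, dst, dport), sorted in time."""
    buckets = defaultdict(list)
    for f in flows:
        buckets[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    return {k: sorted(v) for k, v in buckets.items()}


def beacon_score(timestamps, min_conns=6):
    """Return (mean_period, coefficient_of_variation) or None if there are too
    few connections to judge.  A low CV means the gaps are nearly constant."""
    if len(timestamps) < min_conns:
        return None
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    mu = mean(gaps)
    if mu <= 0:
        return None
    return mu, pstdev(gaps) / mu


def find_beacons(flows, max_cv=0.15, min_conns=6):
    """Flag conversations whose inter-connection jitter is at or below max_cv."""
    hits = []
    for key, ts in group_flows(flows).items():
        score = beacon_score(ts, min_conns)
        if score and score[1] <= max_cv:
            hits.append({"src": key[0], "dst": key[1], "dport": key[2],
                         "period_s": round(score[0], 1), "cv": round(score[1], 3),
                         "count": len(ts)})
    return sorted(hits, key=lambda h: h["cv"])


def _constructed_flows():
    """Synthetic log: one jittered 60 s beacon and one burst of interactive
    browsing to a different host.  Addresses are documentation ranges."""
    flows = []
    jitter = [0, 2, -1, 3, -2, 1, 0, -3, 2, 1]   # seconds of jitter per check-in
    t = 0
    for j in jitter:
        t += 60 + j
        flows.append({"ts": t, "src": "10.0.0.21", "dst": "203.0.113.10", "dport": 443})
    for t in [5, 7, 8, 30, 95, 96, 200, 410, 412, 900]:  # irregular human browsing
        flows.append({"ts": t, "src": "10.0.0.33", "dst": "198.51.100.7", "dport": 443})
    return flows


SAMPLE_FLOWS = _constructed_flows()

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_FLOWS):
        print(hit)
```

Two caveats a practitioner would want: legitimate periodic traffic (NTP, update checks, monitoring agents) scores just as low, so a hit is a lead to enrich rather than an alert on its own; and because Volt Typhoon relays C2 through compromised SOHO routers, the destination may sit in residential address space with no reputation history, which is why beacon timing needs to be paired with infrastructure intelligence rather than replaced by it.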
IronNet Detection Spotlight
- Exploitation of public vulnerabilities (CVEs) - IronNet Threat Research continuously monitors newly disclosed vulnerabilities and the subsequent release of Proof-of-Concept (PoC) exploit code. When a vulnerability's exploitation is visible in network communications or protocols, IronNet Overwatch writes custom SIGMA detections for it and deploys them across all customer environments.
- Living Off the Land (LOTL) techniques - Through a combination of behavioral analytics, Suricata, and custom SIGMA detection rules, IronNet Collective Defense can detect activity ranging from downloads of known LOTL tools to suspicious internal network communications and suspicious outbound activity from resources such as Windows PowerShell.
- Command and Control (C2) communication - IronRadar is IronNet's proactive threat intelligence feed that identifies C2 infrastructure, in some cases before an actor has used it. This capability is the baseline for IronNet Collective Defense's C2 detection footprint. Threat Intelligence Rules (TIRs) are maintained by IronNet Threat Research as alerts within our NDR solution for static IPs and domains associated with suspicious or malicious activity, including C2 indicators.
- Threat Actor Activity - IronNet Collective Defense uses anonymized threat intelligence and information sharing to let customers correlate alerts and activity instantly across the platform (Dome). This allows Collective Defense community users to remain agile and respond quickly to threats identified by another community member.
Conclusion
Even after infrastructure takedown efforts, most notably the FBI's court-authorized disruption of the KV botnet in December 2023, Volt Typhoon remains active today. With a combination of proactive C2 detections (IronRadar), behavioral analytics, custom detection rules, and anonymized intelligence sharing, IronNet Collective Defense provides a network-based detection and monitoring layer that can aid organizations in their defense against Volt Typhoon, novel threats, and other sophisticated threat actors.