On March 19, 2024, CISA, along with other participating agencies, released a joint Fact Sheet warning executive leaders in the critical infrastructure sector that Volt Typhoon has strategically pre-positioned itself to conduct cyber attacks against US infrastructure. In the event of escalating tension between the US and China, leaders are encouraged to take all the necessary precautions against this urgent risk to protect critical infrastructure networks.
Volt Typhoon is a People’s Republic of China (PRC) state-sponsored advanced persistent threat group reportedly active since 2021. This group specializes in cyber espionage operations, specifically targeting the Communications, Energy, Transportation Systems, and Water and Wastewater Systems sectors.
Volt Typhoon uses a wide range of sophisticated attack strategies designed to evade conventional detection methods. Initial access generally consists of advanced spear-phishing campaigns and exploitation of publicly disclosed vulnerabilities (CVEs). Recent reporting has shown that Volt Typhoon keeps close watch on public CVE disclosures and exploits them almost immediately, before many organizations have had a chance to patch. After gaining initial access, this threat actor uses various “Living Off the Land” (LOTL) techniques to evade detection. LOTL comprises the use of tools and binaries native to an enterprise network, such as Windows PowerShell, Sysinternals PsExec, the Windows command line, and more. As part of the joint Fact Sheet initiative, CISA also released joint guidance on identifying and mitigating LOTL techniques.
After gaining access, Volt Typhoon quickly harvests credentials for key assets within a system or network with primary objectives being maintaining persistence and data extraction. The group has been observed leveraging compromised Small Office/Home Office (SOHO) routers and virtual private servers (VPS) as part of the KV botnet to proxy command and control (C2) traffic. The group is not known to deploy ransomware or extort its victims, preferring persistence and continued data exfiltration for as long as possible.
In light of the recent advisory, organizations need multiple layers of protection to defend against Volt Typhoon and similar threat actors. Following the Gartner SOC Visibility Triad, an enterprise cybersecurity solution should consist of a SIEM, Endpoint Detection and Response (EDR), and Network Detection and Response (NDR). In the case of Volt Typhoon, the combination of spear-phishing, public vulnerability exploitation, and LOTL techniques presents a difficult situation for traditional cybersecurity solutions. LOTL techniques are effective because they can evade endpoint detection by blending in with legitimate enterprise network activity. As the sophistication of the threat actor increases, additional detection sources grow increasingly critical. In most cases, basic adversary infrastructure depends on C2 servers to communicate commands to the victim machine and complete actions on objectives. This is a primary detection scenario for network-based cybersecurity tools.
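To make the network-side C2 detection scenario concrete, here is an added example (not IronNet's code and not from the advisory) that runs a simple beaconing check over constructed connection-log lines: LOTL tooling may look legitimate on the endpoint, but an implant's periodic check-in to a C2 relay, even one proxied through a compromised SOHO router, still shows up as unusually regular outbound connections. The log format, host name and the documentation-range addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample connection log: timestamp, source host, destination IP, bytes out.
# 203.0.113.7 is a documentation-range placeholder standing in for a compromised
# SOHO router relaying C2; the 198.51.100.20 flows stand in for ordinary browsing.
SAMPLE_LOG = """\
2024-03-19T08:00:02Z ws-042 203.0.113.7 412
2024-03-19T08:00:05Z ws-042 198.51.100.20 9031
2024-03-19T08:05:03Z ws-042 203.0.113.7 420
2024-03-19T08:07:41Z ws-042 198.51.100.20 18802
2024-03-19T08:10:01Z ws-042 203.0.113.7 408
2024-03-19T08:15:04Z ws-042 203.0.113.7 415
2024-03-19T08:20:02Z ws-042 203.0.113.7 419
2024-03-19T08:31:55Z ws-042 198.51.100.20 5120
"""

def parse_log(text):
    """Group connection timestamps by (source host, destination IP)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, _bytes = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts.replace("Z", "+00:00")))
    return flows

def find_beacons(flows, min_count=4, max_jitter=0.1):
    """Flag (src, dst) pairs whose inter-connection intervals are nearly constant.
    Jitter is the coefficient of variation of the gaps between connections:
    human-driven traffic is bursty, while automated check-ins are regular.
    Returns (src, dst, mean period in seconds, jitter) for each hit."""
    hits = []
    for (src, dst), times in flows.items():
        if len(times) < min_count:
            continue  # too few samples to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 0.0
        if jitter <= max_jitter:
            hits.append((src, dst, round(avg), round(jitter, 3)))
    return hits

if __name__ == "__main__":
    for src, dst, period, jitter in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {dst}: ~{period}s beacon, jitter {jitter}")
```

In production the same check would run over NetFlow or proxy logs with a longer window and a jitter threshold tuned against known-good scheduled traffic (update checks, monitoring agents), which also beacon regularly.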
Even after various infrastructure takedown efforts, most notably by the FBI in early December 2023, threats from Volt Typhoon still exist today. With a combination of proactive C2 detections (IronRadar), behavioral analytics, custom detection rules, and anonymized intelligence sharing, IronNet Collective Defense provides a robust network-based detection and monitoring solution that can aid organizations in their defense against Volt Typhoon, novel threats, and other sophisticated threat actors.