Volt Typhoon
Associated Group Descriptions

| Name | Description |
|---|---|
| Vanguard Panda | (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) |
| DEV-0391 | (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) |
| UNC3236 | (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) |
| Voltzite | (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) |
| Insidious Taurus | (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) |
| BRONZE SILHOUETTE | (Citation: Secureworks BRONZE SILHOUETTE May 2023) (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) |
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1087.001 | Account Discovery: Local Account | Volt Typhoon has executed `net user` and `quser` to enumerate local account information. (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) |
| Enterprise | T1087.002 | Account Discovery: Domain Account | Volt Typhoon has run `net group /dom` and `net group "Domain Admins" /dom` in compromised environments for account discovery. (Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023) (Citation: Secureworks BRONZE SILHOUETTE May 2023) |
| Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | Volt Typhoon has archived the ntds.dit database as a multi-volume password-protected archive with 7-Zip. (Citation: Secureworks BRONZE SILHOUETTE May 2023) (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Volt Typhoon has used PowerShell, including for remote system discovery. (Citation: Microsoft Volt Typhoon May 2023) (Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023) (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Volt Typhoon has used the Windows command line to perform hands-on-keyboard activities in targeted environments, including for discovery. (Citation: Microsoft Volt Typhoon May 2023) (Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023) (Citation: Secureworks BRONZE SILHOUETTE May 2023) (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) |
| Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell | Volt Typhoon has used Brightmetricagent.exe, which contains a command-line interface (CLI) library that can leverage command shells including Z Shell (zsh). (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) |
| Enterprise | T1584.003 | Compromise Infrastructure: Virtual Private Server | Volt Typhoon has compromised Virtual Private Servers (VPS) to proxy C2 traffic. (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) |
| Enterprise | T1584.004 | Compromise Infrastructure: Server | Volt Typhoon has used compromised Paessler Router Traffic Grapher (PRTG) servers from other organizations for C2. (Citation: Secureworks BRONZE SILHOUETTE May 2023) (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) |
| Enterprise | T1584.005 | Compromise Infrastructure: Botnet | Volt Typhoon has used compromised Cisco and NETGEAR end-of-life SOHO routers implanted with KV Botnet malware to support operations. (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) |
| Enterprise | T1584.008 | Compromise Infrastructure: Network Devices | Volt Typhoon has compromised small office and home office (SOHO) network edge devices, many of which were located in the same geographic area as the victim, to proxy network traffic. (Citation: Microsoft Volt Typhoon May 2023) (Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023) |
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Volt Typhoon has targeted network administrator browser data, including browsing history and stored credentials. (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | Volt Typhoon has saved stolen files, including the `ntds.dit` database and the `SYSTEM` and `SECURITY` Registry hives, locally to the `C:\Windows\Temp\` directory. (Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023) (Citation: Secureworks BRONZE SILHOUETTE May 2023) |
| Enterprise | T1587.004 | Develop Capabilities: Exploits | Volt Typhoon has exploited zero-day vulnerabilities for initial access. (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Volt Typhoon has used a version of the Awen web shell that employed AES encryption and decryption for C2 communications. (Citation: Secureworks BRONZE SILHOUETTE May 2023) |
| Enterprise | T1589.002 | Gather Victim Identity Information: Email Addresses | Volt Typhoon has targeted the personal emails of key network and IT staff at victim organizations. (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) |
| Enterprise | T1590.004 | Gather Victim Network Information: Network Topology | Volt Typhoon has conducted extensive reconnaissance of victim networks, including identifying network topologies. (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) |
| Enterprise | T1590.006 | Gather Victim Network Information: Network Security Appliances | Volt Typhoon has identified target network security measures as part of pre-compromise reconnaissance. (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) |
| Enterprise | T1591.004 | Gather Victim Org Information: Identify Roles | Volt Typhoon has identified key network and IT staff members pre-compromise at targeted organizations. (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) |
| Enterprise | T1070.001 | Indicator Removal: Clear Windows Event Logs | Volt Typhoon has selectively cleared Windows Event Logs, system logs, and other technical artifacts to remove evidence of intrusion activity. (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | Volt Typhoon has run `rd /S` to delete their working directories and deleted systeminfo.dat from `C:\Users\Public\Documentsfiles`. (Citation: Secureworks BRONZE SILHOUETTE May 2023) (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) |
| Enterprise | T1070.007 | Indicator Removal: Clear Network Connection History and Configurations | Volt Typhoon has inspected server logs to remove their IPs. (Citation: Secureworks BRONZE SILHOUETTE May 2023) |
| Enterprise | T1056.001 | Input Capture: Keylogging | Volt Typhoon has created and accessed a file named rult3uil.log on compromised domain controllers to capture keypresses and command execution. (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Volt Typhoon has used legitimate-looking filenames for compressed copies of the ntds.dit database and used names including cisco_up.exe, cl64.exe, vm3dservice.exe, watchdogd.exe, Win.exe, WmiPreSV.exe, and WmiPrvSE.exe for the Earthworm and Fast Reverse Proxy tools. (Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023) (Citation: Secureworks BRONZE SILHOUETTE May 2023) (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) |
| Enterprise | T1036.008 | Masquerading: Masquerade File Type | Volt Typhoon has appended copies of the ntds.dit database with a .gif file extension. (Citation: Secureworks BRONZE SILHOUETTE May 2023) |
| Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | Volt Typhoon has attempted to access hashed credentials from the LSASS process memory space. (Citation: Microsoft Volt Typhoon May 2023) (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) |
| Enterprise | T1003.003 | OS Credential Dumping: NTDS | Volt Typhoon has used ntdsutil to create domain controller installation media containing usernames and password hashes. (Citation: Microsoft Volt Typhoon May 2023) (Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023) (Citation: Secureworks BRONZE SILHOUETTE May 2023) (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | Volt Typhoon has used the Ultimate Packer for Executables (UPX) to obfuscate the FRP client files BrightmetricAgent.exe and SMSvcService.exe and the port scanning utility ScanLine. (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | Volt Typhoon has used legitimate network and forensic tools and customized versions of open-source tools for C2. (Citation: Microsoft Volt Typhoon May 2023) (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) |
| Enterprise | T1588.006 | Obtain Capabilities: Vulnerabilities | Volt Typhoon has used publicly available exploit code for initial access. (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) |
| Enterprise | T1069.001 | Permission Groups Discovery: Local Groups | Volt Typhoon has run `net localgroup administrators` in compromised environments to enumerate accounts. (Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023) |
| Enterprise | T1069.002 | Permission Groups Discovery: Domain Groups | Volt Typhoon has run `net group` in compromised environments to discover domain groups. (Citation: Secureworks BRONZE SILHOUETTE May 2023) |
| Enterprise | T1090.001 | Proxy: Internal Proxy | Volt Typhoon has used the built-in netsh `port proxy` command to create proxies on compromised systems to facilitate access. (Citation: Microsoft Volt Typhoon May 2023) (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) |
| Enterprise | T1090.003 | Proxy: Multi-hop Proxy | Volt Typhoon has used multi-hop proxies for command-and-control infrastructure. (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) |
| Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | Volt Typhoon has moved laterally to the Domain Controller via RDP using a compromised account with domain administrator privileges. (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) |
| Enterprise | T1596.005 | Search Open Technical Databases: Scan Databases | Volt Typhoon has used FOFA, Shodan, and Censys to search for exposed victim infrastructure. (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) |
| Enterprise | T1505.003 | Server Software Component: Web Shell | Volt Typhoon has used webshells, including ones named AuditReport.jspx and iisstart.aspx, in compromised environments. (Citation: Secureworks BRONZE SILHOUETTE May 2023) |
| Enterprise | T1016.001 | System Network Configuration Discovery: Internet Connection Discovery | Volt Typhoon has employed Ping to check network connectivity. (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) |
| Enterprise | T1552.004 | Unsecured Credentials: Private Keys | Volt Typhoon has accessed a Local State file that contains the AES key used to encrypt passwords stored in the Chrome browser. (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) |
| Enterprise | T1078.002 | Valid Accounts: Domain Accounts | Volt Typhoon has used compromised domain accounts to authenticate to devices on compromised networks. (Citation: Microsoft Volt Typhoon May 2023) (Citation: Secureworks BRONZE SILHOUETTE May 2023) (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) |
| Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | Volt Typhoon has run system checks to determine if they were operating in a virtualized environment. (Citation: Microsoft Volt Typhoon May 2023) |
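As an added example (not part of the ATT&CK page or any cited advisory), a small detection pass over constructed process-creation events for the living-off-the-land commands the table above attributes to Volt Typhoon: `net group "Domain Admins" /dom`, `netsh` port proxies, `ntdsutil` IFM media, 7-Zip archives of ntds.dit under a `.gif` name, `wevtutil` log clearing and `rd /S` cleanup. The log format, host and user names are made up; the technique IDs are the ones in the table.

```python
"""Added example: scan constructed process-creation events for the LOTL command
patterns this page attributes to Volt Typhoon. Hosts, users and the log format
are made up; the technique IDs are the ones listed in the table above."""
import re
from typing import NamedTuple

Hit = NamedTuple("Hit", [("host", str), ("user", str), ("technique", str), ("reason", str)])

# (technique ID from the page, what a match means, regex over the full command line)
RULES = [
    ("T1087.002", "Domain Admins enumeration via net group /dom",
     re.compile(r'\bnet1?\s+group\s+"?domain\s+admins"?\s+/dom(?:ain)?\b', re.I)),
    ("T1090.001", "netsh portproxy listener added",
     re.compile(r'\bnetsh\b.*\bportproxy\b.*\badd\b', re.I)),
    ("T1003.003", "ntdsutil IFM media creation (NTDS dump)",
     re.compile(r'\bntdsutil\b.*\bifm\b', re.I)),
    ("T1560.001", "7-Zip archive built from ntds.dit",
     re.compile(r'\b7z[ar]?(?:\.exe)?\b.*\bntds\.dit\b', re.I)),
    ("T1036.008", "ntds copy written under a .gif name",
     re.compile(r'\bntds\b.*\.gif\b', re.I)),
    ("T1070.001", "wevtutil clearing an event log",
     re.compile(r'\bwevtutil(?:\.exe)?\s+cl\b', re.I)),
    ("T1070.004", "rd /S recursive removal of a working directory",
     re.compile(r'\brd\s+/s\b', re.I)),
]

def parse_event(line: str) -> tuple[str, str, str]:
    """Constructed format: '<timestamp>|<host>|<user>|<command line>'."""
    _ts, host, user, cmdline = line.split("|", 3)
    return host.strip(), user.strip(), cmdline.strip()

def scan(events: list[str]) -> list[Hit]:
    """One Hit per (event, rule) match; a single command can trip several
    rules, e.g. 7-Zip of ntds.dit into an archive named ntds.gif."""
    hits = []
    for line in events:
        host, user, cmdline = parse_event(line)
        for tid, reason, rx in RULES:
            if rx.search(cmdline):
                hits.append(Hit(host, user, tid, reason))
    return hits

# Constructed sample: benign admin noise mixed with page-described activity.
SAMPLE_EVENTS = [
    "2024-02-01T09:00:01|WS01|corp\\alice|ping 10.0.0.1",
    "2024-02-01T09:00:05|DC01|corp\\svc_backup|net group \"Domain Admins\" /dom",
    "2024-02-01T09:02:10|DC01|corp\\svc_backup|ntdsutil \"ac i ntds\" \"ifm\" \"create full C:\\Windows\\Temp\\pro\" q q",
    "2024-02-01T09:05:33|DC01|corp\\svc_backup|7z.exe a -v500m -p<redacted> C:\\Windows\\Temp\\ntds.gif \"C:\\Windows\\Temp\\pro\\Active Directory\\ntds.dit\"",
    "2024-02-01T09:10:00|FS02|corp\\svc_backup|netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5 connectport=8443",
    "2024-02-01T09:30:00|DC01|corp\\svc_backup|wevtutil cl Security",
    "2024-02-01T09:31:00|DC01|corp\\svc_backup|rd /S /Q C:\\Windows\\Temp\\pro",
    "2024-02-01T10:00:00|WS01|corp\\alice|net user alice",
]

if __name__ == "__main__":
    print(*scan(SAMPLE_EVENTS), sep="\n")
```

In a real pipeline the same rules would run over Sysmon Event ID 1 or Security 4688 command lines; the point of the sample is that the chain is visible only when these individually unremarkable commands are correlated on one host and account.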
Software

| ID | Name | References | Techniques |
|---|---|---|---|
| S0039 | Net | (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) (Citation: Microsoft Net Utility) (Citation: Savill 1999) (Citation: Secureworks BRONZE SILHOUETTE May 2023) | Password Policy Discovery, Domain Groups, System Time Discovery, Domain Account, Local Account, System Service Discovery, Remote System Discovery, Network Share Discovery, System Network Connections Discovery, Network Share Connection Removal, Service Execution, Local Account, Additional Local or Domain Groups, Local Groups, SMB/Windows Admin Shares, Domain Account |
| S0160 | certutil | (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) (Citation: Secureworks BRONZE SILHOUETTE May 2023) (Citation: TechNet Certutil) | Archive via Utility, Install Root Certificate, Deobfuscate/Decode Files or Information, Ingress Tool Transfer |
| S1154 | VersaMem | (Citation: Lumen Versa 2024) | Credential API Hooking, Exploitation for Client Execution, Encrypted/Encoded File, File Deletion, Command and Scripting Interpreter, Local Data Staging, Network Sniffing, Shared Modules |
| S0357 | Impacket | (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) (Citation: Impacket Tools) (Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023) (Citation: Microsoft Volt Typhoon May 2023) | LLMNR/NBT-NS Poisoning and SMB Relay, Network Sniffing, Kerberoasting, Ccache Files, NTDS, Service Execution, LSASS Memory, Windows Management Instrumentation, Security Account Manager, LSA Secrets |
| S0100 | ipconfig | (Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023) (Citation: TechNet Ipconfig) | System Network Configuration Discovery |
| S0057 | Tasklist | (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) (Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023) (Citation: Microsoft Tasklist) (Citation: Secureworks BRONZE SILHOUETTE May 2023) | Process Discovery, System Service Discovery, Security Software Discovery |
| S1144 | FRP | (Citation: DFIR Phosphorus November 2021) (Citation: FRP GitHub) (Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023) (Citation: Microsoft Volt Typhoon May 2023) (Citation: RedCanary Mockingbird May 2020) | Non-Application Layer Protocol, JavaScript, Proxy, Protocol Tunneling, Asymmetric Cryptography, Network Service Discovery, System Network Connections Discovery, Multi-hop Proxy, Symmetric Cryptography, Web Protocols |
| S0104 | netstat | (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) (Citation: Secureworks BRONZE SILHOUETTE May 2023) (Citation: TechNet Netstat) | System Network Connections Discovery |
| S0108 | netsh | (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) (Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023) (Citation: Microsoft Volt Typhoon May 2023) (Citation: TechNet Netsh) | Disable or Modify System Firewall, Netsh Helper DLL, Proxy, Security Software Discovery |
| S0096 | Systeminfo | (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) (Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023) (Citation: Secureworks BRONZE SILHOUETTE May 2023) (Citation: TechNet Systeminfo) | System Information Discovery |
| S0359 | Nltest | (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) (Citation: Nltest Manual) (Citation: Secureworks BRONZE SILHOUETTE May 2023) | Domain Trust Discovery, Remote System Discovery, System Network Configuration Discovery |
| S0002 | Mimikatz | (Citation: Adsecurity Mimikatz Guide) (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) (Citation: Deply Mimikatz) (Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023) | DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets |
| S0097 | Ping | (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) (Citation: Microsoft Volt Typhoon May 2023) (Citation: TechNet Ping) | Remote System Discovery |
| S0106 | cmd | (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) (Citation: TechNet Cmd) (Citation: TechNet Copy) (Citation: TechNet Del) (Citation: TechNet Dir) | File and Directory Discovery, Ingress Tool Transfer, System Information Discovery, File Deletion, Windows Command Shell, Lateral Tool Transfer |
| S0075 | Reg | (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) (Citation: Microsoft Reg) (Citation: Windows Commands JPCERT) | Credentials in Registry, Query Registry, Modify Registry |
| S0645 | Wevtutil | (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) (Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023) (Citation: Wevtutil Microsoft Documentation) | Clear Windows Event Logs, Disable Windows Event Logging, Data from Local System |
| S0029 | PsExec | (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) | SMB/Windows Admin Shares, Windows Service, Lateral Tool Transfer, Service Execution, Domain Account |
References

- CISA et al. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
- Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved July 27, 2023.
- NSA et al. (2023, May 24). People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023.
- Counter Threat Unit Research Team. (2023, May 24). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations. Retrieved July 27, 2023.
- Black Lotus Labs. (2024, August 27). Taking The Crossroads: The Versa Director Zero-Day Exploitation. Retrieved August 27, 2024.