05/08/2024 | News release | Distributed by Public on 05/08/2024 11:16
Earlier, in February 2024, the Cybersecurity and Infrastructure Security Agency (CISA) put out an alert on Volt Typhoon. Volt Typhoon, also known as Bronze Silhouette, is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021. Volt Typhoon has in the past focused on espionage and information gathering and has targeted critical infrastructure organizations in the US, including Guam. Volt Typhoon has emphasized stealth in its operations, using web shells, living-off-the-land (LOTL) binaries, hands-on-keyboard activity, and stolen credentials.
In March 2024, the "Five Eyes" agencies released an advisory that builds upon the February advisory and provides explicit guidance to critical infrastructure owners and operators. According to the alert, the People's Republic of China (PRC) state-sponsored cyber actors are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.
The New Normal is that well-funded, highly skilled nation-state actors want to invade enterprise networks and resources and pre-position malicious software. This software is designed to deliver a destructive blow to operational capabilities that rely on your information technology assets upon command at some point in the future. These threat actors may be in your networks even now.
Critical infrastructure is not a short list. It is a huge list. It includes, at my count, about 16 industry sectors, most of which have many sub-sectors. CISA covers these in detail. Here are the full CISA definitions. This is my summary:
U.S. agencies confirm that Volt Typhoon has infiltrated critical infrastructure organizations, primarily in Communications, Energy, Transportation Systems, and Water and Wastewater Systems sectors. As noted earlier, unlike typical cyber espionage, Volt Typhoon's activity suggests they are pre-positioning on IT networks to disrupt functions at a future date by targeting OT assets.
U.S. agencies need to be very wary of these threat actors potentially exploiting their network access during geopolitical tensions or military conflicts. Volt Typhoon employs living off the land (LOTL) techniques, targeting critical infrastructure. Their reliance on valid accounts and robust operational security enables long-term, undetected persistence.
Volt Typhoon has been active for longer than you might suspect. U.S. government agencies have recently observed indications of Volt Typhoon threat actors maintaining access and footholds within some victim IT environments for at least five (5) years.
Volt Typhoon actors meticulously conduct pre-exploitation reconnaissance to understand the target organization and its environment. They then customize their tactics, techniques, and procedures (TTPs) to suit the victim's context. These actors allocate ongoing resources to ensure long-term persistence and a deep understanding of the target environment, even beyond the initial compromise.
Volt Typhoon actors adapt their tactics, techniques, and procedures (TTPs) to match the victim's environment. Across the intrusions they have taken part in, however, they display a consistent, repeated pattern of behavior.
Volt Typhoon's target choice and behavior pattern are inconsistent with traditional cyber espionage or intelligence-gathering operations. U.S. agencies have assessed with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable the future disruption and/or destruction of OT functions across multiple critical infrastructure sectors.
Volt Typhoon meticulously conducts pre-compromise reconnaissance to understand the target organization's network architecture and operational protocols. Their reconnaissance efforts include identifying network topologies, security measures, typical user behaviors, and key network and IT personnel by name.
To enhance operational security, Volt Typhoon avoids using compromised credentials during non-working hours to prevent triggering security alerts. They extensively research victim-owned sites, gathering information about the organization's staff, network, and IT administrators. Additionally, they focus on the personal email accounts of critical network and IT personnel. The group gains initial access to the IT network by exploiting known or zero-day vulnerabilities in public-facing network appliances (such as routers, virtual private networks, and firewalls).
Subsequently, they establish a connection to the victim's network via VPN for follow-on activities. Their ultimate objective is to acquire administrator credentials within the network, often exploiting privilege escalation vulnerabilities in the operating system or network services. With valid administrator credentials, Volt Typhoon laterally moves to the domain controller (DC) and other devices using remote access services like Remote Desktop Protocol (RDP).
Volt Typhoon quietly explores the victim's network, utilizing Living-Off-The-Land (LOTL) binaries for stealth. A critical tactic involves leveraging PowerShell to query Windows event logs selectively, focusing on specific users and time periods. By extracting security event logs into .dat files, Volt Typhoon gathers crucial information while evading detection. This strategic blend of pre-compromise reconnaissance and meticulous post-exploitation intelligence collection underscores their highly sophisticated cyber approach.
Volt Typhoon achieves full domain compromise by extracting the Active Directory database (NTDS.dit) from the domain controller (DC). They frequently utilize the Volume Shadow Copy Service (VSS) via command-line utilities like vssadmin to access NTDS.dit. This file serves as a centralized repository containing critical Active Directory data, including user accounts, hashed passwords, and other sensitive information. Leveraging a shadow copy of the volume hosting NTDS.dit allows Volt Typhoon actors to bypass file locking mechanisms present in a live Windows environment, which typically prevent direct access to NTDS.dit while the domain controller is operational.
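The hunting logic implied by the last three paragraphs (RDP lateral movement to the domain controller, selective export of Windows event logs to .dat files, and shadow-copy access to NTDS.dit via vssadmin), written out as an added Python example. This is not code from the original release or from Infoblox. The host names, the jump-host allow-list, the command-line heuristics, the event field names and the JSON-lines sample are all constructed for the example; in practice the input would be Security event IDs 4624 (logon, with LogonType 10 meaning RDP) and 4688 (process creation, which only carries a command line if command-line auditing is enabled) forwarded from the domain controllers to a SIEM.

```python
"""Added example (not from the original release): hunting over Windows Security
events for the LOTL pattern described above: RDP logons to a domain controller
from an unexpected host, selective export of event logs, and shadow-copy access
to NTDS.dit.  Event IDs assumed: 4624 (logon, LogonType 10 = RDP) and 4688
(process creation, with command-line auditing enabled)."""
import json
import re

# Assumptions for this example: which hosts are DCs and which hosts admins RDP from.
DOMAIN_CONTROLLERS = {"DC01", "DC02"}
ADMIN_JUMP_HOSTS = {"JUMP01"}

# Command-line heuristics (constructed for this example, case-insensitive).
# The first matching rule names the finding.
PROCESS_RULES = [
    ("shadow_copy_created", re.compile(r"\bvssadmin(\.exe)?\b.*\bcreate\s+shadow\b", re.I)),
    ("ntds_dit_accessed", re.compile(r"ntds\.dit", re.I)),
    ("event_log_exported", re.compile(r"\bwevtutil(\.exe)?\b.*\b(epl|export-log)\b", re.I)),
    ("event_log_exported", re.compile(r"Get-WinEvent\b.*\.dat\b", re.I)),
]

# Constructed sample events (not real telemetry). <SHADOW-COPY-PATH> is a placeholder.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "DC01", "LogonType": 10,
     "TargetUserName": "svc_backup", "WorkstationName": "JUMP01", "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "Computer": "DC01", "LogonType": 10,
     "TargetUserName": "jsmith", "WorkstationName": "WS-FINANCE-07", "IpAddress": "10.0.3.42"},
    {"EventID": 4624, "Computer": "WS01", "LogonType": 2,
     "TargetUserName": "jsmith", "WorkstationName": "WS01", "IpAddress": "-"},
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "jsmith",
     "CommandLine": "vssadmin.exe create shadow /for=C:"},
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "jsmith",
     "CommandLine": "cmd.exe /c copy <SHADOW-COPY-PATH>\\Windows\\NTDS\\ntds.dit C:\\Windows\\Temp\\ad.dat"},
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "jsmith",
     "CommandLine": "wevtutil.exe epl Security C:\\Windows\\Temp\\sec.dat"},
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "SYSTEM",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "jsmith",
     "CommandLine": "powershell.exe Get-WinEvent -FilterHashtable @{LogName='Security';ID=4624} "
                    "| Export-Clixml C:\\Windows\\Temp\\u.dat"},
]
SAMPLE_LINES = [json.dumps(ev) for ev in SAMPLE_EVENTS]  # what a SIEM JSON-lines export looks like


def check_logon(ev):
    """Flag RDP (LogonType 10) logons to a DC from a host outside the jump-host set.
    Working-hours baselining alone would miss this actor, who deliberately uses
    stolen credentials during business hours, so the check keys on the source host."""
    if ev.get("EventID") != 4624 or ev.get("LogonType") != 10:
        return None
    if ev.get("Computer") not in DOMAIN_CONTROLLERS:
        return None
    if ev.get("WorkstationName") in ADMIN_JUMP_HOSTS:
        return None
    return {"rule": "rdp_to_dc_from_unexpected_host", "host": ev["Computer"],
            "user": ev.get("TargetUserName"),
            "source": ev.get("WorkstationName") or ev.get("IpAddress")}


def check_process(ev):
    """Flag process creations whose command line matches a LOTL credential-access
    or log-export heuristic, on any host (NTDS.dit access is never benign off a DC)."""
    if ev.get("EventID") != 4688:
        return None
    cmd = ev.get("CommandLine", "")
    for name, pattern in PROCESS_RULES:
        if pattern.search(cmd):
            return {"rule": name, "host": ev.get("Computer"),
                    "user": ev.get("SubjectUserName"), "command": cmd}
    return None


def hunt(lines):
    """Run every check over an iterable of JSON-lines events; returns a list of findings."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        for check in (check_logon, check_process):
            finding = check(ev)
            if finding:
                findings.append(finding)
    return findings


def hunt_sample():
    """Convenience wrapper that runs the hunt over the constructed sample."""
    return hunt(SAMPLE_LINES)


if __name__ == "__main__":
    for f in hunt_sample():
        print(f"[{f['rule']}] host={f['host']} user={f['user']} "
              f"{f.get('source') or f.get('command')}")
```

On the sample, the hunt flags the RDP logon from the finance workstation, the shadow-copy creation, the copy that touches ntds.dit, and both log exports, while the jump-host logon, the workstation logon and the svchost process pass. The heuristics are deliberately narrow; a production rule set would also correlate the findings by host and time, since a shadow-copy creation followed within minutes by an NTDS.dit read on the same DC is the sequence that matters.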
Volt Typhoon likely employs offline password-cracking techniques to recover plaintext passwords from these hashes. They extract the hashes from the NTDS.dit file and then apply various methods, including brute-force attacks, dictionary attacks, and precomputed approaches such as rainbow tables, to reveal the plaintext passwords. Successfully cracking these passwords enables Volt Typhoon actors to gain elevated access and further infiltrate and manipulate the network.
Volt Typhoon subsequently infiltrates networks using elevated credentials, with a focus on accessing Operational Technology (OT) assets. They've tested access to domain-joined OT assets using default vendor credentials. Additionally, they can exploit compromised credentials from NTDS.dit theft to access OT systems. This access allows them to potentially manipulate HVAC systems, disrupt energy and water controls, and cause significant infrastructure failures. In one confirmed case, Volt Typhoon actors moved laterally to a control system and were poised to access a second one.
Volt Typhoon gains access to legitimate accounts and then operates discreetly within the compromised environment. It has become obvious that their focus is primarily on maintaining persistence rather than immediate exploitation. This approach is evident in their methodical re-targeting of the same organizations over extended periods, spanning several years. They meticulously exfiltrate domain credentials, ensuring ongoing access to current and valid accounts. For instance, in one known and documented compromise, Volt Typhoon extracted NTDS.dit from three domain controllers over four years. In another case, they did so twice from a victim within nine months.
Volt Typhoon maintains silence on the network after credential dumping and discovery, refraining from data exfiltration. This aligns with observations by U.S. agencies, suggesting their goal is persistent network access. In a confirmed compromise, an industry partner witnessed Volt Typhoon actors regularly dumping credentials.
Beyond stolen account credentials, the use of Living Off the Land (LOTL) techniques helps the threat actors avoid leaving any detectable malware artifacts. The careful use of log deletion conceals their actions within the compromised environment. Volt Typhoon maintains an unwavering focus on stealth and operational security, which ensures long-term, undetected persistence.
The CISA February alert on Volt Typhoon recommends that critical infrastructure organizations implement the listed mitigations and proactively search for similar malicious activity. These guidelines, along with the recommendations from the joint guide "Identifying and Mitigating Living Off the Land Techniques," target IT and OT administrators within critical infrastructure entities. By following these mitigations, organizations can disrupt Volt Typhoon's access and mitigate the threat to critical infrastructure.
Volt Typhoon serves as a reminder that we are venturing further into uncharted waters. We are managing our organizations in the crosshairs of a nation-state-sponsored threat actor. Their demand? Not a ransom, but to shut us completely down and damage our ongoing operations at a moment of their choosing.
Threat intelligence serves as a critical weapon in defending your enterprise. Much of the information about threat actors and their tools that your organization is likely to encounter may already be accessible if you have the right threat intelligence tools. Leveraging threat intelligence enables you to make informed decisions, minimizing your exposure to potential attacks, and allowing for swift detection, mitigation, and recovery during ongoing attacks.
Threat intelligence helps to provide a comprehensive view of cyber threats. It reveals the identity, motivations, and methods of attackers. By understanding their chosen tactics and techniques, organizations can proactively defend against potential assaults.
Infoblox combines market-leading DNS expertise with cutting-edge data science to identify threat actor infrastructure before the actors use it. Through several sophisticated algorithms, suspicious and malicious domains are detected from various data sources. These detections are correlated and connected to threat actor infrastructure to allow a holistic view of the threat landscape.
By providing advanced information to preemptively block domains that later turn malicious, we outpace most other threat intelligence sources. With Infoblox, your team can leverage the potent value of DNS-centric threat intelligence while maintaining unified security policies across your entire infrastructure. BloxOne Threat Defense uses Infoblox Threat Intel to see and stop critical threats before other security systems, while ensuring critical domains are not blocked.
Infoblox DNS Detection and Response (DNSDR) works with other security controls and your XDR architecture to help strengthen your defense-in-depth strategy. The goal? To modernize your defense-in-depth strategy, reduce risk, and boost the return on investment of your security program.
To learn more about suspicious domains and DNS early detection:
https://www.infoblox.com/threat-intel/
To learn more about BloxOne Threat Defense:
https://www.infoblox.com/products/bloxone-threat-defense/
To learn more about Threat Insight:
https://insights.infoblox.com/resources-datasheets/infoblox-datasheet-threat-insight
To learn more about the National Security Agency (NSA) and Cybersecurity & Infrastructure Security Agency (CISA) guidance on Protective DNS:
https://media.defense.gov/2021/Mar/03/2002593055/-1/-1/0/CSI_PROTECTIVE%20DNS_UOO117652-21.PDF