Five Eyes Joint Advisory on Volt Typhoon Chinese State-Sponsored Threat Actor

What You Need to Know

Earlier in February 2024, the Cybersecurity and Infrastructure Security Agency (CISA) put out an alert on Volt Typhoon. Volt Typhoon, also known as Bronze Silhouette, is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021. Volt Typhoon has in the past focused on espionage and information gathering and has targeted critical infrastructure organizations in the US including Guam. Volt Typhoon has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands-on keyboard activities, and stolen credentials.

In March 2024, the "Five Eyes" agencies released an advisory that builds upon the February advisory and provides explicit guidance to critical infrastructure owners and operators. According to the alert, the People's Republic of China (PRC) state-sponsored cyber actors are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.

Critical Infrastructure is Everywhere

Critical infrastructure is not a short list. It is a huge list. It includes, at my count, about 16 industry sectors, most of which have many sub-sectors. CISA covers these in detail. Here are the full CISA definitions. This is my summary:

• Chemical Sector. The chemical sector includes four component sub-sectors which are basic chemicals, specialty chemicals, agricultural chemicals, and consumer products.
• Commercial Facilities Sector. The commercial facilities sector includes eight sub-sectors which are entertainment and media (motion pictures, broadcast media, etc.), gaming (casinos), lodging (hotels, motels, conference centers, rv parks, etc.), outdoor events (amusement parks, marathons, parks, etc.), public assembly (zoos, museums, aquariums, convention centers, stadiums, etc.) real estate (office buildings, apartment buildings, mixed-use facilities, etc.), retail (shopping malls) and sports leagues.
• Communications Sector. The Communications Sector underlies the operations of all businesses, public safety organizations, and government.
• Critical Manufacturing Sector. The Critical Manufacturing Sector includes several core sub-sectors, which include primary metals manufacturing, machinery manufacturing, electrical equipment, appliance and component manufacturing (electric motor manufacturing), and transportation equipment manufacturing (vehicles and commercial ships manufacturing).
• DAMS Sector. The Dams Sector includes more than 90,000 dams in the United State.
• Defense Industrial Base Sector. The Defense Industrial Base Sector (100,000+ contractors) is the worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements.
• Emergency Services Sector. The Emergency Services Sector (ESS) includes facilities and equipment organized primarily at the federal, state, local, tribal, and territorial levels of government, such as city police departments and fire stations, county sheriff's offices, Department of Defense police and fire departments, and town public works departments.
• Energy Sector. The Energy Infrastructure is divided into three interrelated segments: electricity, oil, and natural gas. The U.S. electricity segment contains more than 6,413 power plants (this includes 3,273 traditional electric utilities and 1,738 non utility power producers) with approximately 1,075 gigawatts of installed generation.
• Financial Services Sector. The Financial Services Sector includes thousands of depository institutions, providers of investment products, insurance companies, other credit and financing organizations, and the providers of the critical financial utilities and services that support these functions.
• Food and Agricultural Sector. The Food and Agriculture Sector is almost entirely under private ownership and is composed of an estimated 2.1 million farms; 935,000 restaurants; and more than 200,000 registered food manufacturing, processing, and storage facilities. This sector accounts for roughly one-fifth of the nation's economic activity.
• Government Facilities Sector. The Government Facilities Sector includes a wide variety of buildings, located in the United States and overseas, that are utilized by federal, state, local, and tribal governments. Sub-sectors include Education, National Monuments and Icons, and the Election Infrastructure Sub-sector.
• Healthcare and Public Health Sector. The Healthcare and Public Health Sector protects all sectors of the economy from hazards such as terrorism, infectious disease outbreaks, and natural disasters.
• Information Technology Sector. The Information Technology Sector is central to the nation's security, economy, and public health and safety as businesses, governments, academia, and private citizens are increasingly dependent upon Information Technology Sector functions.
• Nuclear Reactors, Materials, and Waste Sector. This sector we expect, but it never fails to capture my attention each time we dig into it. This is, for all the reasons you already know, perhaps the most frightening sector if compromised. Everything here spells Danger with a capital "D." The Nuclear Reactors, Materials, and Waste Sector includes 92 Active Power Reactors in 30 states. 31 Research and Test Reactors located at universities and national labs. 8 Active Nuclear Fuel Cycle Facilities that are responsible for the production and reprocessing of nuclear reactor fuel. More than 20,000 licensed users of radioactive sources. These radioactive sources are used for medical diagnostics and treatment in hospitals, as well as many other applications.
• Transportation Systems Sector. The Transportation Systems Sector consists of seven key sub sectors including Aviation, Highway and Motor Carrier, Maritime Transportation, Mass Transit and Passenger Rail, Pipeline Systems, Freight Rail Postal and Shipping.
• Water and Wastewater Systems for public drinking water waste management. Utilities are always targets. Back in 2021, we published this blog on a successful breach of a water treatment plant in pursuit of harming the water supply: https://blogs.infoblox.com/security/state-and-local-government-under-attack/. We expect this type of malicious activity to increase under the auspices of Volt Typhoon.

Volt Typhoon Has Compromised the IT Environments of Multiple Organizations Already

U.S. agencies confirm that Volt Typhoon has infiltrated critical infrastructure organizations, primarily in Communications, Energy, Transportation Systems, and Water and Wastewater Systems sectors. As noted earlier, unlike typical cyber espionage, Volt Typhoon's activity suggests they are pre-positioning on IT networks to disrupt functions at a future date by targeting OT assets.

U.S. agencies need to be very wary of these threat actors potentially exploiting their network access during geopolitical tensions or military conflicts. Volt Typhoon employs living off the land (LOTL) techniques, targeting critical infrastructure. Their reliance on valid accounts and robust operational security enables long-term, undetected persistence.

Volt Typhoon actors meticulously conduct pre-exploitation reconnaissance to understand the target organization and its environment. They then customize their tactics, techniques, and procedures (TTPs) to suit the victim's context. These actors allocate ongoing resources to ensure long-term persistence and a deep understanding of the target environment, even beyond the initial compromise.

Volt Typhoon - The Anatomy of the Attack

Volt Typhoon actors adapt their tactics, techniques, and procedures (TTPs) to match the victim's environment. They consistently display a repetitive behavior pattern across the intrusions they've participated in.

Volt Typhoon meticulously conducts pre-compromise reconnaissance to understand the target organization's network architecture and operational protocols. Their reconnaissance efforts include identifying network topologies, security measures, typical user behaviors, and key network and IT personnel by name.

To enhance operational security, Volt Typhoon avoids using compromised credentials during non-working hours to prevent triggering security alerts. They extensively research victim-owned sites, gathering information about the organization's staff, network, and IT administrators. Additionally, they focus on the personal email accounts of critical network and IT personnel. The group gains initial access to the IT network by exploiting known or zero-day vulnerabilities in public-facing network appliances (such as routers, virtual private networks, and firewalls).

Subsequently, they establish a connection to the victim's network via VPN for follow-on activities. Their ultimate objective is to acquire administrator credentials within the network, often exploiting privilege escalation vulnerabilities in the operating system or network services. With valid administrator credentials, Volt Typhoon laterally moves to the domain controller (DC) and other devices using remote access services like Remote Desktop Protocol (RDP).

Volt Typhoon quietly explores the victim's network, utilizing Living-Off-The-Land (LOTL) binaries for stealth. A critical tactic involves leveraging PowerShell to query Windows event logs selectively, focusing on specific users and time periods. By extracting security event logs into .dat files, Volt Typhoon gathers crucial information while evading detection. This strategic blend of pre-compromise reconnaissance and meticulous post-exploitation intelligence collection underscores their highly sophisticated cyber approach.

Volt Typhoon achieves full domain compromise by extracting the Active Directory database (NTDS.dit) from the domain controller (DC). They frequently utilize the Volume Shadow Copy Service (VSS) via command-line utilities like vssadmin to access NTDS.dit. This file serves as a centralized repository containing critical Active Directory data, including user accounts, hashed passwords, and other sensitive information. Leveraging a shadow copy of the volume hosting NTDS.dit allows Volt Typhoon actors to bypass file locking mechanisms present in a live Windows environment, which typically prevent direct access to NTDS.dit while the domain controller is operational.

Volt Typhoon likely employs offline password-cracking techniques to decipher these hashed passwords. They extract the hashes from the NTDS.dit file and then apply various methods, including brute force attacks, dictionary attacks, and sophisticated techniques like rainbow tables, to reveal the plaintext passwords. Successfully decrypting these passwords enables Volt Typhoon actors to gain elevated access and further infiltrate and manipulate the network.

Volt Typhoon subsequently infiltrates networks using elevated credentials, with a focus on accessing Operational Technology (OT) assets. They've tested access to domain-joined OT assets using default vendor credentials. Additionally, they can exploit compromised credentials from NTDS.dit theft to access OT systems. This access allows them to potentially manipulate HVAC systems, disrupt energy and water controls, and cause significant infrastructure failures. In one confirmed case, Volt Typhoon actors moved laterally to a control system and were poised to access a second one.

Volt Typhoon gains access to legitimate accounts and then operates discreetly within the compromised environment. It has become obvious that their focus is primarily on maintaining persistence rather than immediate exploitation. This approach is evident in their methodical re-targeting of the same organizations over extended periods, spanning several years. They meticulously exfiltrate domain credentials, ensuring ongoing access to current and valid accounts. For instance, in one known and documented compromise, Volt Typhoon extracted NTDS.dit from three domain controllers over four years. In another case, they did so twice from a victim within nine months.

Volt Typhoon maintains silence on the network after credential dumping and discovery, refraining from data exfiltration. This aligns with observations by U.S. agencies, suggesting their goal is persistent network access. In a confirmed compromise, an industry partner witnessed Volt Typhoon actors regularly dumping credentials.

Beyond stolen account credentials, the use of Living Off the Land (LOTL) techniques helps the threat actors avoid leaving any detectable malware artifacts. The careful use of log deletion conceals their actions within the compromised environment. Volt Typhoon maintains an unwavering focus on stealth and operational security, which ensures long-term, undetected persistence.

Recommended Mitigations for Volt Typhoon

The CISA February alert on Volt Typhoon recommends that critical infrastructure organizations implement the listed mitigations and proactively search for similar malicious activity. These guidelines, along with the recommendations from the joint guide "Identifying and Mitigating Living Off the Land Techniques," target IT and OT administrators within critical infrastructure entities. By following these mitigations, organizations can disrupt Volt Typhoon's access and mitigate the threat to critical infrastructure.

Leveraging Threat Intelligence as a Strategic Weapon for Your Defense

Volt Typhoon serves as a reminder that we venture further into uncharted waters. We are managing our organizations in the crosshairs of a nation-state-sponsored threat actor. Their demand? Not a ransom, but to shut us completely down and damage our ongoing operations at a moment of their choosing.

Threat intelligence serves as a critical weapon in defending your enterprise. Much of the information about threat actors and their tools that your organization is likely to encounter may already be accessible if you have the right threat intelligence tools. Leveraging threat intelligence enables you to make informed decisions, minimizing your exposure to potential attacks, and allowing for swift detection, mitigation, and recovery during ongoing attacks.

Infoblox combines market-leading DNS expertise with cutting-edge data science to identify threat actor infrastructure before the actors use it. Through several sophisticated algorithms, suspicious and malicious domains are detected from various data sources. These detections are correlated and connected to threat actor infrastructure to allow a holistic view of the threat landscape.

By providing advanced information to preemptively block domains that later turn malicious, we outpace most other threat intelligence sources. With Infoblox, your team can leverage the potent value of DNS-centric threat intelligence while maintaining unified security policies across your entire infrastructure. BloxOne Threat Defense uses Infoblox Threat Intel to see and stop critical threats before other security systems, while ensuring critical domains are not blocked.

Infoblox DNS Detection and Response (DNSDR) works with other security controls and your XDR Architecture to help strengthen your Defense-in-Depth strategy. The goal? To modernize your Defense-in-Depth strategy, reduce risk, and boost the return on investment of your security program.

For Additional Information