Origin and Discovery

Volt Typhoon, a sophisticated state-sponsored hacker group from China, has been implicated in various cyber espionage activities targeting critical infrastructure in the United States and its territories. The group has been known by multiple aliases, including Vanguard Panda, Bronze Silhouette, Dev-0391, UNC3236, Voltzite, and Insidious Taurus. These activities align with broader trends in Chinese state-sponsored hacking observed over recent years. The discovery of Volt Typhoon's activities was publicly announced by security analysts at Microsoft in May 2023, though some experts believe that the group may have been active since mid-2021 or even earlier. Volt Typhoon has primarily targeted systems related to communications, energy, transportation, and water and wastewater services, demonstrating a particular focus on critical infrastructure components. The group employs a variety of techniques to gain initial access, including exploiting unpatched vulnerabilities and using phishing tactics.

One of the notable aspects of Volt Typhoon's operations is its use of "living-off-the-land" (LOTL) techniques, which involve leveraging native tools and processes within the operating systems to blend in with normal network traffic and evade detection. This method has made it challenging for cybersecurity defenders to accurately trace and mitigate their activities, as the group can hide within compromised systems and use them as a base for future attacks. The United States government, alongside its key international intelligence partners known as the Five Eyes, issued a formal warning on March 19, 2024, about the ongoing threat posed by Volt Typhoon. Despite these findings, the Chinese government has consistently denied engaging in any form of offensive cyberespionage. The persistent and adaptable nature of Volt Typhoon's tactics continues to pose significant challenges for cybersecurity efforts worldwide.

Technical Characteristics

Volt Typhoon, also known as Insidious Taurus, exhibits sophisticated tactics and techniques typical of a state-sponsored advanced persistent threat (APT) group. A key technical characteristic of Volt Typhoon is its use of living-off-the-land techniques, which involve utilizing built-in network administration tools for malicious purposes. This approach allows the group to evade detection by mimicking legitimate network activity, making it difficult for security systems to differentiate between benign and malicious operations.

The group is adept at pre-compromise reconnaissance and is known to exploit both known and zero-day vulnerabilities in public-facing network appliances to gain initial access. One such vulnerability that was exploited by Volt Typhoon was the Zoho ManageEngine ADSelfService Plus vulnerability (CVE-2021-40539) in late 2021. Once inside the target environment, the group focuses on obtaining administrator credentials to further its objectives. Volt Typhoon employs a variety of custom and open-source tools to maintain persistence and facilitate data exfiltration. Notable tools include SockDetour, a custom backdoor designed to act as a backup should the primary backdoor be removed, and EarthWorm, a rarely used malware family. The group also customizes open-source tools such as Impacket and Fast Reverse Proxy to align with their operational needs.

The use of small office/home office (SOHO) network devices as intermediate infrastructure is another distinguishing feature of Volt Typhoon. By leveraging these devices, which often lack significant security protections and are rarely updated, the group can obscure its activity and create a covert data transfer network. This tactic, combined with hands-on keyboard activity instead of scripted automation, further complicates detection efforts.

Operations and Activities

Volt Typhoon, also known as Vault Typhoon, is an advanced persistent threat (APT) group that has been active since at least 2021, primarily targeting U.S. critical infrastructure. The group employs sophisticated stealth techniques known as living-off-the-land (LOTL), which involve using built-in system tools rather than deploying traditional malware, making detection significantly more challenging. Volt Typhoon’s activities have predominantly focused on communications infrastructure, particularly in strategically important locations such as Guam, which serves as a critical U.S. military hub.

The group typically gains initial access through compromised network devices, particularly Fortinet appliances. By exploiting these devices, Volt Typhoon extracts credentials and uses proxy devices such as SOHO routers and firewalls to maintain stealthy access. Once inside the target network, the group avoids using malware, instead relying on command-line tools like PowerShell and Windows Management Instrumentation (WMIC) for system discovery and credential theft. This approach allows them to exfiltrate data while minimizing detection risk.

Volt Typhoon has also demonstrated the ability to compromise Cisco RV320/325 devices, with reports indicating that up to 30% of these devices were impacted over a period of 37 days. The group uses these compromised devices to transfer stolen data or establish connections with target networks, further complicating detection efforts.

The strategic objectives of Volt Typhoon include pre-positioning within infrastructure systems to enable potential destructive attacks should tensions between China and the U.S. escalate. This long-term positioning highlights the group’s focus on cyber espionage and maintaining access to critical infrastructure sectors, including Communications, Energy, Transportation Systems, and Water and Wastewater Systems. In addition to targeting the United States, there is concern that similar activities could affect Canada, Australia, and New Zealand due to cross-border integration and vulnerabilities. The Cybersecurity and Infrastructure Security Agency (CISA), along with other U.S. agencies, have released advisories emphasizing the need for robust cybersecurity measures to counteract the potential threat posed by Volt Typhoon.

Motivations and Objectives

Volt Typhoon, a state-sponsored cyber actor linked to the People's Republic of China (PRC), exhibits motivations and objectives distinct from traditional cyber espionage or intelligence gathering operations. The group's primary aim appears to be the pre-positioning within IT networks to potentially launch disruptive or destructive cyberattacks against U.S. critical infrastructure during a significant crisis or conflict with the United States. This strategic infiltration is targeted at sectors such as Communications, Energy, Transportation Systems, and Water and Wastewater Systems within the continental and non-continental United States, including territories like Guam.

Volt Typhoon's activities extend beyond U.S. borders, potentially affecting allied nations like Canada, Australia, and New Zealand due to cross-border integration and shared critical infrastructure vulnerabilities. The PRC state-sponsored actors' objectives align with geopolitical interests, seeking to exert influence and maintain strategic advantages by compromising essential infrastructure that could be pivotal during geopolitical tensions or military conflicts.

Moreover, Volt Typhoon employs sophisticated techniques such as living off the land (LOTL), which enables long-term persistence within victim networks by utilizing legitimate tools and accounts to evade detection. The group conducts extensive reconnaissance and tailors its tactics, techniques, and procedures (TTPs) to fit the specific environment of their targets, showcasing a calculated approach to achieving their objectives. The long-term persistence and tailored operations reflect a commitment to maintaining access and understanding of the target environment over time, underlining their strategic goals.

Response and Mitigation

Governmental and Organizational Measures

The increased activity of the state-sponsored threat group Volt Typhoon, originating from the People's Republic of China, has prompted federal agencies such as the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) to issue urgent warnings and advisories to organizations that own and operate U.S. critical infrastructure. These advisories are a part of a collaborative effort with international partners including agencies from Australia, Canada, the United Kingdom, and New Zealand to mitigate potential threats from this advanced persistent threat (APT) group.

Recommended Security Practices

Tenable Security Response Team has thoroughly examined Volt Typhoon's tactics, techniques, and procedures (TTPs) and offered specific recommendations for state and local governments to address and mitigate vulnerabilities. Key recommendations include applying patches to known vulnerabilities and enhancing holistic exposure management capabilities. This includes the implementation of technologies like vulnerability management, web application security, cloud security, and identity security to address potential exposures and enhance incident response workflows.

Cyber Hygiene and Best Practices

Organizations are advised to adopt proactive exposure management measures to identify and mitigate potential vulnerabilities before they can be exploited. Effective cyber hygiene practices are critical in this regard and involve maintaining visibility over IT, internet of things (IoT), and operational technology (OT) assets. These practices are essential to ensure a robust defense against the persistent and sophisticated threat posed by Volt Typhoon.

Funding and Resources

To support these mitigation efforts, state and local government officials have access to funding opportunities such as the Fiscal Year 2024 State and Local Cybersecurity Grant Program (SLCGP). This funding can be instrumental in bolstering the cybersecurity resilience of critical infrastructure and ensuring the continuity of essential services to communities.

Global Implications

Volt Typhoon's activities underscore significant global cybersecurity concerns, particularly regarding critical infrastructure. As a state-sponsored group allegedly backed by the People’s Republic of China (PRC), Volt Typhoon is part of a broader strategy to exploit digital vulnerabilities for geopolitical gains. This group's operations extend beyond mere cyber espionage, as they have been observed pre-positioning themselves within vital infrastructure systems, potentially setting the stage for future disruptive attacks if geopolitical tensions escalate.

The group's focus on U.S. critical infrastructure, including sectors such as communications, energy, and transportation, raises alarms about the potential global impact of such cyber activities. By exploiting unpatched vulnerabilities and employing living-off-the-land (LOTL) techniques, Volt Typhoon effectively evades detection and sustains prolonged access within targeted networks. This not only poses a direct threat to the affected nations but also to their allies and global partners who rely on shared infrastructure and intelligence.

Moreover, Volt Typhoon's sophisticated techniques illustrate a broader trend in state-sponsored cyber campaigns that prioritize stealth and persistence over rapid, overt attacks. This evolution in cyber warfare complicates traditional defense mechanisms and necessitates international cooperation to devise comprehensive cybersecurity strategies. Global efforts to address these threats include enhancing information sharing among nations, adopting uniform cybersecurity standards, and increasing investments in cybersecurity infrastructure.

The activities of Volt Typhoon, alongside other similar APT groups, signify a shift in the nature of cyber threats from isolated incidents to sustained campaigns with potential global ramifications. As such, the international community must remain vigilant and proactive in combating these threats to safeguard not only national interests but also the stability of global networks and infrastructure.

Related Advanced Persistent Threats

Volt Typhoon is part of a broader landscape of Advanced Persistent Threat (APT) groups that are aligned with the geopolitical objectives of the People’s Republic of China (PRC). Alongside Volt Typhoon, other significant APT groups include Salt Typhoon, Flax Typhoon, and Velvet Ant. Each of these groups employs unique strategies, but they share a common focus on cyber espionage and targeting critical infrastructure.

Salt Typhoon

Salt Typhoon is another PRC state-sponsored actor that has gained notoriety for its sophisticated cyber operations. Like Volt Typhoon, Salt Typhoon targets critical infrastructure and employs techniques that align with China's strategic interests. While specific details about their operational tactics remain less publicized, their activities contribute to the broader PRC cyber threat landscape.

Flax Typhoon

Flax Typhoon focuses on network infiltration and data exfiltration, often targeting sectors that are crucial to national security. This APT group shares similarities with Volt Typhoon in terms of stealth and persistence, leveraging similar techniques to maintain access within compromised networks. Their operations underline the continuous threat posed by PRC-sponsored cyber activities.

Velvet Ant

Velvet Ant is distinguished by its focus on high-value espionage targets. This group, like its counterparts, is believed to be aligned with China's strategic goals, particularly in gathering intelligence and destabilizing adversary networks. The group's technical capabilities and focus on stealth operations contribute to its classification as a significant threat actor.

The activities of these groups underscore the persistent and evolving nature of cyber threats from state-sponsored actors, highlighting the importance of comprehensive cybersecurity measures to protect critical infrastructure.

Diagram: Volt Typhoon Operations

Diagram: Global Cybersecurity Concerns

In conclusion, Volt Typhoon represents a significant and ongoing cyber threat, necessitating vigilant and coordinated global cybersecurity efforts.