Resources | Picus Security

Volt Typhoon Explained: Living Off the Land Tactics for Cyber Espionage

Written by Picus Labs | Dec 23, 2024 12:13:28 PM

Volt Typhoon, also known as Bronze Silhouette and Vanguard Panda, is a prominent advanced persistent threat actor within the global cybersecurity domain. This group is widely believed to be state-sponsored, with strong ties to Chinese cyber operations. Volt Typhoon has gained notoriety for its sophisticated cyber espionage campaigns, which have targeted critical infrastructure sectors, particularly in the United States. The group's activities reflect the ongoing geopolitical tensions and the strategic importance of cybersecurity in national defense.

Volt Typhoon has been implicated in targeting U.S.-based critical infrastructure entities, highlighting the potential for significant disruption and damage. Their state-sponsored backing, coupled with their sophisticated TTPs, positions them as a formidable adversary in the cyber threat landscape.

This blog explains the intricate operations of Volt Typhoon, examining their methodologies, the tools they employ, and the specific industries they target. By analyzing real-world incidents and leveraging insights from various threat intelligence reports, we provide a comprehensive understanding of Volt Typhoon's impact on global cybersecurity. 

Who is Volt Typhoon APT Group?

Emerging as a prominent player in the cyber espionage space, Volt Typhoon is widely recognized for its alignment with Chinese state-sponsored activities. This affiliation is a good indicator of its primary motivation: geopolitical espionage, particularly targeting critical infrastructure and sensitive information to advance national interests.

Origin and Affiliations

Volt Typhoon first gained attention as part of a broader wave of Chinese APT campaigns, which also includes groups like Salt Typhoon and Flax Typhoon. These groups have been instrumental in executing state-sponsored cyber operations. Volt Typhoon has been linked to the Chinese government, suggesting a direct line to state-driven cyber objectives.

Evolution and Campaigns

Volt Typhoon is known for its adaptive strategies and expanding target scope. Initially, the group focused on exploiting vulnerabilities in critical infrastructure organizations. Volt Typhoon has consistently targeted US-based entities, leveraging its expertise to infiltrate and gather intelligence. Over time, the group has refined its techniques, incorporating advanced methods such as the abuse of Living-off-the-Land Binaries (LOLBins) to evade detection [1].

The APT group is also resilient against major disruptions. For instance, following an FBI disruption of their malware botnet, Volt Typhoon swiftly rebuilt its infrastructure [2]. The group's ability to recover and continue operations highlights the group's commitment to its objectives and its capacity to sustain prolonged campaigns. Its evolution from early campaigns to recent operations showcases a trajectory of increasing sophistication and resilience.

Notable Characteristics

Volt Typhoon distinguishes itself from other threat actors through its sophisticated use of adversary techniques. The group's operations are characterized by a high degree of stealth and persistence, often employing tactics that blend seamlessly into normal network traffic. This approach makes detection challenging and requires defenders to implement advanced threat hunting and monitoring strategies.

Furthermore, Volt Typhoon's strategic targeting of critical infrastructure aligns with its geopolitical motivations. By focusing on sectors that are vital to national security and economic stability, the group aims to gather intelligence that can provide a strategic advantage to its state sponsors.

Notable Cyber Incidents & Victimology of Volt Typhoon Threat Group

Volt Typhoon has been involved in several high-profile cyber incidents that have targeted critical infrastructure and sensitive data worldwide. This section delves into some of the most significant attacks attributed to Volt Typhoon, highlighting their objectives, methodologies, and impacts.

U.S. Critical Infrastructure Targeting (2023)

In 2023, Volt Typhoon emerged as a significant threat actor targeting U.S. critical infrastructure [3]. Their activities were focused on sectors pivotal to national security and daily operations, including energy, telecommunications, and transportation. By targeting these sectors, Volt Typhoon aimed to gather intelligence that could provide strategic advantages in geopolitical contexts.

To gain initial access, Volt Typhoon exploited known vulnerabilities in publicly exposed systems and employed spear-phishing campaigns to deceive victims into revealing credentials or downloading malicious payloads. Once inside the targeted networks, the group demonstrated a sophisticated understanding of defensive mechanisms by leveraging Living-Off-the-Land Binaries (LOLBins). These binaries are legitimate tools, such as PowerShell, that are native to operating systems. By utilizing them for malicious purposes, Volt Typhoon effectively concealed their activities within normal network traffic, complicating detection efforts by traditional security tools.

A hallmark of Volt Typhoon's operations was their use of self-signed certificates. These certificates, such as one identified as "jdyfj," allowed them to establish secure communication channels with their command-and-control (C2) servers while evading monitoring systems. 

The impact of these attacks extended beyond the immediate compromise of critical infrastructure. By infiltrating organizations responsible for essential services, Volt Typhoon exposed systemic vulnerabilities that could potentially disrupt operations on a national scale. This posed risks not only to the affected organizations but also to broader economic stability and public safety. The stolen intelligence could be leveraged for strategic purposes, such as understanding the vulnerabilities of U.S. infrastructure or preparing for future disruptive activities.

Espionage Campaigns in Asia-Pacific (2024)

In 2024, Volt Typhoon significantly expanded its cyber operations to target entities in the Asia-Pacific region. This espionage campaign demonstrated the group's growing ambition and sophistication as it sought to acquire valuable political and economic intelligence from government and private sector organizations in the region. The primary objective of this campaign was to gather sensitive information that could be leveraged to shape foreign policy and influence economic negotiations, particularly those involving China's strategic interests in the region.

Volt Typhoon's activities in Asia-Pacific involved advanced cyber tactics, including the use of zero-day vulnerabilities, social engineering attacks, and the deployment of custom malware to infiltrate targeted networks. The campaign was marked by stealth, with Volt Typhoon using advanced obfuscation techniques to avoid detection. Their operations were tailored to each target, indicating a highly adaptable and focused approach.

One of the primary targets of this campaign was a variety of governmental institutions, including ministries of defense, foreign affairs, and economic departments. These organizations often hold sensitive information crucial to understanding the political dynamics and economic strategies of different nations. By compromising these entities, Volt Typhoon sought to gain insight into the inner workings of governments, potentially acquiring classified documents, communications, and strategic plans that could provide a geopolitical advantage.

Additionally, Volt Typhoon targeted private sector companies in the Asia-Pacific region, especially those involved in critical industries such as telecommunications, energy, and technology. These sectors are vital not only to national economies but also to global supply chains, making them highly attractive for espionage. Volt Typhoon's attacks in this domain were aimed at stealing intellectual property, proprietary data, and trade secrets, which could be used to benefit state-sponsored industries or disrupt competitors.

The group's use of advanced tools like custom malware and backdoors allowed them to exfiltrate large volumes of data over extended periods, often without triggering security alarms. By establishing persistence in compromised networks, Volt Typhoon could monitor communications, track economic trends, and access sensitive discussions that could influence China's geopolitical goals. This focus on data exfiltration and espionage underscores the broader, strategic nature of Volt Typhoon's activities, which are often aimed at long-term intelligence gathering rather than immediate disruption.

Malware Botnet Reconstruction (2024)

In 2024, one of the more striking examples of Volt Typhoon's persistence and adaptability in cyber operations came when the U.S. government successfully disrupted one of its malware botnets [4]. This botnet had been used by Volt Typhoon to conceal their activities, particularly their targeted attacks on critical infrastructure. The malware was designed to infiltrate and compromise small office and home office (SOHO) routers, which are commonly used by businesses and individuals for internet access. These devices were repurposed to serve as backdoors into larger networks, allowing the group to remain undetected while infiltrating sensitive systems.

The disruption of this botnet was a significant blow to Volt Typhoon, but it was not a fatal one. Despite the setback, the group quickly demonstrated its resilience by rebuilding its malware infrastructure. They re-established control over compromised networks, continuing their campaign with minimal disruption. Volt Typhoon utilized encrypted communications and decentralized infrastructure to bypass detection, a strategy that made it much harder for cybersecurity teams to trace and neutralize their efforts. The rapid reconstruction of the botnet shows the difficulty in defending against such persistent and resourceful adversaries. Even after a disruption, the group's ability to swiftly recover and resume operations demonstrated the importance of continuous monitoring and adaptive defense strategies.

Analyzing Volt Typhoon's Advanced Tactics, Techniques, and Procedures

Volt Typhoon has been observed employing a range of adversary tactics and techniques. This section provides a comprehensive overview of these TTPs, highlighting how Volt Typhoon operates across various stages of the cyber attack lifecycle. 

Initial Access - TA0001

Technique: Valid Accounts (T1078)

This approach allows the threat actor to bypass many security controls that typically protect networks by focusing on credential-based access rather than exploiting software vulnerabilities. By using valid credentials, Volt Typhoon can infiltrate systems undetected, as the activity appears to be coming from legitimate, trusted users.

The process begins with Volt Typhoon either acquiring or guessing valid credentials for users within the target organization. These credentials may be harvested through various methods, with phishing campaigns being one of the most common. In such attacks, the group may employ spear-phishing emails that trick users into disclosing their login credentials. The emails might contain links to fraudulent login pages or attachments that deploy malware when opened. These pages are designed to look like legitimate login interfaces for commonly used services, such as email or VPN portals, which increases the likelihood of users entering their credentials.

Execution - TA0002

Technique: Command and Scripting Interpreter (T1059)

This technique involves the use of built-in command-line tools such as PowerShell on Windows systems and Bash on Linux-based systems, both of which are trusted by security solutions. These tools provide the attackers with a powerful means of interacting with and controlling the target system without triggering traditional security defenses.

PowerShell is often favored by adversaries like Volt Typhoon due to its wide presence on Windows environments and its extensive capabilities for automating system administration tasks. PowerShell can be used to execute malicious scripts directly, often relying on base commands that are native to the operating system.

A key strategy utilized by Volt Typhoon when executing commands is the use of Living off the Land Binaries(LOLBins). LOLBins are legitimate, pre-installed binaries and scripts that are available in the operating system or other software, which can be weaponized by attackers to execute malicious actions without needing to drop additional malware onto the system. Since these binaries are already trusted and commonly used for legitimate administrative purposes, they often evade detection by traditional antivirus or endpoint protection solutions.

Persistence - TA0003

Technique: Scheduled Task/Job (T1053)

This technique involves creating scheduled tasks or cron jobs that ensure the attacker's malicious payloads are executed at regular intervals or during system reboots. By leveraging legitimate task scheduling mechanisms in both Windows and Unix-like operating systems, Volt Typhoon is able to establish a foothold that survives even after the system restarts, making it more difficult for defenders to remove the malicious presence from the network.

Privilege Escalation - TA0004

Technique: Exploitation for Privilege Escalation (T1068)

Privilege escalation allows attackers to move beyond their initial low-level access and gain higher levels of control over systems, often achieving administrative or root privileges. This enables attackers to execute privileged commands, alter system configurations, and access sensitive data, thereby broadening their control and the scope of their attack.

Volt Typhoon typically exploits unpatched software vulnerabilities that grant attackers elevated privileges, often using exploits that are already publicly known. These vulnerabilities can reside in operating systems, applications, or services that are running outdated or unpatched versions. Since organizations may delay patching or fail to apply security updates, these unpatched systems become vulnerable targets for attackers seeking to escalate their access.

Defense Evasion - TA0005

Technique: Obfuscated Files or Information (T1027)

Volt Typhoon leverages multiple obfuscation strategies that exploit the inherent trust placed in legitimate processes and the challenges of analyzing encoded or encrypted content. One common approach involves encoding scripts using techniques such as Base64. For instance, PowerShell scripts, often used in Living off the Land (LotL) attacks, can be encoded into Base64 format. This technique conceals the script's plaintext commands, making it difficult for signature-based security tools to identify the script's malicious intent. Decoding these scripts requires deliberate analysis or execution, which is not always feasible in automated security pipelines.

Another method employed by Volt Typhoon involves the use of encrypted payloads. By encrypting malicious binaries or script content, attackers render their payloads unreadable without the correct decryption key. Encrypted payloads are typically delivered to the target system and decrypted at runtime using keys embedded within the attack chain. This strategy is particularly effective because static analysis tools cannot analyze the encrypted content, and runtime decryption only occurs after the payload has bypassed initial defenses.

Volt Typhoon also employs string obfuscation within scripts and binaries to evade detection during both runtime and analysis. Strings containing commands, URLs, or indicators of compromise (IOCs) are often obfuscated using substitution, encoding, or dynamic generation techniques. For instance, command strings may be broken into fragments and concatenated at runtime, or they might be stored as hexadecimal values that are decoded during execution. These techniques prevent static analysis tools from identifying the commands and thwart analysts attempting to trace the script's functionality.

Credential Access - TA0006

Technique: Credential Dumping (T1003)

Volt Typhoon uses credential dumping to collect credentials from various sources on Windows systems. One of the most notable tools used in this technique is Mimikatz, an open-source tool capable of extracting plaintext passwords, hashed credentials, and Kerberos tickets from memory. Mimikatz exploits the way Windows handles authentication, leveraging access to the Local Security Authority Subsystem Service (LSASS) process to retrieve stored credentials. For example, if an attacker gains administrative access to a system, they can execute Mimikatz to extract credentials stored in LSASS, including those of privileged accounts such as domain administrators.

Another method involves extracting credentials from the Windows Security Account Manager (SAM) database. The SAM file contains hashed passwords for local user accounts and can be accessed if an attacker has sufficient privileges. Tools such as pwdump or scripts leveraging Windows APIs can be used to extract these hashes, which can then be cracked offline using password-cracking tools like Hashcat. A related vector involves leveraging the NTDS.dit file on domain controllers, which contains Active Directory credentials. By dumping this file, attackers can harvest domain-wide account credentials, granting them extensive access to the environment.

Volt Typhoon may also employ techniques to extract credentials from the Windows registry, specifically targeting keys such as HKLM\SYSTEM\CurrentControlSet\Services\Credential Manager. These keys store cached credentials, which can be decrypted and used to access systems or applications. Additionally, attackers may target applications like browsers and password managers that store cached credentials for convenience. By accessing these applications' data stores, attackers can harvest credentials for external accounts or services.

Discovery - TA0007

Technique: Network Service Scanning (T1046)

Volt Typhoon conducts network service scanning to identify active services and open ports within a target network. By gathering detailed information about the network's architecture and its services, Volt Typhoon can strategically plan its lateral movement, privilege escalation, and exploitation activities.

Lateral Movement - TA0008

Technique: Remote Services (T1021)

Remote services such as Remote Desktop Protocol (RDP) and Secure Shell (SSH) are critical tools for lateral movement in Volt Typhoon's operational strategies. By exploiting these services, the group can move across a compromised network, expand their control, and further entrench themselves within the environment. Their use of valid credentials to authenticate into remote systems allows them to blend in with legitimate traffic, complicating detection efforts and giving them the ability to operate under the radar.

Volt Typhoon may gain access to RDP sessions by exploiting weak or reused credentials. For instance, attackers may obtain RDP credentials via credential dumping tools like Mimikatz, phishing campaigns, or brute-force attacks. Once they have access, they can establish a connection to remote systems using tools like the native Windows RDP client (mstsc.exe) or command-line utilities such as rdesktop. These sessions provide them with graphical access to target systems, allowing them to perform administrative actions, deploy tools, and conduct reconnaissance as if they were legitimate users.

Collection - TA0009

Technique: Data from Local System (T1005)

Volt Typhoon collects data from local systems to gather and exfiltrate sensitive information from compromised machines. This activity is a core aspect of their operations, enabling them to extract valuable intelligence such as documents, emails, configuration files, and other locally stored data. By automating the collection process, Volt Typhoon can efficiently gather large volumes of information, which can then be used for espionage or other malicious purposes.

The collection process typically begins after the group has established access to a system. Using tools such as command-line utilities, custom scripts, or legitimate applications available on the target machine, they search for files of interest. The choice of tools and methods often reflects their adherence to Living off the Land (LotL) techniques, which leverage pre-installed utilities to reduce the risk of detection.

For example, Volt Typhoon uses PowerShell to search for and collect files matching specific criteria, such as those with extensions .docx, .xlsx, .pdf, or .pst. A simple script using PowerShell's Get-ChildItem cmdlet can recursively search directories for files with these extensions, which are then staged for exfiltration. Similarly, Unix-based systems might see attackers using native commands like find or grep to locate and collect sensitive data.

Exfiltration - TA0010

Technique: Exfiltration Over C2 Channel (T1041)

Volt Typhoon employs exfiltration over command and control (C2) channels as a core technique for transferring stolen data from compromised environments to their own infrastructure. This method ensures that data is exfiltrated discreetly, leveraging the same encrypted communication channels used for maintaining control over compromised systems. This approach minimizes the risk of detection by traditional network monitoring tools, which often struggle to distinguish malicious traffic from legitimate encrypted traffic.

The process begins once Volt Typhoon has collected the desired data, typically by leveraging techniques like local file collection or data staging. The collected data is often compressed and encrypted, ensuring its confidentiality and reducing its size for more efficient transfer. Tools like 7-Zip or custom encryption scripts may be used to prepare the data before exfiltration.

The attackers then use their established C2 infrastructure, which may include compromised servers, legitimate cloud services, or domain fronting techniques, to transmit the data. For instance, Volt Typhoon might utilize HTTPS-based C2 channels, embedding the exfiltration traffic within encrypted web requests. This tactic blends malicious activity with normal web browsing or API communication, evading detection by intrusion detection systems (IDS) or data loss prevention (DLP) tools.

Command and Control - TA0011

Technique: Application Layer Protocol (T1071)

Volt Typhoon uses application layer protocols such as HTTP, HTTPS, and DNS for command and control (C2) communications, leveraging their ubiquity and inherent trust in network environments. These protocols are essential for normal internet operations, making them less likely to be blocked by firewalls or flagged by network monitoring tools. This technique allows the group to maintain persistent communication with compromised systems, execute commands, and exfiltrate data while blending into legitimate traffic.

HTTP and HTTPS are particularly favored for their flexibility and wide acceptance. By embedding commands and responses within HTTP requests and responses or by encrypting their communications over HTTPS, Volt Typhoon can evade many traditional security measures. For example, they use an HTTPS POST request to send data or a GET request to retrieve additional payloads or commands. Since HTTPS encrypts traffic end-to-end, it prevents intrusion detection systems (IDS) from inspecting the contents of the traffic unless decryption is applied. Additionally, by using legitimate domain names or domain fronting, their activities become even harder to identify.

DNS is another protocol exploited by Volt Typhoon for C2 purposes. DNS tunneling, a method of encoding data within DNS queries and responses, is a common tactic. Attackers can embed commands, exfiltrated data, or even entire payloads within the alphanumeric structure of DNS records. Since DNS is critical for name resolution in networks, it is rarely blocked or deeply inspected, making it an ideal channel for covert communication.

Impact - TA0040

Technique: Data Destruction (T1485)

Data destruction is one of the more destructive tactics employed by adversaries like Volt Typhoon. This tactic serves dual purposes: it can severely disrupt the operations of the targeted organization and obscure the attacker's trail by erasing evidence of their activities. Volt Typhoon's application of data destruction reflects their strategic intent, which could range from creating chaos to hindering forensic investigations.

One approach involves deleting or overwriting critical files, rendering them unrecoverable. They target databases, configuration files, or backups that are essential to the victim's operations. By overwriting data with random bytes or specific patterns, attackers can ensure that even advanced recovery techniques cannot restore lost information. 

Another method involves formatting drives or partitions, effectively removing all data stored on them. For example, adversaries can use native commands like format in Windows environments or mkfs in Linux systems to erase and reinitialize the file system. This method is particularly devastating as it not only destroys active files but also eliminates the file system structure itself, complicating recovery efforts.

Mitigation And Defense Strategies

The CISA, in collaboration with the FBI and the NSA, has issued guidance to mitigate cyber threats posed by Volt Typhoon, a state-sponsored actor affiliated with the People's Republic of China.

Key recommendations include:

Enhanced Network Visibility and Monitoring

  • Implement Out-of-Band Management: Utilize a physically separate management network to prevent unauthorized access and lateral movement within operational networks. 

  • Strict Access Control Lists (ACLs): Adopt a default-deny ACL strategy to regulate inbound and outbound traffic, ensuring all denied traffic is logged for analysis. 

Network Segmentation and Defense-in-Depth

  • Employ Strong Network Segmentation: Use router ACLs, stateful packet inspection, firewalls, and demilitarized zones (DMZs) to isolate different device groups and services, reducing the attack surface. 

  • Isolate Externally Facing Services: Place services like DNS, web servers, and mail servers in a DMZ to separate them from internal networks and backend resources. 

Patch Management and System Hardening

  • Apply Patches for Internet-Facing Systems: Prioritize updating critical vulnerabilities, especially in appliances frequently targeted by threat actors.

  • Plan for Technology Lifecycle: Establish end-of-life plans for technologies beyond the manufacturer's supported lifecycle to ensure systems remain secure. 

Multi-Factor Authentication (MFA)

  • Implement Phishing-Resistant MFA: Deploy MFA solutions that are resistant to phishing attacks to enhance account security and prevent unauthorized access. 

Logging and Incident Response

  • Enable Comprehensive Logging: Ensure logging is active for application, access, and security events, and store logs centrally to facilitate monitoring and incident response. 

Adopt Secure by Design Principles

  • Incorporate Security in Development: Encourage software manufacturers to embed security throughout the development lifecycle to strengthen the overall security posture of their products. 

By implementing these strategies, organizations can bolster their defenses against sophisticated cyber threats like Volt Typhoon, safeguarding critical infrastructure and sensitive information.

Lessons Learned from Volt Typhoon: Effective Strategies for Defending Against APT Attacks

Volt Typhoon, also known by aliases such as Bronze Silhouette and Vanguard Panda, is primarily linked to Chinese state-sponsored cyber activities. This group has been active in targeting critical infrastructure, particularly in the United States. Their operations have not only disrupted services but have also raised concerns about national security, given the strategic importance of the targeted sectors.

Volt Typhoon's tactics, techniques, and procedures (TTPs) are well-documented and mapped to the MITRE ATT&CK framework, providing valuable insights into their operational methods. The group's behaviors include the use of living-off-the-land binaries (LOLBins) to evade detection, a strategy that complicates defensive measures. This approach allows them to blend into legitimate network activities, thereby reducing the likelihood of being detected by conventional security solutions. Understanding the evolving threat landscape and the specific TTPs employed by groups like Volt Typhoon is crucial for developing effective defense strategies. Organizations must prioritize threat intelligence and continuous monitoring to detect and mitigate potential threats before they can cause significant harm.

In conclusion, Volt Typhoon represents a persistent and evolving threat that requires constant vigilance and adaptation from cybersecurity professionals. By staying informed about their activities and continuously enhancing defensive capabilities, organizations can better protect themselves against the sophisticated attacks orchestrated by this threat actor. As the cyber threat landscape continues to evolve, maintaining a proactive and informed stance will be essential in safeguarding critical infrastructure and sensitive data from adversaries like Volt Typhoon.

References

[1] H. C. Yuceel, "Volt Typhoon: The Chinese APT Group Abuse LOLBins for Cyber Espionage," Jun. 01, 2023. Available: https://www.picussecurity.com/resource/blog/volt-typhoon-the-chinese-apt-group-abuse-lolbins-for-cyber-espionage

[2] B. Toulas, "Volt Typhoon rebuilds malware botnet following FBI disruption," BleepingComputer, Nov. 12, 2024. Available: https://www.bleepingcomputer.com/news/security/volt-typhoon-rebuilds-malware-botnet-following-fbi-disruption/

[3] M. T. Intelligence, "Volt Typhoon targets US critical infrastructure with living-off-the-land techniques," Microsoft Security Blog, May 24, 2023. Available: https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/

[4] "[No title]." Available: https://www.cyber.nj.gov/Home/Components/News/News/1510/214