The PolySwarm Blog


Volt Typhoon Targets US Critical Infrastructure

Jun 5, 2023 2:07:00 PM / by The Hivemind

Verticals Targeted: Critical Infrastructure, Communications, Manufacturing, Utility, Transportation, Construction, Maritime, Government, Information Technology, Education

Executive Summary

Volt Typhoon was discovered targeting critical infrastructure entities in the US mainland and Guam. Volt Typhoon maintained stealth throughout this espionage campaign.

Key Takeaways

  • Volt Typhoon targeted critical infrastructure entities in the US mainland and Guam.
  • The group is a state-sponsored China nexus threat actor group with a focus on espionage.
  • Volt Typhoon maintained stealth during the campaign by using living-off-the-land techniques and hands-on keyboard activity.

The Campaign

Microsoft recently reported on Volt Typhoon activity targeting US critical infrastructure. Targets included critical infrastructure entities in the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education verticals. The targets were located in the mainland US as well as Guam. The US Navy was reportedly one of the entities affected by these attacks. CISA issued an alert related to this activity.

The threat actors gained initial access to the target environment via internet-facing Fortinet and FortiGuard devices. Microsoft noted that Volt Typhoon appeared intent on remaining undetected for as long as possible and behaved in ways that indicated espionage was their objective.

The threat actors leveraged both living-off-the-land techniques and hands-on keyboard activity. Volt Typhoon used the command line to collect data and credentials, to archive the data and stage it for exfiltration, and to use the stolen credentials for stealthy persistence. While they primarily used valid credentials to access compromised systems, in some instances Volt Typhoon created proxies on compromised systems to facilitate access using the netsh portproxy command.
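Because netsh portproxy rules persist across reboots and are easy to overlook, defenders hunting for this technique should inventory them on every Windows host. The following added example (not code from the original post or from PolySwarm) parses the output of "netsh interface portproxy show all" into structured rules and flags any rule not on an explicit allowlist; the sample output and addresses are constructed for illustration.

```python
import re
import subprocess
from dataclasses import dataclass

# Constructed sample in the layout printed by `netsh interface portproxy show all`
# (addresses and ports are made up; the second section is deliberately empty).
SAMPLE_OUTPUT = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         8443        203.0.113.10    443
127.0.0.1       3389        127.0.0.1       3390

Listen on ipv4:             Connect to ipv6:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
"""

SECTION_RE = re.compile(r"Listen on (ipv[46]):\s+Connect to (ipv[46]):")
LOOPBACK = {"127.0.0.1", "::1"}
ANY_ADDR = {"0.0.0.0", "::", "*"}


@dataclass(frozen=True)
class PortProxyRule:
    listen_family: str
    listen_addr: str
    listen_port: int
    connect_family: str
    connect_addr: str
    connect_port: int


def parse_portproxy(text):
    """Turn netsh portproxy output into PortProxyRule objects (one per data row)."""
    rules, listen_family, connect_family = [], None, None
    for line in text.splitlines():
        match = SECTION_RE.match(line.strip())
        if match:                      # section header tells us the address families
            listen_family, connect_family = match.groups()
            continue
        parts = line.split()
        # Data rows have exactly four tokens with numeric port columns; the column
        # header and the dashed separator fail this test and are skipped.
        if listen_family and len(parts) == 4 and parts[1].isdigit() and parts[3].isdigit():
            rules.append(PortProxyRule(listen_family, parts[0], int(parts[1]),
                                       connect_family, parts[2], int(parts[3])))
    return rules


def external_pivot(rule):
    """True when the rule listens on all interfaces and forwards off-host: the classic relay shape."""
    return rule.listen_addr in ANY_ADDR and rule.connect_addr not in LOOPBACK


def flag_rules(rules, allowlist=frozenset()):
    """Return every rule not explicitly allowlisted as (listen_addr, listen_port, connect_addr, connect_port)."""
    return [r for r in rules
            if (r.listen_addr, r.listen_port, r.connect_addr, r.connect_port) not in allowlist]


def live_rules():
    """Collect rules from the local host (Windows only; requires netsh on PATH)."""
    out = subprocess.run(["netsh", "interface", "portproxy", "show", "all"],
                         capture_output=True, text=True, check=True).stdout
    return parse_portproxy(out)


if __name__ == "__main__":
    for rule in flag_rules(parse_portproxy(SAMPLE_OUTPUT)):
        print(("PIVOT " if external_pivot(rule) else "REVIEW ") + str(rule))
```

On a fleet, run live_rules() through your endpoint tooling and alert on any non-empty result; most workstations and servers should have no portproxy rules at all.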

Volt Typhoon attempted to blend into normal network activity, using compromised small office and home office (SOHO) network equipment, such as routers, firewalls, and VPN hardware. This allowed them to maintain a low profile and also saved on the cost of acquiring infrastructure to use for the attacks. They also used custom versions of open-source tools to conduct C2 over proxy.

Who is Volt Typhoon?

Volt Typhoon, also known as Bronze Silhouette, is an espionage-focused China nexus state-sponsored threat actor group. The group has been active since at least 2021. Volt Typhoon is known to use LOLBins and web shells in many of their attacks. The industry has very little information on Volt Typhoon at this time.

IOCs

PolySwarm has multiple samples associated with this activity.


You can use the following CLI command to search for all related samples in our portal:

$ polyswarm link list -f VoltTyphoon


Topics: US, Critical Infrastructure, China, Energy, Volt Typhoon, Guam
