The Campaign
Microsoft recently reported on Volt Typhoon activity targeting US critical infrastructure. Targets included critical infrastructure entities in the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education verticals. The targets were located in the mainland US as well as Guam. The US Navy was reportedly one of the entities affected by these attacks. CISA issued an alert related to this activity.
The threat actors gained initial access to the target environment via internet-facing Fortinet and FortiGuard devices. Microsoft noted that Volt Typhoon appeared intent on remaining undetected for as long as possible and behaved in ways that indicated espionage was the goal.
The threat actors leveraged both living-off-the-land techniques and hands-on-keyboard activity. Volt Typhoon used the command line to collect data and credentials, archive the data and stage it for exfiltration, and then use the stolen credentials for stealthy persistence. While they primarily used valid credentials to access compromised systems, in some instances Volt Typhoon created proxies on compromised systems to facilitate access, using the netsh portproxy command.
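Added example, not part of the original report or of PolySwarm's tooling: a Python checker that parses the text printed by `netsh interface portproxy show all` and flags forwarding rules of the kind described above (a listener on every interface, or a target off the host). The sample output and the hostname `relay.corp.invalid` are constructed.

```python
import ipaddress
import re

# Constructed sample of `netsh interface portproxy show all` output; it is not
# captured from a real host. Rules one and three are the shape worth reviewing.
SAMPLE_NETSH_OUTPUT = """\
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         8443        192.0.2.10      443
127.0.0.1       5985        127.0.0.1       5986
0.0.0.0         443         relay.corp.invalid  443
"""

# address, port, address, port; header and separator lines never match
# because their "port" columns are not digits.
ENTRY_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)$")

def parse_portproxy(output):
    """Return one dict per forwarding rule found in the netsh output."""
    rules = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            rules.append({"listen_addr": m.group(1), "listen_port": int(m.group(2)),
                          "connect_addr": m.group(3), "connect_port": int(m.group(4))})
    return rules

def review_rule(rule):
    """Return the reasons a rule deserves analyst attention (empty = looks local)."""
    reasons = []
    if rule["listen_addr"] in ("0.0.0.0", "*"):
        reasons.append("listener bound to all interfaces")
    try:
        if not ipaddress.ip_address(rule["connect_addr"]).is_loopback:
            reasons.append("forwards traffic off the host")
    except ValueError:  # netsh accepts hostnames, resolved at connect time
        reasons.append("target is a hostname, not an address")
    return reasons

def suspicious_rules(output):
    """Pair each flagged rule with its reasons."""
    flagged = []
    for rule in parse_portproxy(output):
        why = review_rule(rule)
        if why:
            flagged.append((rule, why))
    return flagged

if __name__ == "__main__":
    for rule, why in suspicious_rules(SAMPLE_NETSH_OUTPUT):
        print(f"{rule['listen_addr']}:{rule['listen_port']} -> "
              f"{rule['connect_addr']}:{rule['connect_port']}: {'; '.join(why)}")
```

Run it against the real output of `netsh interface portproxy show all` (or the `HKLM\SYSTEM\CurrentControlSet\Services\PortProxy` registry keys it reflects) and compare any flagged rule against the host's documented purpose.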
Volt Typhoon attempted to blend into normal network activity, using compromised small office and home office (SOHO) network equipment, such as routers, firewalls, and VPN hardware. This allowed them to maintain a low profile and also saved on the cost of acquiring infrastructure to use for the attacks. They also used custom versions of open-source tools to conduct C2 over proxy.
Who is Volt Typhoon?
Volt Typhoon, also known as Bronze Silhouette, is an espionage-focused, China-nexus state-sponsored threat actor group. The group has been active since at least 2021. Volt Typhoon is known to use LOLBins and web shells in many of their attacks. The industry has very little information on Volt Typhoon at this time.
IOCs
PolySwarm has multiple samples associated with this activity.
You can use the following CLI command to search for all related samples in our portal:
$ polyswarm link list -f VoltTyphoon