
Volt Typhoon

Volt Typhoon is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021, primarily targeting critical infrastructure organizations in the US and its territories, including Guam. Volt Typhoon's targeting and pattern of behavior have been assessed as pre-positioning to enable lateral movement to operational technology (OT) assets for potential destructive or disruptive attacks. Volt Typhoon has emphasized stealth in operations, using web shells, living-off-the-land (LOTL) binaries, hands-on-keyboard activity, and stolen credentials.[1][2][3][4]

ID: G1017
Associated Groups: BRONZE SILHOUETTE, Vanguard Panda, DEV-0391, UNC3236, Voltzite, Insidious Taurus
Contributors: Phyo Paing Htun (ChiLai), I-Secure Co.,Ltd; Ai Kimura, NEC Corporation; Manikantan Srinivasan, NEC Corporation India; Pooja Natarajan, NEC Corporation India
Version: 2.0
Created: 27 July 2023
Last Modified: 21 May 2024

Associated Group Descriptions

Name Description
BRONZE SILHOUETTE [4][1]
Vanguard Panda [1]
DEV-0391 [1]
UNC3236 [1]
Voltzite [1]
Insidious Taurus [1]

Campaigns

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

Volt Typhoon has executed net user and quser to enumerate local account information.[1]

.002 Account Discovery: Domain Account

Volt Typhoon has run net group /dom and net group "Domain Admins" /dom in compromised environments for account discovery.[3][4]

Enterprise T1583 .003 Acquire Infrastructure: Virtual Private Server

KV Botnet Activity used acquired Virtual Private Servers as control systems for devices infected with KV Botnet malware.[5]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Versa Director Zero Day Exploitation established HTTPS communications from adversary-controlled SOHO devices over port 443 with compromised Versa Director servers.[7]

Enterprise T1010 Application Window Discovery

Volt Typhoon has collected window title information from compromised systems.[1]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Volt Typhoon has archived the ntds.dit database as a multi-volume password-protected archive with 7-Zip.[4][1]

Enterprise T1217 Browser Information Discovery

Volt Typhoon has targeted the browsing history of network administrators.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Volt Typhoon has used PowerShell including for remote system discovery.[2][3][1]

.003 Command and Scripting Interpreter: Windows Command Shell

Volt Typhoon has used the Windows command line to perform hands-on-keyboard activities in targeted environments including for discovery.[2][3][4][1]

.004 Command and Scripting Interpreter: Unix Shell

Volt Typhoon has used Brightmetricagent.exe, which contains a command-line interface (CLI) library that can leverage command shells including Z Shell (zsh).[1]

KV Botnet Activity utilizes multiple Bash scripts during botnet installation stages, and the final botnet payload allows for running commands in the Bash shell.[5]

Enterprise T1584 .003 Compromise Infrastructure: Virtual Private Server

Volt Typhoon has compromised Virtual Private Servers (VPS) to proxy C2 traffic.[1]

.004 Compromise Infrastructure: Server

Volt Typhoon has used compromised Paessler Router Traffic Grapher (PRTG) servers from other organizations for C2.[4][1]

.005 Compromise Infrastructure: Botnet

Volt Typhoon has used compromised Cisco and NETGEAR end-of-life SOHO routers implanted with KV Botnet malware to support operations.[1]

.008 Compromise Infrastructure: Network Devices

Volt Typhoon has compromised small office and home office (SOHO) network edge devices, many of which were located in the same geographic area as the victim, to proxy network traffic.[2][3]

Versa Director Zero Day Exploitation used compromised small office/home office (SOHO) devices to interact with vulnerable Versa Director servers.[7]

KV Botnet Activity focuses on compromise of small office-home office (SOHO) network devices to build the subsequent botnet.[5]

Enterprise T1555 Credentials from Password Stores

Volt Typhoon has attempted to obtain credentials from OpenSSH, realvnc, and PuTTY.[3]

.003 Credentials from Web Browsers

Volt Typhoon has targeted network administrator browser data including browsing history and stored credentials.[1]

Enterprise T1005 Data from Local System

Volt Typhoon has stolen files from a sensitive file server and the Active Directory database from targeted environments, and used Wevtutil to extract event log information.[3][4][1]

Enterprise T1074 Data Staged

Volt Typhoon has staged collected data in password-protected archives.[2]

.001 Local Data Staging

Volt Typhoon has saved stolen files including the ntds.dit database and the SYSTEM and SECURITY Registry hives locally to the C:\Windows\Temp\ directory.[3][4]

Enterprise T1587 .001 Develop Capabilities: Malware

Versa Director Zero Day Exploitation involved the development of a new web shell variant, VersaMem.[7]

.004 Develop Capabilities: Exploits

Volt Typhoon has exploited zero-day vulnerabilities for initial access.[1]

Enterprise T1006 Direct Volume Access

Volt Typhoon has executed the Windows-native vssadmin command to create volume shadow copies.[1]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Volt Typhoon has used a version of the Awen web shell that employed AES encryption and decryption for C2 communications.[4]

.002 Encrypted Channel: Asymmetric Cryptography

Versa Director Zero Day Exploitation used HTTPS for command and control of compromised Versa Director servers.[7]

Enterprise T1546 Event Triggered Execution

KV Botnet Activity involves managing events on victim systems via libevent to execute a callback function whenever any running process has one of the following strings in its path without also referencing bioset: busybox, wget, curl, tftp, telnetd, or lua. If the bioset string is not found, the related process is terminated.[5]

Enterprise T1190 Exploit Public-Facing Application

Volt Typhoon has gained initial access through exploitation of multiple vulnerabilities in internet-facing software and appliances such as Fortinet, Ivanti (formerly Pulse Secure), NETGEAR, Citrix, and Cisco.[4][1]

Versa Director Zero Day Exploitation involved exploitation of a vulnerability in Versa Director servers, since identified as CVE-2024-39717, for initial access and code execution.[7]

Enterprise T1068 Exploitation for Privilege Escalation

Volt Typhoon has gained initial access by exploiting privilege escalation vulnerabilities in the operating system or network services.[1]

Enterprise T1133 External Remote Services

Volt Typhoon has used VPNs to connect to victim environments and enable post-exploitation actions.[1]

Enterprise T1083 File and Directory Discovery

Volt Typhoon has enumerated directories containing vulnerability testing and cyber-related content, as well as facilities data such as construction drawings.[1]

KV Botnet Activity gathers a list of filenames from the following locations during execution of the final botnet stage: /usr/sbin/, /usr/bin/, /sbin/, /pfrm2.0/bin/, /usr/local/bin/.[5]

Enterprise T1222 .002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification

KV Botnet Activity altered permissions on downloaded tools and payloads to enable execution on victim machines.[5]

Enterprise T1592 Gather Victim Host Information

Volt Typhoon has conducted pre-compromise reconnaissance for victim host information.[1]

Enterprise T1589 Gather Victim Identity Information

Volt Typhoon has gathered victim identity information during pre-compromise reconnaissance.[1]

.002 Email Addresses

Volt Typhoon has targeted the personal emails of key network and IT staff at victim organizations.[1]

Enterprise T1590 Gather Victim Network Information

Volt Typhoon has conducted extensive pre-compromise reconnaissance to learn about the target organization’s network.[1]

.004 Network Topology

Volt Typhoon has conducted extensive reconnaissance of victim networks including identifying network topologies.[1]

.006 Network Security Appliances

Volt Typhoon has identified target network security measures as part of pre-compromise reconnaissance.[1]

Enterprise T1591 Gather Victim Org Information

Volt Typhoon has conducted extensive reconnaissance pre-compromise to gain information about the targeted organization.[1]

.004 Identify Roles

Volt Typhoon has identified key network and IT staff members pre-compromise at targeted organizations.[1]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

KV Botnet Activity used various scripts to remove or disable security tools, such as http_watchdog and firewallsd, as well as tools related to other botnet infections, such as mips_ff, on victim devices.[5]

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

Volt Typhoon has selectively cleared Windows Event Logs, system logs, and other technical artifacts to remove evidence of intrusion activity.[1]

.004 Indicator Removal: File Deletion

Volt Typhoon has run rd /S to delete their working directories and deleted systeminfo.dat from C:\Users\Public\Documentsfiles.[4][1]

KV Botnet Activity (https://attack.mitre.org/campaigns/C0035) removes on-disk copies of tools and other artifacts after the primary botnet payload has been loaded into memory on the victim device.[5]

.007 Indicator Removal: Clear Network Connection History and Configurations

Volt Typhoon has inspected server logs to remove their IPs.[4]

Enterprise T1105 Ingress Tool Transfer

Volt Typhoon has downloaded an outdated version of comsvcs.dll to a compromised domain controller in a non-standard folder.[1]

KV Botnet Activity included the use of scripts to download additional payloads when compromising network nodes.[5]

Enterprise T1056 .001 Input Capture: Keylogging

Volt Typhoon has created and accessed a file named rult3uil.log on compromised domain controllers to capture keypresses and command execution.[1]

Enterprise T1570 Lateral Tool Transfer

Volt Typhoon has copied web shells between servers in targeted environments.[4]

Enterprise T1654 Log Enumeration

Volt Typhoon has used wevtutil.exe and the PowerShell command Get-EventLog security to enumerate Windows logs to search for successful logons.[3][1]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

KV Botnet Activity installation steps include first identifying, then stopping, any process containing [kworker/0:1], then renaming its initial installation stage to this process name.[5]

.005 Masquerading: Match Legitimate Name or Location

Volt Typhoon has used legitimate looking filenames for compressed copies of the ntds.dit database and used names including cisco_up.exe, cl64.exe, vm3dservice.exe, watchdogd.exe, Win.exe, WmiPreSV.exe, and WmiPrvSE.exe for the Earthworm and Fast Reverse Proxy tools.[3][4][1]

.008 Masquerading: Masquerade File Type

Volt Typhoon has appended copies of the ntds.dit database with a .gif file extension.[4]

Enterprise T1112 Modify Registry

Volt Typhoon has used netsh to create a PortProxy Registry modification on a compromised server running the Paessler Router Traffic Grapher (PRTG).[1]

Enterprise T1046 Network Service Discovery

Volt Typhoon has used commercial tools, LOTL utilities, and appliances already present on the system for network service discovery.[1]

Enterprise T1095 Non-Application Layer Protocol

Versa Director Zero Day Exploitation used a non-standard TCP session to initialize communication prior to establishing HTTPS command and control.[7]

KV Botnet Activity command and control traffic uses a non-standard, likely custom protocol for communication.[5]

Enterprise T1571 Non-Standard Port

KV Botnet Activity generates a random port number greater than 30,000 to serve as the listener for subsequent command and control activity.[5]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Volt Typhoon has used the Ultimate Packer for Executables (UPX) to obfuscate the FRP client files BrightmetricAgent.exe and SMSvcService.exe and the port scanning utility ScanLine.[1]

Enterprise T1588 .002 Obtain Capabilities: Tool

Volt Typhoon has used legitimate network and forensic tools and customized versions of open-source tools for C2.[2][1]

.006 Obtain Capabilities: Vulnerabilities

Volt Typhoon has used publicly available exploit code for initial access.[1]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Volt Typhoon has attempted to access hashed credentials from the LSASS process memory space.[2][1]

.003 OS Credential Dumping: NTDS

Volt Typhoon has used ntdsutil to create domain controller installation media containing usernames and password hashes.[2][3][4][1]

Enterprise T1120 Peripheral Device Discovery

Volt Typhoon has obtained victim's screen dimension and display device information.[1]

Enterprise T1069 Permission Groups Discovery

Volt Typhoon has used commercial tools, LOTL utilities, and appliances already present on the system for group and user discovery.[1]

.001 Local Groups

Volt Typhoon has run net localgroup administrators in compromised environments to enumerate accounts.[3]

.002 Domain Groups

Volt Typhoon has run net group in compromised environments to discover domain groups.[4]

Enterprise T1057 Process Discovery

Volt Typhoon has enumerated running processes on targeted systems including through the use of Tasklist.[2][4][1]

Scripts associated with KV Botnet Activity initial deployment can identify processes related to security tools and other botnet families for follow-on disabling during installation.[5]

Enterprise T1055 .009 Process Injection: Proc Memory

KV Botnet Activity final payload installation includes mounting and binding to the /proc/ filepath on the victim system to enable subsequent operation in memory while also removing on-disk artifacts.[5]

Enterprise T1090 Proxy

Volt Typhoon has used compromised devices and customized versions of open source tools such as FRP (Fast Reverse Proxy), Earthworm, and Impacket to proxy network traffic.[2][3][1]

.001 Internal Proxy

Volt Typhoon has used the built-in netsh port proxy command to create proxies on compromised systems to facilitate access.[2][1]

.003 Multi-hop Proxy

Volt Typhoon has used multi-hop proxies for command-and-control infrastructure.[1]

Enterprise T1012 Query Registry

Volt Typhoon has queried the Registry on compromised systems (reg query hklm\software\) for information on installed software, including PuTTY.[3][1]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Volt Typhoon has moved laterally to the Domain Controller via RDP using a compromised account with domain administrator privileges.[1]

Enterprise T1018 Remote System Discovery

Volt Typhoon has used multiple methods, including Ping, to enumerate systems on compromised networks.[2][4]

Enterprise T1113 Screen Capture

Volt Typhoon has obtained a screenshot of the victim's system using the gdi32.dll and gdiplus.dll libraries.[1]

Enterprise T1596 .005 Search Open Technical Databases: Scan Databases

Volt Typhoon has used FOFA, Shodan, and Censys to search for exposed victim infrastructure.[1]

Enterprise T1593 Search Open Websites/Domains

Volt Typhoon has conducted pre-compromise web searches for victim information.[1]

Enterprise T1594 Search Victim-Owned Websites

Volt Typhoon has conducted pre-compromise reconnaissance on victim-owned sites.[1]

Enterprise T1505 .003 Server Software Component: Web Shell

Volt Typhoon has used webshells, including ones named AuditReport.jspx and iisstart.aspx, in compromised environments.[4]

Versa Director Zero Day Exploitation resulted in the deployment of the VersaMem web shell for follow-on activity.[7]

Enterprise T1518 Software Discovery

Volt Typhoon has queried the Registry on compromised systems for information on installed software.[3][1]

.001 Security Software Discovery

KV Botnet Activity involved removal of security tools, as well as other identified IoT malware, from compromised devices.[5]

Enterprise T1218 System Binary Proxy Execution

Volt Typhoon has used native tools and processes including living off the land binaries or "LOLBins" to maintain and expand access to the victim networks.[1]

Enterprise T1082 System Information Discovery

Volt Typhoon has discovered file system types, drive names, size, and free space on compromised systems.[2][3][4][1]

KV Botnet Activity includes use of native system tools, such as uname, to obtain information about victim device architecture, as well as gathering other system information such as the victim's hosts file and CPU utilization.[5]

Enterprise T1614 System Location Discovery

Volt Typhoon has obtained the victim's system current location.[1]

Enterprise T1016 System Network Configuration Discovery

Volt Typhoon has executed multiple commands to enumerate network topology and settings including ipconfig, netsh interface firewall show all, and netsh interface portproxy show all.[3]

KV Botnet Activity gathers victim IP information during initial installation stages.[5]

.001 Internet Connection Discovery

Volt Typhoon has employed Ping to check network connectivity.[1]

Enterprise T1049 System Network Connections Discovery

Volt Typhoon has used netstat -ano on compromised hosts to enumerate network connections.[3][4]

Enterprise T1033 System Owner/User Discovery

Volt Typhoon has used public tools and executed the PowerShell command Get-EventLog security -instanceid 4624 to identify associated user and computer account names.[3][4][1]

Enterprise T1007 System Service Discovery

Volt Typhoon has used net start to list running services.[1]

Enterprise T1124 System Time Discovery

Volt Typhoon has obtained the victim's system timezone.[1]

Enterprise T1552 Unsecured Credentials

Volt Typhoon has obtained credentials insecurely stored on targeted network appliances.[1]

.004 Private Keys

Volt Typhoon has accessed a Local State file that contains the AES key used to encrypt passwords stored in the Chrome browser.[1]

Enterprise T1078 Valid Accounts

Volt Typhoon relies primarily on valid credentials for persistence.[1]

.002 Domain Accounts

Volt Typhoon has used compromised domain accounts to authenticate to devices on compromised networks.[2][4][1]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

Volt Typhoon has run system checks to determine if they were operating in a virtualized environment.[2]

Enterprise T1047 Windows Management Instrumentation

Volt Typhoon has leveraged WMIC for execution, remote system discovery, and to create and use temporary directories.[2][3][4][1]

Software

ID Name References Techniques
S0160 certutil [4][1] Archive Collected Data: Archive via Utility, Deobfuscate/Decode Files or Information, Ingress Tool Transfer, Subvert Trust Controls: Install Root Certificate
S0106 cmd [1] Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, Indicator Removal: File Deletion, Ingress Tool Transfer, Lateral Tool Transfer, System Information Discovery
S1144 FRP [2][3] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: JavaScript, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Network Service Discovery, Non-Application Layer Protocol, Protocol Tunneling, Proxy, Proxy: Multi-hop Proxy, System Network Connections Discovery
S0357 Impacket [2][3][1] Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Network Sniffing, OS Credential Dumping: NTDS, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Ccache Files, System Services: Service Execution, Windows Management Instrumentation
S0100 ipconfig [3] System Network Configuration Discovery
S0002 Mimikatz [3][1] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Authentication Certificates, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0039 Net [4][1] Account Discovery: Domain Account, Account Discovery: Local Account, Account Manipulation: Additional Local or Domain Groups, Create Account: Local Account, Create Account: Domain Account, Indicator Removal: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0108 netsh [2][3][1] Event Triggered Execution: Netsh Helper DLL, Impair Defenses: Disable or Modify System Firewall, Proxy, Software Discovery: Security Software Discovery
S0104 netstat [4][1] System Network Connections Discovery
S0359 Nltest [4][1] Domain Trust Discovery, Remote System Discovery, System Network Configuration Discovery
S0097 Ping [2][1] Remote System Discovery
S0029 PsExec [1] Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S0075 Reg [1] Modify Registry, Query Registry, Unsecured Credentials: Credentials in Registry
S0096 Systeminfo [3][4][1] System Information Discovery
S0057 Tasklist [3][4][1] Process Discovery, Software Discovery: Security Software Discovery, System Service Discovery
S1154 VersaMem VersaMem was used by Volt Typhoon as part of Versa Director Zero Day Exploitation.[7] Command and Scripting Interpreter, Data Staged: Local Data Staging, Exploitation for Client Execution, Indicator Removal: File Deletion, Input Capture: Credential API Hooking, Network Sniffing, Obfuscated Files or Information: Encrypted/Encoded File, Shared Modules
S0645 Wevtutil [3][1] Data from Local System, Impair Defenses: Disable Windows Event Logging, Indicator Removal: Clear Windows Event Logs

References