Consider an exotic electrical storm – powerful lightning bolts strike down crucial digital networks, causing chaos in a nation’s critical infrastructure. A cyber-attack from the China-sponsored hacking group, Volt Typhoon, could make this a reality.
As we navigate through the murky waters of cyber warfare, we’ll reveal how Volt Typhoon exploits vulnerabilities in network devices, leverages living-off-the-land techniques, and crafts custom tools to achieve their objectives. With a deeper understanding of this group’s tactics, we can take steps to bolster our defenses against such attacks and ensure the security of our digital world.
Short Summary
- Volt Typhoon is a China-sponsored hacking group that uses living off the land techniques, stolen credentials, and open source tools to gain access.
- Organizations must take steps to protect against them by implementing strong passwords, two factor authentication and using a password manager.
- Mitigation strategies include behavioral monitoring, account security measures & the deployment of Microsoft Defender solutions.
Understanding Volt Typhoon’s Strategy
Volt Typhoon is a China-sponsored hacking group with a singular focus: disrupt critical communications infrastructure. By targeting organizations responsible for maintaining critical infrastructure, Volt Typhoon poses a significant threat to national security agencies. Their ultimate goal is to exploit future crises, leveraging their capabilities to sow chaos and confusion in affected regions, particularly the Asia region, during escalating tensions.
To achieve their objectives, Volt Typhoon employs a combination of living off the land techniques, stolen credentials, and custom versions of open-source tools. By blending in with normal network activity and utilizing legitimate tools, Volt Typhoon can slip past security measures and maintain access to compromised systems.
Let’s take a closer look at some of the tactics they use to gain initial access and maintain persistence.
Targeting Fortinet Devices
Fortinet devices, which are integral to many organizations’ cybersecurity infrastructure, have been identified as prime targets for Volt Typhoon. These devices have numerous vulnerabilities, ranging from unauthenticated file path traversal (CVE-2022-39952) to high-severity security vulnerabilities (CVE-2022-41328) that could enable threat actors to execute unauthorized code or commands.
By exploiting these vulnerabilities, Volt Typhoon gains a foothold in targeted organizations, allowing them to further infiltrate networks and steal sensitive data. The fact that even suspected Chinese spies have been reported to exploit critical Fortinet bugs highlights the severity of these vulnerabilities and the need for organizations to address them promptly.
Stolen Credentials and Authentication
Stolen credentials are the lifeblood of Volt Typhoon’s operations. By unlawfully obtaining usernames, passwords, and other authentication factors, the group gains access to internet websites and apps, often bypassing security measures with ease. The techniques used to obtain these credentials include phishing, malware injection, brute-force attacks, and social engineering, among others.
To safeguard against stolen credentials, organizations must implement strong passwords, enable two-factor authentication, and remain vigilant against phishing attempts. Additionally, using a password manager can help securely store passwords, further reducing the risk of unauthorized access.
Compromised SOHO Network Edge Devices
Small office/home office (SOHO) network edge devices are another prime target for Volt Typhoon. These devices, which include routers, firewalls, and VPN hardware, are vulnerable to outdated firmware, weak passwords, and previously unknown security vulnerabilities. By compromising these devices, the group can route traffic through them, blending into normal network activity and remaining undetected.
The National Security Agency (NSA) has issued an advisory specifying network edge devices from various manufacturers as potentially vulnerable. To protect against Volt Typhoon’s exploits, device owners should ensure that management interfaces are not accessible from the public internet and keep their devices updated with the latest security patches.
Living-off-the-Land Techniques
Volt Typhoon’s use of living-off-the-land techniques is a key aspect of their stealthy approach to cyber warfare. These techniques involve leveraging existing tools and applications on a system to execute malicious activities. By using legitimate tools, the group is able to bypass security measures and maintain a low profile on compromised networks.
One particularly insidious example of Volt Typhoon’s living-off-the-land tactics is their use of Ntdsutil.exe to create installation media containing usernames and password hashes. This tool, typically employed by system administrators for legitimate purposes, is repurposed by the group to gain access to sensitive data and infiltrate target systems.
Credential Harvesting
Credential harvesting is a key component of Volt Typhoon’s modus operandi. This nefarious process involves the theft of personal or financial data, such as usernames and passwords, which are then used to access internet websites and apps. By extracting this sensitive information, the group can gain a foothold in targeted organizations and maintain access to their systems.
Volt Typhoon uses Ntdsutil.exe, a command-line tool, to create installation media out of domain controllers. It can be done both remotely and locally. Usernames and password hashes are stored on different media. These can be cracked offline, which gives threat actors access to valid domain account credentials. With these credentials, they can gain access to a compromised organization in case of loss of access.
Network Discovery and Reconnaissance
Once they have infiltrated a network, Volt Typhoon employs network discovery and reconnaissance techniques to identify potential attack vectors and vulnerabilities in the target system. These techniques include passive methods such as sniffing, scanning, and host discovery, as well as active techniques like port scanning.
By mapping internal networks and computer resources within an organization, Volt Typhoon is able to gather valuable information about the target network or system. This intelligence enables them to fine-tune their attack strategies and exploit any weaknesses they discover.
Data Collection and Exfiltration
Data collection and exfiltration are the endgame for Volt Typhoon’s operations. By extracting sensitive information from compromised networks, such as passwords, credit card numbers, and other confidential data, the group can cause significant harm to targeted organizations and individuals.
To prevent data collection and exfiltration, organizations must implement robust authentication procedures, monitor user activity, and utilize security solutions such as Microsoft Defender. By taking these proactive measures, organizations can better protect themselves against the ever-present threat of Volt Typhoon and other cyber adversaries.
Command and Control Infrastructure
The command and control infrastructure used by Volt Typhoon is a critical component of their operations. This system allows the group to manage and control compromised systems, providing access to the affected system, facilitating data collection, and enabling the creation of proxies.
Volt Typhoon employs PowerShell and WMIC to discover system information and detect other systems on the compromised network. By collecting this data, they can further infiltrate networks and steal sensitive information, all while remaining undetected by conventional security measures.
Custom Tool Usage
In addition to leveraging legitimate tools and applications, Volt Typhoon also develops and employs custom tools to achieve their objectives. These custom tools, such as custom versions of Impacket and Fast Reverse Proxy, are used to establish command and control channels over proxy, further obfuscating their activities.
By using these custom tools, Volt Typhoon can maintain a strong presence on compromised networks, even as security professionals work to detect and neutralize their threat. This highlights the importance of understanding the tactics, techniques, and procedures used by groups like Volt Typhoon and the need for advanced security measures to counter their attacks.
Proxy Creation and Access
Proxies play a critical role in Volt Typhoon’s operations by providing an additional layer of obfuscation and security. By creating and accessing proxies, the group can route traffic through these servers, making it more difficult for security professionals to trace their activities back to their point of origin.
The use of proxies not only complicates efforts to track and counter Volt Typhoon’s activities, but also highlights the need for advanced security solutions and threat intelligence to keep pace with the ever-evolving tactics employed by cyber adversaries.
Mitigation and Defense Strategies
Protecting against the threat posed by Volt Typhoon requires a deep understanding of their tactics and the implementation of effective mitigation and defense strategies. By studying the group’s methods and learning from their attacks, organizations can better prepare themselves to counter this formidable adversary.
Some of the key strategies for defending against Volt Typhoon include behavioral monitoring, account security measures, and the deployment of Microsoft Defender solutions. Let’s explore these strategies in greater detail.
Behavioral Monitoring
Behavioral monitoring is a critical component of any cybersecurity strategy, enabling organizations to detect and address threats in real-time. By observing end-user, device, and network behavior patterns, security professionals can establish a baseline of normal activity and identify any deviations that may indicate malicious activity.
Implementing effective behavioral monitoring can be a resource-intensive process, but it is essential in detecting and neutralizing threats posed by groups like Volt Typhoon. By closely monitoring user behavior, organizations can quickly identify and respond to potential security breaches, minimizing the damage caused by cyberattacks.
Account Security Measures
Securing user accounts is another critical aspect of defending against Volt Typhoon’s attacks. By enforcing strong passwords, implementing two-factor authentication, and regularly monitoring account activity, organizations can reduce the risk of unauthorized access and compromise.
Additionally, using unique passwords for each login, employing recovery codes for resetting credentials, and utilizing session management techniques can further bolster account security. By taking these proactive measures, organizations can better protect themselves against the ever-present threat of Volt Typhoon and other cyber adversaries.
Microsoft Defender Solutions
Microsoft Defender offers a suite of security products and services designed to help protect against advanced threats like those posed by Volt Typhoon. By deploying solutions such as Microsoft Defender for Endpoint, Microsoft Defender for Business, and Microsoft 365 Defender, organizations can enjoy comprehensive threat prevention, detection, and response capabilities.
As the threat landscape continues to evolve, so too must the tools and strategies we employ to protect our digital assets. By leveraging advanced security solutions like Microsoft Defender, organizations can stay one step ahead of cyber adversaries and ensure the ongoing security of their networks and systems.
Summary
In our journey through the shadowy world of Volt Typhoon, we’ve uncovered the group’s tactics, techniques, and procedures, revealing a formidable adversary that poses a significant threat to our digital infrastructure. By understanding the group’s methods, we can take steps to bolster our defenses and protect against such attacks.
As we navigate the ever-evolving landscape of cyber warfare, it’s essential to remain vigilant and proactive in our efforts to secure our digital world. By implementing robust security measures, monitoring user behavior, and leveraging advanced security solutions like Microsoft Defender, we can continue to stay one step ahead of cyber adversaries and ensure the ongoing security of our networks and systems.
