Volt Typhoon is an advanced persistent threat (APT) group reportedly affiliated with the People’s Republic of China. Reported as early as 2021, the group primarily targets critical infrastructure sectors in the United States, including communications, manufacturing, utilities, transportation, and education. Their operations are characterized by stealth and a focus on espionage and data theft.

How they got in (Initial Access):
In this instance, Volt Typhoon exploited known vulnerabilities in internet-facing Fortinet FortiGuard devices. These were externally facing and provided access into the Guam-based telecommunications companies. Unfortunately, a large portion of these devices had default or incredibly weak credentials, making it simple for adversaries to gain access.

After the group gained access, it would continue to compromise other devices and use the existing permissions of compromised devices to harvest the credentials of legitimate users. They target Domain Controllers in order to gain access to Active Directory and obtain multiple user credentials. Note that this group uses legitimate, real users who are actual members of the organization, rather than creating new fake accounts.

This group is hesitant to utilize malware and instead prefers hands-on-keyboard activity and LOLBins. LOLBins (Living-off-the-Land Binaries) are essentially tools and operations that come inherently with the operating system (in this case Windows). The importance of this is obfuscation: these are legitimate processes within the operating system that are used to run the device itself, which makes them difficult to flag as malicious because they normally operate in this environment. They utilize PowerShell and WMIC (Windows Management Instrumentation Command-line) to further gather information about the system, its configuration, and architecture.
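As an added illustration (not from the original post) of how a defender turns this into detection: the script below scores constructed process-creation events for the two LOLBins named above and raises a finding only when one account runs several distinct kinds of discovery, since a lone wmic or PowerShell query is routine admin noise. The event format, the rule patterns and the user names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon Event ID 1 style, flattened to
# "user|image|command line"). Sample data, not telemetry from the incident.
EVENTS = [
    "CORP\\jsmith|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic os get caption,version,osarchitecture",
    "CORP\\jsmith|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic computersystem get domain,model",
    "CORP\\jsmith|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -c Get-NetIPConfiguration",
    "CORP\\akumar|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic os get version",
    "NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs",
]

# LOLBins the post calls out, matched on the image file name (case-insensitive).
LOLBINS = {"wmic.exe", "powershell.exe"}

# Discovery categories: one regex per kind of information being gathered.
# Hypothetical rule set for illustration, not a vendor signature.
DISCOVERY = {
    "os_version": re.compile(r"\bos\s+get\b|Get-ComputerInfo|systeminfo", re.I),
    "hardware": re.compile(r"\bcomputersystem\s+get\b|Win32_ComputerSystem", re.I),
    "network": re.compile(r"\bnicconfig\b|Get-NetIPConfiguration|ipconfig", re.I),
}

def classify(event):
    """Return (user, category) if this event is a LOLBin discovery command, else None."""
    user, image, cmdline = event.split("|", 2)
    if image.rsplit("\\", 1)[-1].lower() not in LOLBINS:
        return None
    for category, pattern in DISCOVERY.items():
        if pattern.search(cmdline):
            return user, category
    return None

def find_discovery_clusters(events, min_categories=2):
    """Group LOLBin discovery hits per user. One hit is everyday admin work;
    several distinct kinds of discovery by one account is worth an analyst's time."""
    per_user = defaultdict(set)
    for event in events:
        hit = classify(event)
        if hit:
            per_user[hit[0]].add(hit[1])
    return {u: sorted(c) for u, c in per_user.items() if len(c) >= min_categories}

if __name__ == "__main__":
    for user, categories in find_discovery_clusters(EVENTS).items():
        print(f"{user}: LOLBin discovery across {', '.join(categories)}")
```

The same grouping works per host or per source IP instead of per user; the point is that the alert keys on the breadth of discovery, not on the presence of wmic.exe or powershell.exe alone.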

In order to exfiltrate data, the actors compromised a large number of home routers and VPN credentials to blend the stolen information in with normal traffic. This would help evade detection and allow the actor to remain in the system, continuing to send more data as time goes on.

There is something to be said here about geopolitics. Threat actors like this are increasingly important in geopolitics. Specifically, this group is targeting critical infrastructure in areas like Guam and in water treatment and power stations across the United States. Unlike other Chinese APTs, this group has a huge focus on operational security (OPSEC) and intelligence gathering. This is consistent with espionage groups, who are charged more with maintaining and increasing access, and it is also consistent with Volt Typhoon's choices: they choose to avoid detection, they choose to remain silent and continue to dig into environments, and they choose to utilize real user accounts and follow those users' normal access permissions to avoid suspicion.

Volt Typhoon is a sophisticated nation-state-affiliated cyber threat targeting critical infrastructure, with huge potential for national security and geopolitical instability. Their actions should underscore the need for an even more robust cybersecurity workforce and collaboration between the private sector and government agencies to prevent cyber-kinetic events like the Colonial Pipeline attack.
