Global security partners issue cybersecurity advisory on state-sponsored Chinese hacker group Volt Typhoon

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI), in collaboration with several U.S. and international government agencies, have released a joint cybersecurity advisory focused on the malicious activities of a state-sponsored cyber actor from the People’s Republic of China (PRC) known as Volt Typhoon. The advisory emphasizes the urgent need to protect critical infrastructure from compromise and from the persistent access these actors maintain once inside.

The advisory highlighted that the use of living off the land (LOTL) techniques is a hallmark of Volt Typhoon actors’ malicious cyber activity when targeting critical infrastructure. CISA and its U.S. government partners have confirmed that this group of PRC state-sponsored cyber actors has compromised entities across multiple critical infrastructure sectors in cyberspace, including communications, energy, transportation, and water and wastewater, in the U.S. and its territories. The Volt Typhoon hacker group is also known as Vanguard Panda, BRONZE SILHOUETTE, Dev-0391, UNC3236, Voltzite, and Insidious Taurus.

Jointly issued by CISA, NSA, FBI, Department of Energy (DOE), Environmental Protection Agency (EPA), Transportation Security Administration (TSA), Australian Signals Directorate’s (ASD’s) Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), a part of the Communications Security Establishment (CSE), U.K. National Cyber Security Centre (NCSC-UK), and New Zealand National Cyber Security Centre (NCSC-NZ), the latest advisory said that the data and information CISA and its U.S. government partners have gathered suggest that the PRC is positioning itself to launch destructive cyber-attacks that would jeopardize the physical safety of Americans and impede military readiness in the event of a major crisis or conflict with the U.S.

Volt Typhoon hackers rarely use malware for post-compromise execution. Instead, once they gain access to target environments, they rely on hands-on-keyboard activity via the command line and other native tools and processes already on the systems (often referred to as ‘LOLBins’), an approach known as LOTL, to maintain and expand access to the victim networks. These hackers have been observed using commercial tools, LOTL utilities, and appliances already present on the system for system information, network service, group, and user discovery.

The Volt Typhoon group relies on valid accounts and leverages strong operational security, which combined, allows for long-term undiscovered persistence. In fact, the U.S. authoring agencies have recently observed indications of Volt Typhoon actors maintaining access and footholds within some victim IT environments for at least five years. Volt Typhoon actors conduct extensive pre-exploitation reconnaissance to learn about the target organization and its environment; tailor their tactics, techniques, and procedures (TTPs) to the victim’s environment; and dedicate ongoing resources to maintaining persistence and understanding the target environment over time, even after initial compromise.

The advisory outlined that Volt Typhoon conducts extensive pre-compromise reconnaissance to learn about the target organization’s network architecture and operational protocols. It typically gains initial access to the IT network by exploiting known or zero-day vulnerabilities in public-facing network appliances and then connects to the victim’s network via VPN for follow-on activities. It also aims to obtain administrator credentials within the network, often by exploiting privilege escalation vulnerabilities in the operating system or network services. 

The agencies also disclosed that Volt Typhoon uses valid administrator credentials to move laterally to the domain controller (DC) and other devices through remote access services such as Remote Desktop Protocol (RDP). Volt Typhoon conducts discovery in the victim’s network, leveraging LOTL binaries for stealth, and achieves full domain compromise by extracting the Active Directory database (NTDS.dit) from the DC. Volt Typhoon likely uses offline password-cracking techniques to recover passwords from the hashes that database contains, and then uses the elevated credentials for strategic network infiltration and additional discovery, often focusing on gaining capabilities to access OT assets.
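The lateral movement described above leaves a detectable footprint: an RDP logon to a domain controller from a host that is not an approved admin workstation, followed shortly by a command line on that DC that references NTDS.dit. The following correlation logic is an added example (not code from the advisory or the authoring agencies); the hostnames, event shape and 30-minute window are assumptions, and the events are constructed.

```python
from datetime import datetime, timedelta

# Assumed inventory: domain controllers and the only hosts admins should RDP from.
DC_HOSTS = {"dc01"}
ADMIN_JUMP_HOSTS = {"jump01"}
CORRELATION_WINDOW = timedelta(minutes=30)
RDP_LOGON_TYPE = 10  # RemoteInteractive logon type in Windows 4624 events


def detect_dc_compromise_pattern(events):
    """Return (severity, reason) alerts for the RDP-to-DC plus NTDS.dit pattern.

    events: dicts with keys time, host, kind ('logon' | 'process'), user, and
    either src + logon_type (logon) or cmd (process). Assumed normalized shape.
    """
    alerts = []
    rdp_to_dc = {}  # user -> time of the latest suspicious RDP logon to a DC
    for e in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(e["time"])
        if e["kind"] == "logon" and e["host"] in DC_HOSTS and e["logon_type"] == RDP_LOGON_TYPE:
            if e["src"] not in ADMIN_JUMP_HOSTS:
                rdp_to_dc[e["user"]] = t
                alerts.append(("medium", f"RDP logon to DC {e['host']} by {e['user']} "
                                         f"from non-jump host {e['src']}"))
        elif e["kind"] == "process" and "ntds.dit" in e["cmd"].lower():
            # Any NTDS.dit reference is suspicious; correlated with a fresh
            # unapproved RDP logon by the same account it becomes critical.
            last = rdp_to_dc.get(e["user"])
            sev = "critical" if last and t - last <= CORRELATION_WINDOW else "high"
            alerts.append((sev, f"Command line on {e['host']} references NTDS.dit: {e['cmd']}"))
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"time": "2024-02-07T01:05:00", "host": "dc01", "kind": "logon",
     "user": "admin.j", "src": "jump01", "logon_type": 10},
    {"time": "2024-02-07T01:10:00", "host": "dc01", "kind": "logon",
     "user": "svc_backup", "src": "ws-hr-22", "logon_type": 10},
    {"time": "2024-02-07T01:12:30", "host": "dc01", "kind": "process", "user": "svc_backup",
     "cmd": "cmd.exe /c copy C:\\Windows\\NTDS\\ntds.dit C:\\Temp\\n.dit"},
]

if __name__ == "__main__":
    for sev, reason in detect_dc_compromise_pattern(SAMPLE_EVENTS):
        print(sev.upper(), reason)
```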

This is the second cybersecurity advisory issued by the U.S. and international cybersecurity partners highlighting malicious activity executed by the Volt Typhoon hacker group. The May 2023 advisory noted that private sector partners had identified this activity affecting networks across U.S. critical infrastructure sectors, and that the agencies believed the actor could apply the same techniques against these and other sectors worldwide.

“The PRC cyber threat is not theoretical: leveraging information from our government and industry partners, CISA teams have found and eradicated Volt Typhoon intrusions into critical infrastructure across multiple sectors. And what we’ve found to date is likely the tip of the iceberg,” Jen Easterly, CISA director, said in a media statement. “Today’s joint advisory and guide are the result of effective, persistent operational collaboration with our industry, federal, and international partners and reflect our continued commitment to providing timely, actionable guidance to all of our stakeholders.” 

Easterly highlighted that “we are at a critical juncture for our national security. We strongly encourage all critical infrastructure organizations to review and implement the actions in these advisories and report any suspected Volt Typhoon or living off the land activity to CISA or FBI.”

The advisory identified that Volt Typhoon hackers conduct extensive pre-compromise reconnaissance to learn about the target organization, its network, and its staff. This includes web searches, including of victim-owned sites, for victim host, identity, and network information, especially information on key network and IT administrators. According to industry reports, Volt Typhoon hackers use FOFA, Shodan, and Censys to query or search for exposed infrastructure.

In some instances, the U.S. authoring agencies have observed Volt Typhoon actors targeting the personal emails of key network and IT staff post-compromise.

To obtain initial access, Volt Typhoon hackers commonly exploit vulnerabilities in networking appliances such as those from Fortinet, Ivanti Connect Secure (formerly Pulse Secure), NETGEAR, Citrix, and Cisco. They often use publicly available exploit code for known vulnerabilities but are also adept at discovering and exploiting zero-day vulnerabilities. 

The advisory pointed out that in a confirmed compromise, Volt Typhoon actors likely obtained initial access by exploiting CVE-2022-42475 in a network perimeter FortiGate 300D firewall that was not patched. There is evidence of a buffer overflow attack identified within the Secure Sockets Layer (SSL)-VPN crash logs. 

Once initial access is achieved, Volt Typhoon hackers typically shift to establishing persistent access. They often use VPN sessions to securely connect to victim environments, enabling discreet follow-on intrusion activities. This tactic provides a stable foothold in the network and allows them to blend in with regular traffic, reducing their chances of detection.

According to industry reporting, some ‘commands appear to be exploratory or experimental, as the operators [i.e., malicious actors] adjust and repeat them multiple times.’

The advisory also detailed that the Volt Typhoon has strong operational security. “Their actors primarily use LOTL for defense evasion, which allows them to camouflage their malicious activity with typical system and network behavior, potentially circumventing simplistic endpoint security capabilities.”

The agencies also call for reviewing access logs for communication paths between IT and OT networks, looking for anomalous accesses or protocols; measuring the baseline of normal operations and network traffic for the industrial control system (ICS); and assessing traffic anomalies for malicious activity.

They also suggest configuring intrusion detection systems (IDS) to create alarms for any ICS network traffic outside normal operations; tracking and monitoring audit trails on critical areas of ICS; and setting up security information and event management (SIEM) to monitor, analyze, and correlate event logs from across the ICS network to identify intrusion attempts.
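One way to put the IT/OT baseline-and-anomaly recommendation into practice, as an added example that is not part of the advisory: learn the set of (source, destination, port) paths seen on the IT-to-OT conduit during a known-good period, then flag review-period flows that are off-baseline or that carry remote-access/admin protocols into the OT network. The log format, IP addresses and port allowlists are assumptions, and all log lines are constructed.

```python
# Constructed IT->OT conduit logs from a "normal operations" period (assumed format).
BASELINE_LOGS = [
    "2024-02-01T08:00:00 src=10.1.5.20 dst=10.9.0.11 dport=502 proto=tcp",
    "2024-02-01T08:05:00 src=10.1.5.20 dst=10.9.0.12 dport=502 proto=tcp",
    "2024-02-01T08:10:00 src=10.1.5.21 dst=10.9.0.50 dport=20000 proto=tcp",
]
# Constructed logs from the period under review.
REVIEW_LOGS = [
    "2024-02-07T02:00:00 src=10.1.5.20 dst=10.9.0.11 dport=502 proto=tcp",    # known path
    "2024-02-07T02:01:00 src=10.1.8.77 dst=10.9.0.11 dport=3389 proto=tcp",   # RDP from a new host
    "2024-02-07T02:03:00 src=10.1.5.20 dst=10.9.0.13 dport=445 proto=tcp",    # SMB to a new OT host
]

EXPECTED_ICS_PORTS = {502, 20000, 44818}  # Modbus/TCP, DNP3, EtherNet/IP (assumed allowlist)
ADMIN_PORTS = {3389, 22, 445, 5985}       # remote-access/admin protocols that should not cross IT->OT


def parse(line):
    """Turn one 'ts key=value ...' log line into a dict with an int dport."""
    ts, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec["time"] = ts
    rec["dport"] = int(rec["dport"])
    return rec


def build_baseline(lines):
    """Baseline = set of (src, dst, dport) paths observed during normal operations."""
    return {(r["src"], r["dst"], r["dport"]) for r in map(parse, lines)}


def find_anomalies(baseline, lines):
    """Return (time, path, reasons) for each review flow that deviates from baseline."""
    alerts = []
    for r in map(parse, lines):
        key = (r["src"], r["dst"], r["dport"])
        reasons = []
        if key not in baseline:
            reasons.append("path not in baseline")
        if r["dport"] in ADMIN_PORTS:
            reasons.append("admin/remote-access protocol crossing IT->OT")
        elif r["dport"] not in EXPECTED_ICS_PORTS:
            reasons.append("non-ICS protocol")
        if reasons:
            alerts.append((r["time"], key, reasons))
    return alerts


if __name__ == "__main__":
    for time, path, reasons in find_anomalies(build_baseline(BASELINE_LOGS), REVIEW_LOGS):
        print(time, path, "; ".join(reasons))
```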

Commenting on the latest guidance, James McQuiggan, security awareness advocate at KnowBe4, wrote in an emailed statement that organizations must recognize the techniques these threat actors use and deploy advanced detection technologies to identify and prevent these sophisticated threats that can evade conventional defenses. “Moreover, organizations should invest in secure-by-design principles and practices to bolster their network’s resilience against state-sponsored cyber threats.”

“Collaboration between government agencies and private entities is also crucial for sharing intelligence, threat indicators, and defensive strategies to enhance the resilience of critical systems,” McQuiggan added. “The international community must work toward establishing and enforcing norms and agreements that discourage state-sponsored cyber activities targeting civilian infrastructure. The potential for real-world harm stresses the importance of cybersecurity as a national security imperative, requiring a sustained and collective approach to counter persistent cyber threats.”

In addition to the joint cybersecurity advisory, the agencies also published a complementary Joint Guidance to help organizations hunt for and detect the sophisticated types of techniques used by actors such as Volt Typhoon, known as ‘living off the land.’ In recent years, the U.S. has seen a strategic shift in PRC cyber threat activity from a focus on espionage to pre-positioning for possible disruptive cyber-attacks against U.S. critical infrastructure.

By using ‘living off the land’ techniques, PRC cyber hackers blend in with normal system and network activities, avoid identification by network defenses, and limit the amount of activity that is captured in common logging configurations.

The authoring agencies recommend organizations implement the mitigations to improve their cybersecurity posture based on Volt Typhoon activity. These mitigations align with the cross-sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. 

Additionally, CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. 

Recently, the U.S. Select Committee on the Chinese Communist Party (CCP) conducted a hearing to address the CCP’s threat to the American homeland. The objective of this move is to increase awareness and emphasize the risks associated with nation-state hackers who possess the ability to inflict significant damage and real-world harm on Americans. These actors achieve this by launching destructive cyber attacks that specifically target U.S. critical infrastructure and supply chains.
