Volt Typhoon

Volt Typhoon is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021. Volt Typhoon typically focuses on espionage and information gathering and has targeted critical infrastructure organizations in the US including Guam. Volt Typhoon has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands on keyboard activities, and stolen credentials.[1][2][3]

ID: G1017
Associated Groups: BRONZE SILHOUETTE
Contributors: Phyo Paing Htun (ChiLai), I-Secure Co.,Ltd; Ai Kimura, NEC Corporation; Manikantan Srinivasan, NEC Corporation India; Pooja Natarajan, NEC Corporation India
Version: 1.0
Created: 27 July 2023
Last Modified: 03 October 2023

Associated Group Descriptions

Name Description
BRONZE SILHOUETTE

[3]

Techniques Used

Domain ID Name Use
Enterprise T1087 .002 Account Discovery: Domain Account

Volt Typhoon has run net group /dom and net group "Domain Admins" /dom in compromised environments for account discovery.[2][3]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Volt Typhoon has archived the ntds.dit database as a multi-volume password-protected archive with 7-Zip.[3]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Volt Typhoon has used PowerShell including for remote system discovery.[1][2]

.003 Command and Scripting Interpreter: Windows Command Shell

Volt Typhoon has used the Windows command line to perform hands-on-keyboard activities in targeted environments including for discovery.[1][2][3]

Enterprise T1584 .004 Compromise Infrastructure: Server

Volt Typhoon has used compromised PRTG servers from other organizations for C2.[3]

.005 Compromise Infrastructure: Botnet

Volt Typhoon has routed traffic through compromised small office and home office (SOHO) network equipment, many of which were located in the same geographic area as the victim.[1][2]

Enterprise T1555 Credentials from Password Stores

Volt Typhoon has attempted to obtain credentials from OpenSSH, realvnc, and PuTTY.[2]

Enterprise T1005 Data from Local System

Volt Typhoon has stolen the Active Directory database from targeted environments and used Wevtutil to extract event log information.[2][3]

Enterprise T1074 Data Staged

Volt Typhoon has staged collected data in password-protected archives.[1]

.001 Local Data Staging

Volt Typhoon has saved stolen files including the ntds.dit database and the SYSTEM and SECURITY Registry hives locally to the C:\Windows\Temp\ directory.[2][3]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Volt Typhoon has used a version of the Awen web shell that employed AES encryption and decryption for C2 communications.[3]

Enterprise T1190 Exploit Public-Facing Application

Volt Typhoon gained initial access through exploitation of CVE-2021-40539 in internet-facing ManageEngine ADSelfService Plus servers.[3]

Enterprise T1070 .004 Indicator Removal: File Deletion

Volt Typhoon has run rd /S to delete their working directories and files.[3]

.007 Indicator Removal: Clear Network Connection History and Configurations

Volt Typhoon have inspected server logs to remove their IPs.[3]

Enterprise T1570 Lateral Tool Transfer

Volt Typhoon has copied web shells between servers in targeted environments.[3]

Enterprise T1654 Log Enumeration

Volt Typhoon has used wevtutil.exe and the PowerShell command Get-EventLog security to enumerate Windows logs to search for successful logons.[2]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Volt Typhoon has used legitimate looking filenames for compressed copies of the ntds.dit database and used names including cisco_up.exe, cl64.exe, vm3dservice.exe, watchdogd.exe, Win.exe, WmiPreSV.exe, and WmiPrvSE.exe for the Earthworm and Fast Reverse Proxy tools.[2][3]

.008 Masquerading: Masquerade File Type

Volt Typhoon has appended copies of the ntds.dit database with a .gif file extension.[3]

Enterprise T1588 .002 Obtain Capabilities: Tool

Volt Typhoon has used customized versions of open-source tools for C2.[1]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Volt Typhoon has attempted to access hashed credentials from the LSASS process memory space.[1]

.003 OS Credential Dumping: NTDS

Volt Typhoon has used ntds.util to create domain controller installation media containing usernames and password hashes.[1][2][3]

Enterprise T1069 .001 Permission Groups Discovery: Local Groups

Volt Typhoon has run net localgroup administrators in compromised environments to enumerate accounts.[2]

.002 Permission Groups Discovery: Domain Groups

Volt Typhoon has run net group in compromised environments to discover domain groups.[3]

Enterprise T1057 Process Discovery

Volt Typhoon has enumerated running processes on targeted systems.[1][3]

Enterprise T1090 Proxy

Volt Typhoon has used compromised devices and customized versions of open source tools such as Fast Reverse Proxy (FRP), Earthworm, and Impacket to proxy network traffic.[1][2]

.001 Internal Proxy

Volt Typhoon has used the built-in netsh port proxy command to create proxies on compromised systems to facilitate access.[1]

Enterprise T1012 Query Registry

Volt Typhoon has queried the Registry on compromised systems, reg query hklm\software\, for information on installed software.[2]

Enterprise T1018 Remote System Discovery

Volt Typhoon has used multiple methods, including Ping, to enumerate systems on compromised networks.[1][3]

Enterprise T1505 .003 Server Software Component: Web Shell

Volt Typhoon has used webshells, including ones named AuditReport.jspx and iisstart.aspx, in compromised environments.[3]

Enterprise T1518 Software Discovery

Volt Typhoon has queried the Registry on compromised systems for information on installed software.[2]

Enterprise T1082 System Information Discovery

Volt Typhoon has discovered file system types, drive names, size, and free space on compromised systems.[1][2][3]

Enterprise T1016 System Network Configuration Discovery

Volt Typhoon has executed multiple commands to enumerate network topology and settings including ipconfig, netsh interface firewall show all, and netsh interface portproxy show all.[2]

Enterprise T1049 System Network Connections Discovery

Volt Typhoon has used netstat -ano on compromised hosts to enumerate network connections.[2][3]

Enterprise T1033 System Owner/User Discovery

Volt Typhoon has executed the PowerShell command Get-EventLog security -instanceid 4624 to identify associated user and computer account names.[2][3]

Enterprise T1078 .002 Valid Accounts: Domain Accounts

Volt Typhoon has used compromised domain accounts to authenticate to devices on compromised networks.[1][3]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

Volt Typhoon has run system checks to determine if they were operating in a virtualized environment.[1]

Enterprise T1047 Windows Management Instrumentation

Volt Typhoon has leveraged WMIC including for execution and remote system discovery.[1][2][3]

Software

ID Name References Techniques
S0160 certutil [3] Archive Collected Data: Archive via Utility, Deobfuscate/Decode Files or Information, Ingress Tool Transfer, Subvert Trust Controls: Install Root Certificate
S0357 Impacket [1][2] Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Network Sniffing, OS Credential Dumping: NTDS, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Steal or Forge Kerberos Tickets: Kerberoasting, System Services: Service Execution, Windows Management Instrumentation
S0100 ipconfig [2] System Network Configuration Discovery
S0002 Mimikatz [2] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Authentication Certificates, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0039 Net [3] Account Discovery: Domain Account, Account Discovery: Local Account, Create Account: Local Account, Create Account: Domain Account, Indicator Removal: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0108 netsh [1][2] Event Triggered Execution: Netsh Helper DLL, Impair Defenses: Disable or Modify System Firewall, Proxy, Software Discovery: Security Software Discovery
S0104 netstat [3] System Network Connections Discovery
S0359 Nltest [3] Domain Trust Discovery, Remote System Discovery, System Network Configuration Discovery
S0097 Ping [1] Remote System Discovery
S0096 Systeminfo [2][3] System Information Discovery
S0057 Tasklist [2][3] Process Discovery, Software Discovery: Security Software Discovery, System Service Discovery
S0645 Wevtutil [2] Data from Local System, Impair Defenses: Disable Windows Event Logging, Indicator Removal: Clear Windows Event Logs

References