Security Agencies Heighten Concerns Over Volt Typhoon's Cyber Operations
A joint advisory from CISA, NSA, FBI, and partner agencies continues to emphasize the importance of understanding the cyber-espionage activities of the Volt Typhoon threat group (a.k.a. Bronze Silhouette, Vanguard Panda), linked to Chinese state-sponsored interests. These actors have demonstrated remarkable proficiency in infiltrating and maintaining access within critical infrastructure networks, remaining undetected for years. This assessment is based on observed incidents in which Volt Typhoon actors infiltrated IT networks, particularly in sectors such as Communications, Energy, Transportation Systems, and Water and Wastewater Systems. Unlike traditional cyber espionage operations, "U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions. The U.S. authoring agencies are concerned about the potential for these actors to use their network access for disruptive effects in the event of potential geopolitical tensions and/or military conflicts," the agencies warn in the advisory.
Volt Typhoon is observed to employ sophisticated living-off-the-land (LOTL) techniques, leveraging stolen accounts and robust operational security to evade detection and ensure long-term persistence. According to U.S. agencies, Volt Typhoon actors had maintained access and a foothold in compromised environments 'for at least five years.' In several intrusions documented by CISA, the threat actors had long dwell times before re-entering the network, with confirmed activity resuming four and nine months after initial access. Volt Typhoon's strategic approach is characterized by extensive pre-exploitation reconnaissance tailored to the target organization. The actors adapt their tactics to each target, exploiting vulnerabilities in public-facing network appliances and using valid administrator credentials for lateral movement within networks. Volt Typhoon actors focus on obtaining elevated privileges and targeting OT assets, potentially leading to significant disruptions in critical infrastructure operations.
To guide detection engineers in monitoring cyber threat activity orchestrated by Volt Typhoon, CISA recommends that defenders pay close attention to detections that monitor behaviors associated with living off the land (LOTL) techniques. In line with the broader trend among threat actors, abusing native Windows binaries and tools lets them execute payloads, conduct internal reconnaissance, connect to systems remotely, manipulate files, and clear system logs. The threat actors' exploitation of the Active Directory database (NTDS.dit) was highlighted in the first Volt Typhoon advisory released in May 2023 by Microsoft and is further emphasized in CISA's advisory, which identifies the threat actors' consistent exfiltration of credentials to ensure they maintain persistence on the compromised network.

Furthermore, CISA states that industry reporting that "Volt Typhoon actors are silent on the network following credential dumping and perform discovery to learn about the environment, but do not exfiltrate data" is "consistent with the U.S. authoring agencies' observations. This indicates their aim is to achieve and maintain persistence on the network. In one confirmed compromise, an industry partner observed Volt Typhoon actors dumping credentials at regular intervals."

Volt Typhoon's targeting of network administrators for credential theft is often carried out during the organization's business hours to blend in with normal user activity. The use of living off the land (LOTL) techniques, such as PowerShell commands and legitimate network admin tools, should therefore be treated as a potential indicator of intrusion. Based on CISA's red team engagements, the agency warns of "overly broad exceptions for the PsExec tool because administrators regularly use it for their job duties. Malicious actors often leverage the lack of restrictions to move laterally without detection."
Detection engineers should also monitor for signs of lateral movement via Remote Desktop Protocol (RDP) sessions and for the exploitation of known vulnerabilities in networking appliances. Additionally, any attempts to access or manipulate sensitive data related to OT systems, such as supervisory control and data acquisition (SCADA) systems, should be closely scrutinized for potential malicious activity. Of grave concern is Volt Typhoon's capability to manipulate critical infrastructure systems, including HVAC systems, energy controls, and water treatment plants. Through lateral movement within compromised networks, they aim to escalate privileges and gain access to OT assets, posing significant risks of infrastructure failures. Moreover, their use of a botnet comprising small office/home office (SOHO) devices, known as the KV-botnet, underscores their commitment to stealth and evasion.
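The two preceding paragraphs list the behaviours the advisory wants detection engineers to watch for: NTDS.dit access, PsExec use that slips through broad allow-lists, log clearing, credential dumping at regular intervals, and RDP lateral movement. The following Python is an added example, not code from the advisory or from any CISA tooling, that turns those points into simple rules run over a handful of constructed, flattened Windows event records. Field names (`ts`, `host`, `event_id`, `cmd`, `service`, `logon_type`, `src_ip`) and the jump-host allow-list are assumptions for this example; the event IDs (4688 process creation, 7045 service install, 1102 security log cleared, 4624 logon with type 10 for RDP) are standard Windows values. The cadence rule goes a little beyond the text: it collapses commands that occur within an hour into one dumping session and then flags a host whose sessions recur at near-constant spacing.

```python
"""Detection rules for Volt Typhoon-style living-off-the-land activity.

Added example (not from the advisory). Records are constructed to look like
flattened Windows Security / System events; field names are assumptions.
"""
from collections import defaultdict
from datetime import datetime
import re
import statistics

# Constructed sample events (not real telemetry). Three ntdsutil runs on DC01
# sit almost exactly seven days apart; the last RDP logon comes from an
# approved jump host and should not fire.
SAMPLE_EVENTS = [
    {"ts": "2024-02-05T09:12:00", "host": "DC01", "event_id": 4688, "user": "adm-jsmith",
     "cmd": 'ntdsutil.exe "ac i ntds" ifm "create full C:\\Windows\\Temp\\x" q q'},
    {"ts": "2024-02-05T09:13:00", "host": "DC01", "event_id": 4688, "user": "adm-jsmith",
     "cmd": "vssadmin create shadow /for=C:"},
    {"ts": "2024-02-05T09:20:00", "host": "FS02", "event_id": 7045,
     "service": "PSEXESVC", "image": "C:\\Windows\\PSEXESVC.exe"},
    {"ts": "2024-02-05T10:02:00", "host": "FS02", "event_id": 4624,
     "logon_type": 10, "src_ip": "10.40.1.77", "user": "adm-jsmith"},
    {"ts": "2024-02-05T10:30:00", "host": "FS02", "event_id": 1102, "user": "adm-jsmith"},
    {"ts": "2024-02-12T09:12:00", "host": "DC01", "event_id": 4688, "user": "adm-jsmith",
     "cmd": 'ntdsutil.exe "ac i ntds" ifm "create full C:\\Windows\\Temp\\y" q q'},
    {"ts": "2024-02-19T09:11:00", "host": "DC01", "event_id": 4688, "user": "adm-jsmith",
     "cmd": 'ntdsutil.exe "ac i ntds" ifm "create full C:\\Windows\\Temp\\z" q q'},
    {"ts": "2024-02-05T11:00:00", "host": "FS02", "event_id": 4624,
     "logon_type": 10, "src_ip": "10.10.0.5", "user": "helpdesk"},
]

# Assumption: the only hosts from which interactive RDP is expected.
RDP_JUMP_HOSTS = {"10.10.0.5"}

# Command-line patterns associated with copying the AD database.
NTDS_PATTERNS = [
    re.compile(r"ntdsutil.*\bifm\b", re.I),           # IFM media creation
    re.compile(r"vssadmin\s+create\s+shadow", re.I),  # shadow copy of a locked ntds.dit
    re.compile(r"ntds\.dit", re.I),                   # any direct reference to the file
]


def credential_dump_events(events):
    """Process-creation events whose command line matches an NTDS.dit access pattern."""
    return [e for e in events if e.get("event_id") == 4688
            and any(p.search(e.get("cmd", "")) for p in NTDS_PATTERNS)]


def regular_cadence(events, min_count=3, max_cv=0.1, session_gap=3600):
    """Map host -> mean gap in days for hosts whose dumping sessions recur at
    near-constant spacing (low coefficient of variation of the gaps)."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(datetime.fromisoformat(e["ts"]))
    hits = {}
    for host, stamps in by_host.items():
        stamps.sort()
        sessions = [stamps[0]]                       # collapse bursts into one session
        for s in stamps[1:]:
            if (s - sessions[-1]).total_seconds() > session_gap:
                sessions.append(s)
        if len(sessions) < min_count:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(sessions, sessions[1:])]
        if statistics.pstdev(gaps) / statistics.mean(gaps) <= max_cv:
            hits[host] = round(statistics.mean(gaps) / 86400, 2)
    return hits


def detect_lotl(events, jump_hosts=RDP_JUMP_HOSTS):
    """Return (rule, host, detail) findings for the behaviours the advisory calls out."""
    findings = []
    dumps = credential_dump_events(events)
    for e in dumps:
        findings.append(("ntds_dit_access", e["host"], e["ts"]))
    for host, days in regular_cadence(dumps).items():
        findings.append(("periodic_credential_dumping", host, f"every ~{days} days"))
    for e in events:
        eid = e.get("event_id")
        if eid == 7045 and e.get("service", "").upper() == "PSEXESVC":
            findings.append(("psexec_service_install", e["host"], e["ts"]))
        elif eid == 1102 or (eid == 4688 and re.search(r"wevtutil\s+cl\b", e.get("cmd", ""), re.I)):
            findings.append(("security_log_cleared", e["host"], e["ts"]))
        elif eid == 4624 and e.get("logon_type") == 10 and e.get("src_ip") not in jump_hosts:
            findings.append(("rdp_from_unapproved_source", e["host"], e.get("src_ip")))
    return findings


if __name__ == "__main__":
    for finding in detect_lotl(SAMPLE_EVENTS):
        print(*finding)
```

On the sample data the rules raise the four NTDS.dit command lines, a weekly cadence on DC01, the PSEXESVC install, the security-log clear, and the RDP logon from the non-jump-host address, while the helpdesk logon from the approved jump host stays quiet. The PsExec rule is deliberately unconditional: the advisory's point is that a blanket exception for the tool is what lets lateral movement go unnoticed, so any exception should be scoped to specific source hosts and accounts rather than to the service name.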
The multiple advisories issued by government agencies, along with the profound warnings from leaders like CISA Director Jen Easterly and FBI Director Christopher A. Wray, underscore the critical nature of the threats posed by state-sponsored cyber actors like Volt Typhoon. As Director Wray emphasized in his testimony to the U.S. House Select Committee on January 31, 2024, "I do want the American people to know that we cannot afford to sleep on this danger." These statements serve as a stark reminder of the ongoing cyber risks facing critical infrastructure and the imperative for heightened vigilance and proactive measures to safeguard national security interests.