Volt Typhoon 2024 Update

Overview

Volt Typhoon, identified as a state-sponsored cyber threat group by various cybersecurity organizations, has been actively targeting U.S. critical infrastructure with a focus on espionage, information gathering, and potentially disruptive activities against critical communications infrastructure. This group, attributed to the People's Republic of China, has been operational since at least mid-2021, engaging in sophisticated cyber-espionage campaigns against a wide array of sectors including communications, manufacturing, utility, transportation, construction, maritime, government, IT, and education. The threat actor employs stealthy tactics, heavily relying on living-off-the-land (LOTL) techniques and hands-on-keyboard activity to maintain long-term access without detection​​​​.

Recent Activities

Recent advisories and investigations reveal Volt Typhoon's continuous efforts to pre-position themselves within IT networks using LOTL techniques for disruptive or destructive cyber activities in the event of major crises or conflicts​​. Their operations have demonstrated capabilities in credential theft, lateral movement, and the use of custom malware tools for espionage, indicating a high level of sophistication and strategic targeting​​. Notably, their activities have extended beyond the U.S., with significant actions taken against their infrastructure, including botnet disruptions aimed at concealing hacking operations​​.

A concerning development in 2024 involves the compromise of 30% of Cisco RV320/325 devices within 37 days, highlighting their continued exploitation of vulnerabilities in network devices​​. This activity suggests an extensive campaign leveraging end-of-life devices to facilitate data exfiltration and unauthorized network access.

Indicators of Compromise (IoCs)

• IP Addresses:
  • 104.161.54[.]203
  • 109.166.39[.]139
  • 23.227.198[.]247
• CVEs:
  • CVE-2021-27860
  • CVE-2021-40539
  • CVE-2023-27350
• Hashes:
  • ef09b8ff86c276e9b475a6ae6b54f08ed77e09e169f7fc0872eb1d427ee27d31
  • d6ebde42457fe4b2a927ce53fc36f465f0000da931cfab9b79a36083e914ceca
  • d6ab36cb58c6c8c3527e788fc9239d8dcc97468b6999cf9ccd8a815c8b4a80af
  • e453e6efc5a002709057d8648dbe9998a49b9a12291dee390bb61c98a58b6e95​​

Security Recommendations

Organizations are urged to take proactive measures to mitigate the threat posed by Volt Typhoon, including:

• Regular updates and patching of software and devices to address known vulnerabilities.
• Employee training on cybersecurity awareness, especially regarding spear-phishing and suspicious activities.
• Implementation of Multi-factor Authentication (MFA) to add an additional security layer.
• Network segmentation to prevent lateral movement in case of a breach.
• Advanced threat detection solutions employing AI and machine learning for real-time threat identification.
• Regular backups of critical data, stored securely and isolated from primary networks.
• A well-defined incident response plan, familiar to all employees.
• Limiting privileged access based on the principle of least privilege and regularly reviewing access permissions​​.

Organizations are also encouraged to identify and upgrade vulnerable devices, especially those reaching end-of-life, to prevent exploitation by threat actors like Volt Typhoon​​.

Conclusion

The threat landscape continues to evolve with actors like Volt Typhoon demonstrating both the capability and intent to conduct sophisticated cyber-espionage and potentially disruptive operations. Awareness, preparedness, and proactive defense measures remain crucial in safeguarding against such advanced persistent threats.

References

Here is a list of reference websites used in the creation of the Security Advisory Report on Volt Typhoon:

1. CISA (Cybersecurity & Infrastructure Security Agency): Provided a joint advisory on Volt Typhoon's activities, in collaboration with the NSA and FBI, highlighting their targeting of U.S. critical infrastructure using living-off-the-land techniques.
   • CISA Advisory on Volt Typhoon​​
2. Unit 42 (Palo Alto Networks): Shared technical details on specific attacks and tactics used by Volt Typhoon, including the use of netsh PortProxy commands and WMIC for information gathering.
   • Unit 42 Threat Brief on Volt Typhoon​​
3. Microsoft Security Blog: Discussed Volt Typhoon's stealthy activities targeting critical infrastructure in the United States, emphasizing the threat actor's focus on post-compromise credential access and network discovery.
   • Microsoft on Volt Typhoon's Activities​​
4. SOCRadar® Cyber Intelligence Inc.: Profiled Volt Typhoon's espionage campaigns, their impact on critical infrastructure, and U.S. government actions against this threat actor.
   • SOCRadar's APT Profile: Volt Typhoon​​
5. SecurityScorecard: Highlighted Volt Typhoon's compromise of Cisco RV320/325 devices, demonstrating the group's capability to exploit vulnerabilities in network devices.
   • SecurityScorecard Research on Volt Typhoon​​

These sources provide comprehensive insights into Volt Typhoon's tactics, techniques, and procedures (TTPs), as well as actionable intelligence for organizations seeking to defend against this sophisticated threat acto