Volt Typhoon

Volt Typhoon is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021. Volt Typhoon typically focuses on espionage and information gathering and has targeted critical infrastructure organizations in the US including Guam. Volt Typhoon has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands on keyboard activities, and stolen credentials.^[1]^[2]^[3]

ID: G1017

ⓘ

Associated Groups: BRONZE SILHOUETTE

Contributors: Phyo Paing Htun (ChiLai), I-Secure Co.,Ltd; Ai Kimura, NEC Corporation; Manikantan Srinivasan, NEC Corporation India; Pooja Natarajan, NEC Corporation India

Version: 1.1

Created: 27 July 2023

Last Modified: 28 March 2024

Version Permalink

Live Version

Associated Group Descriptions

Name	Description
BRONZE SILHOUETTE	^[3]

Techniques Used

Domain	ID		Name	Use
Enterprise	T1087	.002	Account Discovery: Domain Account	Volt Typhoon has run `net group /dom` and `net group "Domain Admins" /dom` in compromised environments for account discovery.^[2]^[3]
Enterprise	T1560	.001	Archive Collected Data: Archive via Utility	Volt Typhoon has archived the ntds.dit database as a multi-volume password-protected archive with 7-Zip.^[3]
Enterprise	T1059	.001	Command and Scripting Interpreter: PowerShell	Volt Typhoon has used PowerShell including for remote system discovery.^[1]^[2]
		.003	Command and Scripting Interpreter: Windows Command Shell	Volt Typhoon has used the Windows command line to perform hands-on-keyboard activities in targeted environments including for discovery.^[1]^[2]^[3]
Enterprise	T1584	.004	Compromise Infrastructure: Server	Volt Typhoon has used compromised PRTG servers from other organizations for C2.^[3]
		.008	Compromise Infrastructure: Network Devices	Volt Typhoon has compromised small office and home office (SOHO) network edge devices, many of which were located in the same geographic area as the victim, to proxy network traffic.^[1]^[2]
Enterprise	T1555		Credentials from Password Stores	Volt Typhoon has attempted to obtain credentials from OpenSSH, realvnc, and PuTTY.^[2]
Enterprise	T1005		Data from Local System	Volt Typhoon has stolen the Active Directory database from targeted environments and used Wevtutil to extract event log information.^[2]^[3]
Enterprise	T1074		Data Staged	Volt Typhoon has staged collected data in password-protected archives.^[1]
		.001	Local Data Staging	Volt Typhoon has saved stolen files including the ntds.dit database and the `SYSTEM` and `SECURITY` Registry hives locally to the `C:\Windows\Temp\` directory.^[2]^[3]
Enterprise	T1573	.001	Encrypted Channel: Symmetric Cryptography	Volt Typhoon has used a version of the Awen web shell that employed AES encryption and decryption for C2 communications.^[3]
Enterprise	T1190		Exploit Public-Facing Application	Volt Typhoon gained initial access through exploitation of CVE-2021-40539 in internet-facing ManageEngine ADSelfService Plus servers.^[3]
Enterprise	T1070	.004	Indicator Removal: File Deletion	Volt Typhoon has run `rd /S` to delete their working directories and files.^[3]
		.007	Indicator Removal: Clear Network Connection History and Configurations	Volt Typhoon have inspected server logs to remove their IPs.^[3]
Enterprise	T1570		Lateral Tool Transfer	Volt Typhoon has copied web shells between servers in targeted environments.^[3]
Enterprise	T1654		Log Enumeration	Volt Typhoon has used `wevtutil.exe` and the PowerShell command `Get-EventLog security` to enumerate Windows logs to search for successful logons.^[2]
Enterprise	T1036	.005	Masquerading: Match Legitimate Name or Location	Volt Typhoon has used legitimate looking filenames for compressed copies of the ntds.dit database and used names including cisco_up.exe, cl64.exe, vm3dservice.exe, watchdogd.exe, Win.exe, WmiPreSV.exe, and WmiPrvSE.exe for the Earthworm and Fast Reverse Proxy tools.^[2]^[3]
		.008	Masquerading: Masquerade File Type	Volt Typhoon has appended copies of the ntds.dit database with a .gif file extension.^[3]
Enterprise	T1588	.002	Obtain Capabilities: Tool	Volt Typhoon has used customized versions of open-source tools for C2.^[1]
Enterprise	T1003	.001	OS Credential Dumping: LSASS Memory	Volt Typhoon has attempted to access hashed credentials from the LSASS process memory space.^[1]
		.003	OS Credential Dumping: NTDS	Volt Typhoon has used ntds.util to create domain controller installation media containing usernames and password hashes.^[1]^[2]^[3]
Enterprise	T1069	.001	Permission Groups Discovery: Local Groups	Volt Typhoon has run `net localgroup administrators` in compromised environments to enumerate accounts.^[2]
		.002	Permission Groups Discovery: Domain Groups	Volt Typhoon has run `net group` in compromised environments to discover domain groups.^[3]
Enterprise	T1057		Process Discovery	Volt Typhoon has enumerated running processes on targeted systems.^[1]^[3]
Enterprise	T1090		Proxy	Volt Typhoon has used compromised devices and customized versions of open source tools such as Fast Reverse Proxy (FRP), Earthworm, and Impacket to proxy network traffic.^[1]^[2]
		.001	Internal Proxy	Volt Typhoon has used the built-in netsh `port proxy` command to create proxies on compromised systems to facilitate access.^[1]
Enterprise	T1012		Query Registry	Volt Typhoon has queried the Registry on compromised systems, `reg query hklm\software\`, for information on installed software.^[2]
Enterprise	T1018		Remote System Discovery	Volt Typhoon has used multiple methods, including Ping, to enumerate systems on compromised networks.^[1]^[3]
Enterprise	T1505	.003	Server Software Component: Web Shell	Volt Typhoon has used webshells, including ones named AuditReport.jspx and iisstart.aspx, in compromised environments.^[3]
Enterprise	T1518		Software Discovery	Volt Typhoon has queried the Registry on compromised systems for information on installed software.^[2]
Enterprise	T1082		System Information Discovery	Volt Typhoon has discovered file system types, drive names, size, and free space on compromised systems.^[1]^[2]^[3]
Enterprise	T1016		System Network Configuration Discovery	Volt Typhoon has executed multiple commands to enumerate network topology and settings including `ipconfig`, `netsh interface firewall show all`, and `netsh interface portproxy show all`.^[2]
Enterprise	T1049		System Network Connections Discovery	Volt Typhoon has used `netstat -ano` on compromised hosts to enumerate network connections.^[2]^[3]
Enterprise	T1033		System Owner/User Discovery	Volt Typhoon has executed the PowerShell command `Get-EventLog security -instanceid 4624` to identify associated user and computer account names.^[2]^[3]
Enterprise	T1078	.002	Valid Accounts: Domain Accounts	Volt Typhoon has used compromised domain accounts to authenticate to devices on compromised networks.^[1]^[3]
Enterprise	T1497	.001	Virtualization/Sandbox Evasion: System Checks	Volt Typhoon has run system checks to determine if they were operating in a virtualized environment.^[1]
Enterprise	T1047		Windows Management Instrumentation	Volt Typhoon has leveraged WMIC including for execution and remote system discovery.^[1]^[2]^[3]

Software

ID	Name	References	Techniques
S0160	certutil	^[3]	Archive Collected Data: Archive via Utility, Deobfuscate/Decode Files or Information, Ingress Tool Transfer, Subvert Trust Controls: Install Root Certificate
S0357	Impacket	^[1]^[2]	Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Network Sniffing, OS Credential Dumping: NTDS, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Steal or Forge Kerberos Tickets: Kerberoasting, System Services: Service Execution, Windows Management Instrumentation
S0100	ipconfig	^[2]	System Network Configuration Discovery
S0002	Mimikatz	^[2]	Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Authentication Certificates, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0039	Net	^[3]	Account Discovery: Domain Account, Account Discovery: Local Account, Create Account: Local Account, Create Account: Domain Account, Indicator Removal: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0108	netsh	^[1]^[2]	Event Triggered Execution: Netsh Helper DLL, Impair Defenses: Disable or Modify System Firewall, Proxy, Software Discovery: Security Software Discovery
S0104	netstat	^[3]	System Network Connections Discovery
S0359	Nltest	^[3]	Domain Trust Discovery, Remote System Discovery, System Network Configuration Discovery
S0097	Ping	^[1]	Remote System Discovery
S0096	Systeminfo	^[2]^[3]	System Information Discovery
S0057	Tasklist	^[2]^[3]	Process Discovery, Software Discovery: Security Software Discovery, System Service Discovery
S0645	Wevtutil	^[2]	Data from Local System, Impair Defenses: Disable Windows Event Logging, Indicator Removal: Clear Windows Event Logs

References

Counter Threat Unit Research Team. (2023, May 24). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations. Retrieved July 27, 2023.

Volt Typhoon

Associated Group Descriptions

Enterprise Layer

Techniques Used

Software

References