Volt Typhoon

Volt Typhoon is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021, primarily targeting critical infrastructure organizations in the US and its territories, including Guam. Volt Typhoon's targeting and pattern of behavior have been assessed as pre-positioning to enable lateral movement to operational technology (OT) assets for potential destructive or disruptive attacks. Volt Typhoon has emphasized stealth in operations, using web shells, living-off-the-land (LOTL) binaries, hands-on-keyboard activity, and stolen credentials.[1][2][3][4]

ID: G1017
Associated Groups: BRONZE SILHOUETTE, Vanguard Panda, DEV-0391, UNC3236, Voltzite, Insidious Taurus
Contributors: Phyo Paing Htun (ChiLai), I-Secure Co.,Ltd; Ai Kimura, NEC Corporation; Manikantan Srinivasan, NEC Corporation India; Pooja Natarajan, NEC Corporation India
Version: 2.0
Created: 27 July 2023
Last Modified: 21 May 2024

Associated Group Descriptions

Name Description
BRONZE SILHOUETTE [4][1]
Vanguard Panda [1]
DEV-0391 [1]
UNC3236 [1]
Voltzite [1]
Insidious Taurus [1]

Campaigns

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

Volt Typhoon has leveraged WMIC for execution, remote system discovery, and to create and use temporary directories.[2][3][4][1]

Enterprise T1546 Event Triggered Execution

KV Botnet Activity involves managing events on victim systems via libevent to execute a callback function when any running process contains the following references in their path without also having a reference to bioset: busybox, wget, curl, tftp, telnetd, or lua. If the bioset string is not found, the related process is terminated.[5]

Enterprise T1555 Credentials from Password Stores

Volt Typhoon has attempted to obtain credentials from OpenSSH, realvnc, and PuTTY.[3]

.003 Credentials from Web Browsers

Volt Typhoon has targeted network administrator browser data including browsing history and stored credentials.[1]

Enterprise T1005 Data from Local System

Volt Typhoon has stolen files from a sensitive file server and the Active Directory database from targeted environments, and used Wevtutil to extract event log information.[3][4][1]

Enterprise T1090 Proxy

Volt Typhoon has used compromised devices and customized versions of open source tools such as FRP (Fast Reverse Proxy), Earthworm, and Impacket to proxy network traffic.[2][3][1]

.001 Internal Proxy

Volt Typhoon has used the built-in netsh port proxy command to create proxies on compromised systems to facilitate access.[2][1]

.003 Multi-hop Proxy

Volt Typhoon has used multi-hop proxies for command-and-control infrastructure.[1]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

KV Botnet Activity installation steps include first identifying, then stopping, any process containing [kworker/0:1], then renaming its initial installation stage to this process name.[5]

.005 Masquerading: Match Legitimate Name or Location

Volt Typhoon has used legitimate looking filenames for compressed copies of the ntds.dit database and used names including cisco_up.exe, cl64.exe, vm3dservice.exe, watchdogd.exe, Win.exe, WmiPreSV.exe, and WmiPrvSE.exe for the Earthworm and Fast Reverse Proxy tools.[3][4][1]

.008 Masquerading: Masquerade File Type

Volt Typhoon has appended copies of the ntds.dit database with a .gif file extension.[4]
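A defender-side check for the .gif masquerade described above, added here as an example and not taken from the ATT&CK page or any cited report: it flags files carrying a .gif extension whose header is an Extensible Storage Engine (ESE) database, the on-disk format of ntds.dit. The directory tree and file bytes are constructed in the demo; only the ESE signature and GIF magic are real format facts.

```python
"""Flag .gif files whose content is an ESE database (the ntds.dit format)."""
from pathlib import Path
import tempfile

GIF_MAGICS = (b"GIF87a", b"GIF89a")
# ESE database header: 4-byte checksum, then the signature 0x89ABCDEF
# stored little-endian, i.e. bytes EF CD AB 89 at offset 4.
ESE_MAGIC_OFFSET = 4
ESE_MAGIC = b"\xef\xcd\xab\x89"


def classify_header(header: bytes) -> str:
    """Return 'gif', 'ese' or 'unknown' for the first bytes of a file."""
    if header.startswith(GIF_MAGICS):
        return "gif"
    if header[ESE_MAGIC_OFFSET:ESE_MAGIC_OFFSET + 4] == ESE_MAGIC:
        return "ese"
    return "unknown"


def find_masqueraded_ese(root: Path) -> list[Path]:
    """Walk root and return every *.gif whose header says ESE, not GIF."""
    hits = []
    for path in root.rglob("*.gif"):
        with path.open("rb") as fh:
            head = fh.read(16)  # enough for both signatures
        if classify_header(head) == "ese":
            hits.append(path)
    return sorted(hits)


def demo() -> list[str]:
    """Constructed tree: one genuine GIF header, one ESE header named .gif."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "logo.gif").write_bytes(b"GIF89a" + b"\x00" * 10)
        (root / "Temp").mkdir()
        # constructed: dummy checksum + ESE signature + padding
        fake = b"\x00\x00\x00\x00" + ESE_MAGIC + b"\x00" * 8
        (root / "Temp" / "report.gif").write_bytes(fake)
        return [p.name for p in find_masqueraded_ese(root)]


if __name__ == "__main__":
    print(demo())
```

Pointing find_masqueraded_ese at C:\Windows\Temp or another staging location covers the behaviour this entry and the Local Data Staging entry describe; a hit should be treated as a credential-database exfiltration indicator.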

Enterprise T1112 Modify Registry

Volt Typhoon has used netsh to create a PortProxy Registry modification on a compromised server running the Paessler Router Traffic Grapher (PRTG).[1]

Enterprise T1190 Exploit Public-Facing Application

Volt Typhoon has gained initial access through exploitation of multiple vulnerabilities in internet-facing software and appliances such as Fortinet, Ivanti (formerly Pulse Secure), NETGEAR, Citrix, and Cisco.[4][1]

Versa Director Zero Day Exploitation involved exploitation of a vulnerability in Versa Director servers, since identified as CVE-2024-39717, for initial access and code execution.[7]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Volt Typhoon has used a version of the Awen web shell that employed AES encryption and decryption for C2 communications.[4]

.002 Encrypted Channel: Asymmetric Cryptography

Versa Director Zero Day Exploitation used HTTPS for command and control of compromised Versa Director servers.[7]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Volt Typhoon has used PowerShell including for remote system discovery.[2][3][1]

.003 Command and Scripting Interpreter: Windows Command Shell

Volt Typhoon has used the Windows command line to perform hands-on-keyboard activities in targeted environments including for discovery.[2][3][4][1]

.004 Command and Scripting Interpreter: Unix Shell

Volt Typhoon has used Brightmetricagent.exe, which contains a command-line interface (CLI) library that can leverage command shells including Z Shell (zsh).[1]

KV Botnet Activity utilizes multiple Bash scripts during botnet installation stages, and the final botnet payload allows for running commands in the Bash shell.[5]

Enterprise T1584 .003 Compromise Infrastructure: Virtual Private Server

Volt Typhoon has compromised Virtual Private Servers (VPS) to proxy C2 traffic.[1]

.004 Compromise Infrastructure: Server

Volt Typhoon has used compromised Paessler Router Traffic Grapher (PRTG) servers from other organizations for C2.[4][1]

.005 Compromise Infrastructure: Botnet

Volt Typhoon has used compromised Cisco and NETGEAR end-of-life SOHO routers implanted with KV Botnet malware to support operations.[1]

.008 Compromise Infrastructure: Network Devices

Volt Typhoon has compromised small office and home office (SOHO) network edge devices, many of which were located in the same geographic area as the victim, to proxy network traffic.[2][3]

Versa Director Zero Day Exploitation used compromised small office/home office (SOHO) devices to interact with vulnerable Versa Director servers.[7]

KV Botnet Activity focuses on compromise of small office-home office (SOHO) network devices to build the subsequent botnet.[5]

Enterprise T1120 Peripheral Device Discovery

Volt Typhoon has obtained victim's screen dimension and display device information.[1]

Enterprise T1133 External Remote Services

Volt Typhoon has used VPNs to connect to victim environments and enable post-exploitation actions.[1]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

KV Botnet Activity used various scripts to remove or disable security tools, such as http_watchdog and firewallsd, as well as tools related to other botnet infections, such as mips_ff, on victim devices.[5]

Enterprise T1113 Screen Capture

Volt Typhoon has obtained a screenshot of the victim's system using the gdi32.dll and gdiplus.dll libraries.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Versa Director Zero Day Exploitation established HTTPS communications from adversary-controlled SOHO devices over port 443 with compromised Versa Director servers.[7]

Enterprise T1010 Application Window Discovery

Volt Typhoon has collected window title information from compromised systems.[1]

Enterprise T1587 .001 Develop Capabilities: Malware

Versa Director Zero Day Exploitation involved the development of a new web shell variant, VersaMem.[7]

.004 Develop Capabilities: Exploits

Volt Typhoon has exploited zero-day vulnerabilities for initial access.[1]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Volt Typhoon has archived the ntds.dit database as a multi-volume password-protected archive with 7-Zip.[4][1]

Enterprise T1594 Search Victim-Owned Websites

Volt Typhoon has conducted pre-compromise reconnaissance on victim-owned sites.[1]

Enterprise T1596 .005 Search Open Technical Databases: Scan Databases

Volt Typhoon has used FOFA, Shodan, and Censys to search for exposed victim infrastructure.[1]

Enterprise T1593 Search Open Websites/Domains

Volt Typhoon has conducted pre-compromise web searches for victim information.[1]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Volt Typhoon has attempted to access hashed credentials from the LSASS process memory space.[2][1]

.003 OS Credential Dumping: NTDS

Volt Typhoon has used ntdsutil to create domain controller installation media containing usernames and password hashes.[2][3][4][1]

Enterprise T1592 Gather Victim Host Information

Volt Typhoon has conducted pre-compromise reconnaissance for victim host information.[1]

Enterprise T1591 Gather Victim Org Information

Volt Typhoon has conducted extensive reconnaissance pre-compromise to gain information about the targeted organization.[1]

.004 Identify Roles

Volt Typhoon has identified key network and IT staff members pre-compromise at targeted organizations.[1]

Enterprise T1590 Gather Victim Network Information

Volt Typhoon has conducted extensive pre-compromise reconnaissance to learn about the target organization’s network.[1]

.004 Network Topology

Volt Typhoon has conducted extensive reconnaissance of victim networks including identifying network topologies.[1]

.006 Network Security Appliances

Volt Typhoon has identified target network security measures as part of pre-compromise reconnaissance.[1]

Enterprise T1589 Gather Victim Identity Information

Volt Typhoon has gathered victim identity information during pre-compromise reconnaissance.[1]

.002 Email Addresses

Volt Typhoon has targeted the personal emails of key network and IT staff at victim organizations.[1]

Enterprise T1074 Data Staged

Volt Typhoon has staged collected data in password-protected archives.[2]

.001 Local Data Staging

Volt Typhoon has saved stolen files including the ntds.dit database and the SYSTEM and SECURITY Registry hives locally to the C:\Windows\Temp\ directory.[3][4]

Enterprise T1083 File and Directory Discovery

Volt Typhoon has enumerated directories containing vulnerability testing and cyber related content and facilities data such as construction drawings.[1]

KV Botnet Activity gathers a list of filenames from the following locations during execution of the final botnet stage: /usr/sbin/, /usr/bin/, /sbin/, /pfrm2.0/bin/, /usr/local/bin/.[5]

Enterprise T1222 .002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification

KV Botnet Activity altered permissions on downloaded tools and payloads to enable execution on victim machines.[5]

Enterprise T1654 Log Enumeration

Volt Typhoon has used wevtutil.exe and the PowerShell command Get-EventLog security to enumerate Windows logs to search for successful logons.[3][1]

Enterprise T1078 Valid Accounts

Volt Typhoon relies primarily on valid credentials for persistence.[1]

.002 Domain Accounts

Volt Typhoon has used compromised domain accounts to authenticate to devices on compromised networks.[2][4][1]

Enterprise T1505 .003 Server Software Component: Web Shell

Volt Typhoon has used webshells, including ones named AuditReport.jspx and iisstart.aspx, in compromised environments.[4]

Versa Director Zero Day Exploitation resulted in the deployment of the VersaMem web shell for follow-on activity.[7]

Enterprise T1552 Unsecured Credentials

Volt Typhoon has obtained credentials insecurely stored on targeted network appliances.[1]

.004 Private Keys

Volt Typhoon has accessed a Local State file that contains the AES key used to encrypt passwords stored in the Chrome browser.[1]

Enterprise T1068 Exploitation for Privilege Escalation

Volt Typhoon has gained initial access by exploiting privilege escalation vulnerabilities in the operating system or network services.[1]

Enterprise T1069 Permission Groups Discovery

Volt Typhoon has used commercial tools, LOTL utilities, and appliances already present on the system for group and user discovery.[1]

.001 Local Groups

Volt Typhoon has run net localgroup administrators in compromised environments to enumerate accounts.[3]

.002 Domain Groups

Volt Typhoon has run net group in compromised environments to discover domain groups.[4]

Enterprise T1012 Query Registry

Volt Typhoon has queried the Registry on compromised systems, reg query hklm\software\, for information on installed software including PuTTY.[3][1]

Enterprise T1570 Lateral Tool Transfer

Volt Typhoon has copied web shells between servers in targeted environments.[4]

Enterprise T1217 Browser Information Discovery

Volt Typhoon has targeted the browsing history of network administrators.[1]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Volt Typhoon has used the Ultimate Packer for Executables (UPX) to obfuscate the FRP client files BrightmetricAgent.exe and SMSvcService.exe and the port scanning utility ScanLine.[1]

Enterprise T1006 Direct Volume Access

Volt Typhoon has executed the Windows-native vssadmin command to create volume shadow copies.[1]

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

Volt Typhoon has selectively cleared Windows Event Logs, system logs, and other technical artifacts to remove evidence of intrusion activity.[1]

.004 Indicator Removal: File Deletion

Volt Typhoon has run rd /S to delete their working directories and deleted systeminfo.dat from C:\Users\Public\Documents.[4][1]

KV Botnet Activity removes on-disk copies of tools and other artifacts after the primary botnet payload has been loaded into memory on the victim device.[5]

.007 Indicator Removal: Clear Network Connection History and Configurations

Volt Typhoon has inspected server logs to remove their IPs.[4]

Enterprise T1218 System Binary Proxy Execution

Volt Typhoon has used native tools and processes including living off the land binaries or "LOLBins" to maintain and expand access to the victim networks.[1]

Enterprise T1614 System Location Discovery

Volt Typhoon has obtained the victim's system current location.[1]

Enterprise T1082 System Information Discovery

Volt Typhoon has discovered file system types, drive names, size, and free space on compromised systems.[2][3][4][1]

KV Botnet Activity includes use of native system tools, such as uname, to obtain information about victim device architecture, as well as gathering other system information such as the victim's hosts file and CPU utilization.[5]

Enterprise T1033 System Owner/User Discovery

Volt Typhoon has used public tools and executed the PowerShell command Get-EventLog security -instanceid 4624 to identify associated user and computer account names.[3][4][1]

Enterprise T1124 System Time Discovery

Volt Typhoon has obtained the victim's system timezone.[1]

Enterprise T1007 System Service Discovery

Volt Typhoon has used net start to list running services.[1]

Enterprise T1049 System Network Connections Discovery

Volt Typhoon has used netstat -ano on compromised hosts to enumerate network connections.[3][4]

Enterprise T1016 System Network Configuration Discovery

Volt Typhoon has executed multiple commands to enumerate network topology and settings including ipconfig, netsh interface firewall show all, and netsh interface portproxy show all.[3]

KV Botnet Activity gathers victim IP information during initial installation stages.[5]

.001 Internet Connection Discovery

Volt Typhoon has employed Ping to check network connectivity.[1]

Enterprise T1046 Network Service Discovery

Volt Typhoon has used commercial tools, LOTL utilities, and appliances already present on the system for network service discovery.[1]

Enterprise T1583 .003 Acquire Infrastructure: Virtual Private Server

KV Botnet Activity used acquired Virtual Private Servers as control systems for devices infected with KV Botnet malware.[5]

Enterprise T1588 .002 Obtain Capabilities: Tool

Volt Typhoon has used legitimate network and forensic tools and customized versions of open-source tools for C2.[2][1]

.006 Obtain Capabilities: Vulnerabilities

Volt Typhoon has used publicly available exploit code for initial access.[1]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

Volt Typhoon has run system checks to determine if they were operating in a virtualized environment.[2]

Enterprise T1087 .001 Account Discovery: Local Account

Volt Typhoon has executed net user and quser to enumerate local account information.[1]

.002 Account Discovery: Domain Account

Volt Typhoon has run net group /dom and net group "Domain Admins" /dom in compromised environments for account discovery.[3][4]

Enterprise T1518 Software Discovery

Volt Typhoon has queried the Registry on compromised systems for information on installed software.[3][1]

.001 Security Software Discovery

KV Botnet Activity involved removal of security tools, as well as other identified IOT malware, from compromised devices.[5]

Enterprise T1105 Ingress Tool Transfer

Volt Typhoon has downloaded an outdated version of comsvcs.dll to a compromised domain controller in a non-standard folder.[1]

KV Botnet Activity included the use of scripts to download additional payloads when compromising network nodes.[5]

Enterprise T1056 .001 Input Capture: Keylogging

Volt Typhoon has created and accessed a file named rult3uil.log on compromised domain controllers to capture keypresses and command execution.[1]

Enterprise T1057 Process Discovery

Volt Typhoon has enumerated running processes on targeted systems including through the use of Tasklist.[2][4][1]

Scripts associated with KV Botnet Activity initial deployment can identify processes related to security tools and other botnet families for follow-on disabling during installation.[5]

Enterprise T1055 .009 Process Injection: Proc Memory

KV Botnet Activity final payload installation includes mounting and binding to the /proc/ filepath on the victim system to enable subsequent operation in memory while also removing on-disk artifacts.[5]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Volt Typhoon has moved laterally to the Domain Controller via RDP using a compromised account with domain administrator privileges.[1]

Enterprise T1018 Remote System Discovery

Volt Typhoon has used multiple methods, including Ping, to enumerate systems on compromised networks.[2][4]

Enterprise T1095 Non-Application Layer Protocol

Versa Director Zero Day Exploitation used a non-standard TCP session to initialize communication prior to establishing HTTPS command and control.[7]

KV Botnet Activity command and control traffic uses a non-standard, likely custom protocol for communication.[5]

Enterprise T1571 Non-Standard Port

KV Botnet Activity generates a random port number greater than 30,000 to serve as the listener for subsequent command and control activity.[5]
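Because nearly every Windows entry above is a native command (netsh portproxy, ntdsutil, Get-EventLog, rd /S), a process-creation triage that matches those command lines is the practical detection. The script below is an added example, not code from the ATT&CK page or its cited reports; it assumes a simple "ts|host|user|cmdline" record layout, and the sample records are constructed, not real telemetry.

```python
"""Triage process-creation records for the LOTL command lines this page lists."""
import re

# (ATT&CK technique ID from the page, label, case-insensitive regex)
RULES = [
    ("T1090.001", "netsh portproxy rule added",
     r"\bnetsh\b.*\binterface\b.*\bportproxy\b.*\badd\b"),
    ("T1003.003", "ntdsutil install-from-media (NTDS copy)",
     r"\bntdsutil\b.*\bifm\b"),
    ("T1006", "vssadmin shadow copy creation",
     r"\bvssadmin\b.*\bcreate\b.*\bshadow\b"),
    ("T1654", "PowerShell security log enumeration",
     r"get-eventlog\s+security"),
    ("T1087.002", "Domain Admins group enumeration",
     r"\bnet\s+group\b.*domain admins.*/dom"),
    ("T1070.004", "recursive working-directory deletion",
     r"\brd\s+/s\b"),
]
COMPILED = [(tid, label, re.compile(rx, re.IGNORECASE)) for tid, label, rx in RULES]


def match_command(cmdline: str) -> list[str]:
    """Return the technique IDs whose pattern matches one command line."""
    return [tid for tid, _, rx in COMPILED if rx.search(cmdline)]


def triage(records: list[str]) -> list[tuple[str, str, str]]:
    """Parse 'ts|host|user|cmdline' records; return (host, technique, cmdline) hits."""
    hits = []
    for rec in records:
        parts = rec.split("|", 3)
        if len(parts) != 4:
            continue  # skip malformed records instead of aborting the run
        _, host, _, cmd = parts
        for tid in match_command(cmd):
            hits.append((host, tid, cmd))
    return hits


# Constructed sample records (assumed layout, not real telemetry).
SAMPLE_LOG = [
    "2024-05-01T02:11:09Z|DC01|CORP\\svc_backup|ntdsutil.exe ifm create full C:\\Windows\\Temp\\pro q q",
    "2024-05-01T02:13:41Z|PRTG01|SYSTEM|netsh interface portproxy add v4tov4 listenport=9999 connectport=8443 connectaddress=10.0.0.5",
    "2024-05-01T02:15:00Z|WS07|CORP\\jdoe|ipconfig /all",
    "2024-05-01T02:16:30Z|DC01|CORP\\svc_backup|powershell Get-EventLog security -instanceid 4624",
    "2024-05-01T02:20:12Z|DC01|CORP\\svc_backup|cmd.exe /c rd /S /Q C:\\Windows\\Temp\\pro",
]

if __name__ == "__main__":
    for host, tid, cmd in triage(SAMPLE_LOG):
        print(f"{host}: {tid} <- {cmd}")
```

Single commands such as ipconfig are deliberately not rules on their own; the value comes from several hits clustering on one host and account in a short window, as the DC01 records show.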

Software

ID Name References Techniques
S0160 certutil [4][1] Deobfuscate/Decode Files or Information, Archive Collected Data: Archive via Utility, Ingress Tool Transfer, Subvert Trust Controls: Install Root Certificate
S0106 cmd [1] Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, Lateral Tool Transfer, Indicator Removal: File Deletion, System Information Discovery, Ingress Tool Transfer
S1144 FRP [2][3] Proxy, Proxy: Multi-hop Proxy, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Protocol Tunneling, Command and Scripting Interpreter: JavaScript, Application Layer Protocol: Web Protocols, System Network Connections Discovery, Network Service Discovery, Non-Application Layer Protocol
S0357 Impacket [2][3][1] Windows Management Instrumentation, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, OS Credential Dumping: NTDS, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Ccache Files, System Services: Service Execution, Network Sniffing
S0100 ipconfig [3] System Network Configuration Discovery
S0002 Mimikatz [3][1] Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, Rogue Domain Controller, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket, Boot or Logon Autostart Execution: Security Support Provider, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Unsecured Credentials: Private Keys, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Authentication Certificates, Access Token Manipulation: SID-History Injection, Account Manipulation
S0039 Net [4][1] Create Account: Local Account, Create Account: Domain Account, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Indicator Removal: Network Share Connection Removal, System Time Discovery, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, Network Share Discovery, Account Discovery: Domain Account, Account Discovery: Local Account, Account Manipulation: Additional Local or Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery
S0108 netsh [2][3][1] Event Triggered Execution: Netsh Helper DLL, Proxy, Impair Defenses: Disable or Modify System Firewall, Software Discovery: Security Software Discovery
S0104 netstat [4][1] System Network Connections Discovery
S0359 Nltest [4][1] Domain Trust Discovery, System Network Configuration Discovery, Remote System Discovery
S0097 Ping [2][1] Remote System Discovery
S0029 PsExec [1] Create or Modify System Process: Windows Service, Create Account: Domain Account, Lateral Tool Transfer, System Services: Service Execution, Remote Services: SMB/Windows Admin Shares
S0075 Reg [1] Modify Registry, Unsecured Credentials: Credentials in Registry, Query Registry
S0096 Systeminfo [3][4][1] System Information Discovery
S0057 Tasklist [3][4][1] System Service Discovery, Software Discovery: Security Software Discovery, Process Discovery
S1154 VersaMem VersaMem was used by Volt Typhoon as part of Versa Director Zero Day Exploitation.[7] Shared Modules, Command and Scripting Interpreter, Exploitation for Client Execution, Data Staged: Local Data Staging, Obfuscated Files or Information: Encrypted/Encoded File, Indicator Removal: File Deletion, Network Sniffing, Input Capture: Credential API Hooking
S0645 Wevtutil [3][1] Data from Local System, Impair Defenses: Disable Windows Event Logging, Indicator Removal: Clear Windows Event Logs

References