Volt Typhoon

Volt Typhoon is a stealthy state-sponsored APT group associated with the People’s Republic of China, targeting critical infrastructure organizations primarily in the United States.

The Origin of Volt Typhoon

Volt Typhoon is a state-sponsored advanced persistent threat (APT) group linked to the People’s Republic of China (PRC). Active since at least mid-2021, this APT is known for targeting critical infrastructure organizations across the United States. Its operations are characterized by stealthy, hands-on-keyboard tactics aimed at espionage and maintaining access for long-term data exfiltration. Volt Typhoon is part of China’s broader cyber espionage agenda, focusing on compromising strategic targets and evading detection by relying heavily on built-in Windows tools and living-off-the-land techniques.

Volt Typhoon's Targets

Countries targeted by Volt Typhoon

While its primary focus has been on the United States, Volt Typhoon’s activities are likely not limited geographically, given China’s global intelligence objectives. The group's operations aim to monitor and potentially exploit geopolitical adversaries.

Industries targeted by Volt Typhoon

Volt Typhoon focuses on industries of strategic importance, including telecommunications, manufacturing, utility providers, and critical infrastructure sectors like energy and transportation. These targets suggest a motivation to gather intelligence and potentially disrupt operations.

Volt Typhoon's victims

Although specific organizations are often undisclosed, Volt Typhoon has been observed compromising critical infrastructure entities and leveraging compromised systems for data collection. Their tactics suggest a focus on organizations that can yield valuable intelligence for national strategic advantages.

Volt Typhoon's Attack Method

Initial Access

Volt Typhoon exploits vulnerabilities in internet-facing devices, particularly small-office/home-office (SOHO) network equipment, to gain initial access. Techniques include password spraying and exploiting poorly secured remote management protocols.

Privilege Escalation

Once access is established, the group elevates privileges to obtain higher-level control over the compromised network. This often involves abusing legitimate credentials.

Defense Evasion

Volt Typhoon relies on living-off-the-land techniques, leaning heavily on built-in Windows tools such as PowerShell and Windows Management Instrumentation (WMI) rather than deploying malware, so that its activity blends into normal administrative traffic and evades detection.

Credential Access

The group harvests credentials using tools like Mimikatz and searches for sensitive information within compromised networks.

Discovery

The group uses built-in commands to identify system configurations, user accounts, and network topology, enabling lateral movement and further exploitation.

Lateral Movement

Volt Typhoon uses remote services and RDP to navigate through compromised systems while maintaining operational security.

Collection

Data of interest, such as email communications, sensitive files, and infrastructure-related information, is identified and collected.

Execution

In the execution phase the group runs scripts and commands to maintain persistence and achieve its operational goals.

Exfiltration

Collected data is exfiltrated over standard network protocols to blend with normal traffic and evade detection.

Impact

Volt Typhoon primarily focuses on long-term intelligence collection rather than immediate disruptive actions. However, its capabilities could enable future sabotage operations.
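As an added defender-side example (not from the original page or from Vectra AI), the following Python correlates constructed process-creation records against the living-off-the-land behaviours described above: a shell spawned from the WMI provider host (T1047), hidden or encoded PowerShell (T1059), and a burst of network and account discovery commands (T1016, T1087) on one host within a short window. The record fields, hostnames and command lines are assumed sample data, not real telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation records (Sysmon event 1 / Security 4688 style); not real telemetry.
FIELDS = ("ts", "host", "parent", "image", "cmdline")
EVENTS = [dict(zip(FIELDS, r)) for r in [
    ("2024-05-01T02:10:05", "ws-17", "WmiPrvSE.exe", "cmd.exe", "cmd.exe /c ipconfig /all"),
    ("2024-05-01T02:10:09", "ws-17", "cmd.exe", "net.exe", "net user /domain"),
    ("2024-05-01T02:10:14", "ws-17", "cmd.exe", "netstat.exe", "netstat -ano"),
    ("2024-05-01T02:11:02", "ws-17", "WmiPrvSE.exe", "powershell.exe",
     "powershell.exe -nop -w hidden -EncodedCommand ZQBjAGgAbwA="),
    ("2024-05-01T09:30:00", "ws-02", "explorer.exe", "cmd.exe", "cmd.exe /c ipconfig /all"),
]]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
PS_OBFUSCATED = re.compile(r"-(e|enc|encodedcommand)\b|-w(indowstyle)?\s+hidden", re.I)
DISCOVERY = {"T1016": re.compile(r"\b(ipconfig|netstat|arp|route)\b", re.I),             # network config
             "T1087": re.compile(r"\b(net1?\s+(user|group|localgroup)|whoami)\b", re.I)}  # accounts

def tag_event(ev):
    """Return the ATT&CK technique IDs from this profile that a single record matches."""
    tags = set()
    image, parent = ev["image"].lower(), ev["parent"].lower()
    if parent == "wmiprvse.exe" and image in SHELLS:
        tags.add("T1047")  # shell launched through the WMI provider host
    if image in {"powershell.exe", "pwsh.exe"} and PS_OBFUSCATED.search(ev["cmdline"]):
        tags.add("T1059")  # hidden or encoded PowerShell invocation
    tags |= {tid for tid, rx in DISCOVERY.items() if rx.search(ev["cmdline"])}
    return tags

def score_hosts(events, window=timedelta(minutes=10)):
    """Flag a host when WMI/PowerShell execution and >= 2 discovery commands fall inside one window."""
    per_host = defaultdict(list)
    for ev in events:
        per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), tag_event(ev)))
    alerts = {}
    for host, evs in per_host.items():
        evs.sort(key=lambda e: e[0])
        for i, (t0, _) in enumerate(evs):
            seen, discovery = set(), 0
            for t, tags in evs[i:]:
                if t - t0 > window:
                    break
                seen |= tags
                discovery += bool(tags & {"T1016", "T1087"})
            if seen & {"T1047", "T1059"} and discovery >= 2:
                alerts[host] = sorted(seen)
                break
    return alerts
```

Running `score_hosts(EVENTS)` flags only ws-17; the lone ipconfig on ws-02 is ordinary administration and stays below the threshold.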

MITRE ATT&CK Mapping

TTPs used by Volt Typhoon

TA0001: Initial Access
    T1078 Valid Accounts
TA0002: Execution
    T1203 Exploitation for Client Execution
    T1059 Command and Scripting Interpreter
    T1047 Windows Management Instrumentation
TA0003: Persistence
    T1078 Valid Accounts
TA0004: Privilege Escalation
    T1078 Valid Accounts
TA0005: Defense Evasion
    T1562 Impair Defenses
    T1078 Valid Accounts
TA0006: Credential Access
    T1003 OS Credential Dumping
TA0007: Discovery
    T1087 Account Discovery
    T1016 System Network Configuration Discovery
TA0008: Lateral Movement
    (no techniques listed)
TA0009: Collection
    (no techniques listed)
TA0011: Command and Control
    T1105 Ingress Tool Transfer
    T1071 Application Layer Protocol
TA0010: Exfiltration
    (no techniques listed)
TA0040: Impact
    (no techniques listed)