How Volt Typhoon Works and 4 Indicators You’ve Been Compromised
Volt Typhoon is a sophisticated cyber espionage group linked to China, known for stealthy, strategic attacks on U.S. critical infrastructure. The group relies on "living off the land" techniques: rather than deploying its own tooling, it abuses the legitimate administrative software and built-in utilities already present in the networks it targets. This makes its activity harder to detect and attribute and poses a significant challenge to traditional, signature-based defenses. Below are five techniques Volt Typhoon relies on, followed by four indicators of compromise (IoCs) to look for.
5 Techniques Employed by Volt Typhoon
It’s Not Malware
Volt Typhoon avoids custom malware that antivirus systems could fingerprint. Instead, it uses built-in administration tools such as PowerShell, Windows Management Instrumentation (WMI), and the Windows command line, an approach known as living off the land (LOTL). Because these tools are legitimate and used every day for network management, the attackers' commands blend in with routine administrative activity and leave no malicious binary on disk to scan for.
Credential Theft and Lateral Movement
Once inside a network, Volt Typhoon focuses on stealing credentials to move laterally across the network. This is often achieved through techniques such as pass-the-hash, pass-the-ticket, and exploiting weak or reused passwords. By gaining access to higher-privileged accounts, they can expand their reach within the network and access more sensitive systems.
Use of Small Office and Home Devices
To obscure its activities further, Volt Typhoon routes its traffic through compromised small office/home office (SOHO) network devices, such as routers and VPN appliances. Traffic then appears to originate from ordinary residential or small-business connections rather than from attacker-owned infrastructure, which makes it harder to trace operations back to their true source.
Data Exfiltration
The primary goal of Volt Typhoon is to gather intelligence. They exfiltrate data by using legitimate tools and protocols, making the traffic appear normal. This includes using tools like Rclone for transferring data to cloud storage services.
Persistence Mechanisms
To maintain long-term access to the compromised networks, Volt Typhoon employs various persistence mechanisms. These can include creating new user accounts with elevated privileges, modifying system configurations to allow remote access, and using scheduled tasks or services that execute their payloads.
4 Signs You Have Been Compromised
Detecting Volt Typhoon can be challenging due to their use of legitimate tools and evasion techniques. However, several indicators of compromise (IoCs) can help in identifying their presence:
1. Unusual Use of Administrative Tools:
Unexpected execution of PowerShell scripts and commands.
Abnormal WMI activity, especially related to lateral movement and remote code execution.
Unusual command line usage that deviates from normal administrative patterns.
2. Network Traffic Anomalies:
Connections to or from SOHO network devices (routers, VPN appliances) that are not part of the organization's infrastructure, especially devices or IP addresses that appear on published lists of compromised equipment.
Unexpected volumes of data sent to cloud storage services such as Dropbox, Google Drive, or Microsoft OneDrive, which can indicate exfiltration disguised as normal use.
3. Suspicious Authentication Activities:
Login attempts from unusual locations or IP addresses, especially those related to known compromised devices.
Multiple failed login attempts followed by a successful login from the same source, which can indicate a brute-force or credential stuffing attack that eventually found a working password.
4. Persistence Indicators:
New user accounts with elevated privileges that were not created through the usual administrative processes.
Unusual modifications to system configurations or the presence of new scheduled tasks that do not align with typical operations.
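The signs above (and the techniques they correspond to: LOTL tool use, credential theft, and persistence) can be turned into concrete hunts over Windows Security event logs. The following is an added example written for this article, not code from the original page or from any Volt Typhoon report. It runs three of the four checks over a constructed set of normalized Security events (assumed to have been collected by a SIEM agent): encoded PowerShell and remote WMI execution in process-creation events (4688), a burst of logon failures (4625) followed by a success (4624) from one source, and account creation (4720), privileged group membership (4732) and scheduled task creation (4698) by accounts outside an assumed provisioning list. The network-anomaly sign needs flow or proxy telemetry rather than host logs and is not covered here. Event IDs are the real Windows Security IDs; the sample events, hostnames, usernames and the `PROVISIONING_ACCOUNTS` set are all assumptions.

```python
"""Hunting for the indicator classes described above over Windows Security
events. All events below are constructed sample data, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample events. Assumption: a collector has normalized Security
# log records into dicts with the event ID, a timestamp and the key fields.
SAMPLE_EVENTS = [
    # 4688 process creation: hidden, encoded PowerShell and remote WMI execution
    {"id": 4688, "ts": "2024-05-01T02:10:00", "host": "SRV1", "user": "svc_backup",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A"},
    {"id": 4688, "ts": "2024-05-01T02:11:30", "host": "SRV1", "user": "svc_backup",
     "cmdline": 'wmic /node:10.0.0.7 process call create "cmd.exe /c whoami"'},
    # Ordinary interactive PowerShell use, included for contrast (should not fire)
    {"id": 4688, "ts": "2024-05-01T09:00:00", "host": "WS3", "user": "alice",
     "cmdline": "powershell.exe Get-ChildItem C:\\Reports"},
    # Five 4625 failures then a 4624 success from one source address
    *[{"id": 4625, "ts": f"2024-05-01T03:00:{i:02d}", "host": "DC1", "user": "jdoe",
       "src_ip": "203.0.113.9"} for i in range(0, 50, 10)],
    {"id": 4624, "ts": "2024-05-01T03:01:10", "host": "DC1", "user": "jdoe",
     "src_ip": "203.0.113.9"},
    # Persistence: new account, added to Administrators, then a new scheduled task
    {"id": 4720, "ts": "2024-05-01T03:05:00", "host": "DC1", "user": "jdoe",
     "target": "helpdesk2"},
    {"id": 4732, "ts": "2024-05-01T03:05:20", "host": "DC1", "user": "jdoe",
     "target": "helpdesk2", "group": "Administrators"},
    {"id": 4698, "ts": "2024-05-01T03:07:00", "host": "DC1", "user": "helpdesk2",
     "task": "\\Microsoft\\Windows\\UpdateOrchestrator\\Sync"},
]

# Assumption: the only accounts that legitimately create users and tasks here.
PROVISIONING_ACCOUNTS = {"svc_provision"}

# -e / -ec / -enc / -EncodedCommand all switch PowerShell to a base64 payload.
ENCODED_PS = re.compile(r"powershell(?:\.exe)?.*\s-(?:e|ec|enc|encodedcommand)\s", re.I)
# wmic with /node: targets a remote host; "process call create" runs a command there.
REMOTE_WMI = re.compile(r"wmic.*/node:.*process\s+call\s+create", re.I)


def ts(event):
    return datetime.fromisoformat(event["ts"])


def suspicious_admin_tools(events):
    """Sign 1: encoded PowerShell or WMI used for remote code execution."""
    hits = []
    for e in events:
        if e["id"] != 4688:
            continue
        cmd = e.get("cmdline", "")
        if ENCODED_PS.search(cmd):
            hits.append((e["host"], e["user"], "encoded PowerShell"))
        elif REMOTE_WMI.search(cmd):
            hits.append((e["host"], e["user"], "remote WMI process create"))
    return hits


def failed_then_success(events, min_failures=3, window=timedelta(minutes=10)):
    """Sign 3: at least min_failures logon failures from one source inside the
    window, followed by a successful logon from that same source."""
    failures = defaultdict(list)
    hits = []
    for e in sorted(events, key=ts):
        if e["id"] == 4625:
            failures[e["src_ip"]].append(ts(e))
        elif e["id"] == 4624:
            recent = [t for t in failures[e.get("src_ip")] if ts(e) - t <= window]
            if len(recent) >= min_failures:
                hits.append((e["src_ip"], e["user"], len(recent)))
    return hits


def persistence_indicators(events):
    """Sign 4: accounts created outside the provisioning process, those accounts
    gaining Administrators membership, and scheduled tasks they register."""
    hits = []
    new_accounts = set()
    for e in sorted(events, key=ts):
        if e["id"] == 4720 and e["user"] not in PROVISIONING_ACCOUNTS:
            new_accounts.add(e["target"])
            hits.append(("account created outside provisioning", e["target"], e["user"]))
        elif e["id"] == 4732 and e.get("group") == "Administrators" and e["target"] in new_accounts:
            hits.append(("new account added to Administrators", e["target"], e["user"]))
        elif e["id"] == 4698 and e["user"] in new_accounts:
            hits.append(("scheduled task created by new account", e["task"], e["user"]))
    return hits


if __name__ == "__main__":
    for check in (suspicious_admin_tools, failed_then_success, persistence_indicators):
        for hit in check(SAMPLE_EVENTS):
            print(check.__name__, hit)
```

The thresholds and the provisioning allow-list are the tuning knobs: a real deployment would baseline which accounts and hosts normally run encoded PowerShell or WMI remotely and suppress those, since an alert that fires on every legitimate admin script is one that gets ignored.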
Known IoCs from Security Reports:
Your managed security provider can pull the specific IP addresses, domain names, and file hashes associated with known Volt Typhoon activity, as documented by cybersecurity firms and government agencies, and load them into your monitoring tools.
We Can Help Protect Your Home and Office
For more information, or to find out how you protect your home/office from being used or targeted by Volt Typhoon actors, contact Trusted Internet at staysafeonline@trustedinternet.io.