In the ever-evolving landscape of cybersecurity in 2023, the activities of state-sponsored Advanced Persistent Threat (APT) groups have become a significant area of focus. Among these, the Chinese APT group known as Volt Typhoon (alias: VANGUARD PANDA) has been identified as a key player. This group has been systematically linked to a series of cyber-attacks, specifically targeting critical infrastructure in the United States and other Western nations.
In the wake of escalating geopolitical tensions, the activities of Volt Typhoon have taken on a new urgency. The group’s focus on critical infrastructure – from power grids to water treatment facilities – has raised the stakes in the global cybersecurity arena. The potential for significant disruption and damage is real, and the need for robust cyber defenses has never been more critical.
This blog post aims to shed light on the tactics, techniques, and procedures (TTPs) employed by Volt Typhoon, as well as the Indicators of Compromise (IOCs) associated with their cyber-attacks. We will also explore the broader context of cyber warfare, drawing on recent events in Russia and Ukraine to highlight potential future threats.
By understanding the strategies of groups like Volt Typhoon, we can better prepare and protect our critical infrastructure against these evolving threats. So, let’s delve into the world of Volt Typhoon and uncover the secrets of this formidable Chinese APT group.
The Volt Typhoon APT
The Volt Typhoon APT is a state-sponsored group, believed to be operating out of China. The group has been active since mid-2021 and has been targeting critical infrastructure sectors in the US, including IT, Energy, Healthcare and Public Health, Communications, and Critical Manufacturing.
The group’s modus operandi relies on ‘Living off the Land’ techniques: using legitimate tools and processes already present in the target environment to maintain anonymity and evade detection. This approach makes it challenging to detect and mitigate the threat posed by the group.
Indicators of Compromise (IOCs)
Several IOCs have been associated with the Volt Typhoon APT. These include the use of PowerShell scripts, scheduled tasks, and WMI for persistence, along with the abuse of cloud storage services for data exfiltration. The group has also been known to use a variety of malware, including custom backdoors and publicly available tools.
The group has been observed using compromised Small-Office Home-Office (SOHO) devices (e.g. routers) to obfuscate the source of the activity. The most common device types include ASUS, Cisco RV, Draytek Vigor, FatPipe IPVPN/MPVPN/WARP, Fortinet Fortigate, Netgear Prosafe, and Zyxel USG devices. The group has also been observed exploiting vulnerabilities in widely used software including, but not limited to:
- CVE-2021-40539: ManageEngine ADSelfService Plus (CISA Advisory)
- CVE-2021-27860: FatPipe WARP, IPVPN, MPVPN (IC3 Advisory)
Indicators of Compromise (IOCs):
- SHA256 Hash: f4dd44bc19c19056794d29151a5b1bb76afd502388622e24c863a8494af147dd
  - Description: EarthWorm EK variant
  - Filename: N/A
  - Purpose: Used for initial access and lateral movement
- SHA256 Hash: ef09b8ff86c276e9b475a6ae6b54f08ed77e09e169f7fc0872eb1d427ee27d31
  - Description: Customized version of Impacket’s Wmiexec
  - Filename: N/A
  - Purpose: Used for lateral movement and execution of commands
- SHA256 Hash: d6ebde42457fe4b2a927ce53fc36f465f0000da931cfab9b79a36083e914ceca
  - Description: Customized version of Fast Reverse Proxy (frp)
  - Filename: N/A
  - Purpose: Used for command and control communication
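The three file hashes above can be turned into a simple host sweep. The script below is an added example, not code from the original post or from any vendor report; the function names (`sha256_file`, `sweep`) are illustrative, and only the hash values and descriptions come from this page.

```python
import hashlib
import os
import sys

# SHA-256 values and descriptions exactly as listed in this post.
VOLT_TYPHOON_SHA256 = {
    "f4dd44bc19c19056794d29151a5b1bb76afd502388622e24c863a8494af147dd":
        "EarthWorm EK variant",
    "ef09b8ff86c276e9b475a6ae6b54f08ed77e09e169f7fc0872eb1d427ee27d31":
        "Customized version of Impacket's Wmiexec",
    "d6ebde42457fe4b2a927ce53fc36f465f0000da931cfab9b79a36083e914ceca":
        "Customized version of Fast Reverse Proxy (frp)",
}

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so large binaries do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def sweep(root, iocs=VOLT_TYPHOON_SHA256):
    """Return (hits, unreadable); hits are (path, sha256, description)."""
    hits, unreadable = [], []
    for dirpath, _dirs, files in os.walk(
            root, onerror=lambda err: unreadable.append(err.filename)):
        for name in files:
            path = os.path.join(dirpath, name)
            # Skip symlinks and special files (FIFOs, sockets, devices).
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digest = sha256_file(path)
            except OSError:
                # Record the gap so the analyst knows coverage is incomplete.
                unreadable.append(path)
                continue
            if digest in iocs:
                hits.append((path, digest, iocs[digest]))
    return hits, unreadable

if __name__ == "__main__":
    found, skipped = sweep(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, digest, description in found:
        print(f"MATCH {digest} {description}: {path}")
    print(f"{len(found)} match(es), {len(skipped)} unreadable path(s)")
```

Because the group leans on living-off-the-land tooling, an empty result only rules out these three specific binaries.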
Tactics, Techniques, and Procedures (TTPs):
- T1560.001 – Archive Collected Data: Archive via Custom Method
- T1071.001 – Application Layer Protocol: Web Protocols
- T1573.002 – Encrypted Channel: Asymmetric Cryptography
- T1027 – Obfuscated Files or Information
- T1055.012 – Process Injection: Process Hollowing
- T1059.003 – Command and Scripting Interpreter: Windows Command Shell
- T1059.001 – Command and Scripting Interpreter: PowerShell
- T1569.002 – System Services: Service Execution
- T1105 – Ingress Tool Transfer
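Since the tooling above runs commands through legitimate Windows components, process lineage is a more durable signal than file hashes. The following is an added example, not code from the original post: it flags command shells whose parent is the WMI provider host (`WmiPrvSE.exe`) or the Service Control Manager (`services.exe`) and tags them with technique IDs from the list above. The Sysmon-style field names (`Image`, `ParentImage`, `CommandLine`, `Computer`) and the sample events are assumptions constructed for illustration.

```python
import ntpath

# ATT&CK IDs below are the ones listed in this post.
SHELLS = {"cmd.exe": "T1059.003", "powershell.exe": "T1059.001"}
SUSPECT_PARENTS = {
    "wmiprvse.exe": ("shell started through WMI", None),
    "services.exe": ("shell started as a service", "T1569.002"),
}

def _name(path):
    """Lower-cased file name of a Windows path; tolerates missing fields."""
    return ntpath.basename(path or "").lower()

def classify(event):
    """Return an alert dict for a suspicious parent/child pair, else None."""
    child, parent = _name(event.get("Image")), _name(event.get("ParentImage"))
    if child not in SHELLS or parent not in SUSPECT_PARENTS:
        return None
    reason, extra = SUSPECT_PARENTS[parent]
    return {
        "host": event.get("Computer", "unknown"),
        "reason": reason,
        "techniques": [SHELLS[child]] + ([extra] if extra else []),
        "command_line": event.get("CommandLine", ""),
    }

def detect(events):
    """Classify every event and keep only the alerts."""
    return [alert for alert in map(classify, events) if alert]

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "ws01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
    {"Computer": "srv02", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c hostname"},
    {"Computer": "srv03", "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c hostname"},
    {"Computer": "srv04", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},  # ParentImage missing from the record
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Management and inventory software can produce the same lineage, so baseline which hosts and accounts normally do this before alerting on it.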
CVEs commonly exploited by this threat actor:
- Apache Log4j (CVE-2021-44228) (NVD): This is a critical remote code execution vulnerability.
- Pulse Connect Secure (CVE-2019-11510) (NVD): This is a critical arbitrary file read vulnerability.
- GitLab CE/EE (CVE-2021-22205) (NVD): This is a critical remote code execution vulnerability.
- Atlassian Confluence Server and Data Center (CVE-2022-26134) (NVD): This is a critical remote code execution vulnerability.
- Microsoft Exchange (CVE-2021-26855) (NVD): This is a critical remote code execution vulnerability.
- F5 BIG-IP (CVE-2020-5902) (NVD): This is a critical remote code execution vulnerability.
- VMware vCenter Server (CVE-2021-22005) (NVD): This is a critical arbitrary file upload vulnerability.
- Citrix ADC (CVE-2019-19781) (NVD): This is a critical path traversal vulnerability.
- Cisco Hyperflex (CVE-2021-1497) (NVD): This is a critical command line execution vulnerability.
- Buffalo WSR (CVE-2021-20090) (NVD): This is a critical relative path traversal vulnerability.
- Atlassian Confluence Server and Data Center (CVE-2021-26084) (NVD): This is a critical remote code execution vulnerability.
- Hikvision Web Server (CVE-2021-36260) (NVD): This is a critical command injection vulnerability.
- Sitecore XP (CVE-2021-42237) (NVD): This is a critical remote code execution vulnerability.
- F5 BIG-IP (CVE-2022-1388) (NVD): This is a critical remote code execution vulnerability.
- Apache (CVE-2022-24112) (NVD): This is a critical authentication bypass vulnerability.
- ZOHO (CVE-2021-40539) (NVD): This is a critical remote code execution vulnerability.
- Microsoft (CVE-2021-26857) (NVD): This is a high severity remote code execution vulnerability.
- Microsoft (CVE-2021-26858) (NVD): This is a high severity remote code execution vulnerability.
- Microsoft (CVE-2021-27065) (NVD): This is a high severity remote code execution vulnerability.
- Apache HTTP Server (CVE-2021-41773) (NVD): This is a high severity path traversal vulnerability.
Please note that these
Threat Actors in China
China has a complex cyber threat landscape with several state-sponsored groups operating within its borders. Besides Volt Typhoon, other notable groups include APT10, APT19, and APT41. These groups have been involved in a wide range of activities, from cyber espionage to data theft and infrastructure disruption.
Previous Infrastructure Attacks
China has a history of launching cyber-attacks that could disrupt critical infrastructure services within the United States. Notable incidents include the Chinese Gas Pipeline Intrusion Campaign from 2011 to 2013, targeting U.S. oil and natural gas pipeline companies, and the recent attacks on global Managed Service Providers (MSPs) referred to as the CLOUD HOPPER campaign.
Lessons from recent conflicts
The ongoing conflict between Russia and Ukraine provides valuable insights into the potential escalation of cyber warfare. The war in Ukraine is the largest military conflict of the cyber age and the first to incorporate significant levels of cyber operations on all sides. Despite Russia’s cyber capabilities, it has fared poorly against Ukraine, indicating that even less cyber-capable nations can effectively defend against and retaliate to cyber-attacks.
In conclusion, the activities of the Volt Typhoon APT highlight the increasing threat posed by state-sponsored cyber actors to critical infrastructure. It is crucial for organisations to remain vigilant, understand the TTPs of these threat actors, and implement robust security measures to protect their assets.