Volt Typhoon, a state-sponsored cyber group associated with the People's Republic of China, has emerged as a notable threat to U.S. critical infrastructure, seeking to secure persistent access for potential future operations. The Tenable Security Response Team delves into the tactics, techniques, and procedures (TTPs) employed by this sophisticated actor.
The cyber landscape is in a constant state of flux, with various malicious entities, from ransomware crews to small hacking groups, consistently posing new threats. In this intricate environment, advanced persistent threat (APT) actors like Volt Typhoon remain significant. "We see a meticulous approach from Volt Typhoon, planning every move as they aim to exploit potential vulnerabilities in critical infrastructures," said the Tenable Security Response Team.
This state-sponsored group has garnered attention due to multiple cybersecurity advisories from the Cybersecurity and Infrastructure Security Agency (CISA), highlighting continued breaches targeting a wide array of sectors, including communications, energy, transportation, and water systems. Reports indicate that Volt Typhoon is not only skilled in infiltrating networks but is also focused on operational technology (OT) environments, emphasizing the potential impact of their actions.

Historically linked to the alias BRONZE SILHOUETTE, Volt Typhoon has been recognized under various names by different intelligence entities. Microsoft refers to them as DEV-0391, while Mandiant (FireEye) designates them as UNC3236. Additionally, CrowdStrike tracks this group as Vanguard Panda. The group’s adaptability is further evidenced through their evasive techniques, which involve blending malicious activity within seemingly innocuous network traffic.
"Volt Typhoon demonstrates an advanced capability to maintain presence in networks through the use of living off the land (LOTL) techniques. They often rely on existing system tools, allowing them to customize their operations to avoid detection," said an expert at Tenable. Rather than deploying automated malware, Volt Typhoon prefers hands-on-keyboard activity, which lets the operators tailor reconnaissance to each target and leaves little in the way of distinctive malware artifacts for defenders to find.
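Because LOTL activity uses binaries that are already present and legitimately used on every host, the detection opportunity lies in context rather than in the tool itself: which account ran it, from what parent process, and how many different built-in tools one session touched. The following Python script is an added illustration of that idea and is not code from Tenable or from the advisories; the watchlist of tool names, the expected-parent allowlist, the simplified log line format and the sample log lines are all constructed assumptions and would need tuning to a real environment's telemetry.

```python
"""Added example: triage of process-creation events for living-off-the-land (LOTL) clusters.

The log format, the watchlist and the allowlist below are constructed assumptions for
illustration, not fields or lists taken from any product or advisory.
"""
import re
from collections import defaultdict

# Assumed watchlist: native Windows tools that are present on every host and are
# therefore convenient for hands-on-keyboard operators. Tune to your environment.
LOTL_WATCHLIST = {"powershell.exe", "wmic.exe", "netsh.exe", "reg.exe", "net.exe"}

# Assumed allowlist: parents that routinely launch those tools for benign reasons
# (service hosts running scheduled maintenance). Anything else is counted.
EXPECTED_PARENTS = {"services.exe", "svchost.exe"}

# A session touching this many distinct watchlist tools from an unexpected parent is flagged.
THRESHOLD = 3

# Constructed, simplified key=value event line (roughly what a process-creation event carries).
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'parent=(?P<parent>\S+) image=(?P<image>\S+)(?: cmdline="(?P<cmdline>[^"]*)")?$'
)


def parse_event(line):
    """Parse one event line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["parent"] = ev["parent"].lower()
    ev["image"] = ev["image"].lower()
    return ev


def find_lotl_sessions(lines, threshold=THRESHOLD):
    """Group watchlist executions by (host, user) and return the sessions over the threshold.

    Executions launched by an expected parent are ignored so that routine maintenance
    does not inflate the count; the result maps (host, user) to the sorted tool names.
    """
    seen = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["image"] not in LOTL_WATCHLIST:
            continue
        if ev["parent"] in EXPECTED_PARENTS:
            continue
        seen[(ev["host"], ev["user"])].add(ev["image"])
    return {key: sorted(tools) for key, tools in seen.items() if len(tools) >= threshold}


# Constructed sample log: one benign user session, one patching job launched by a
# service host, and one off-hours service account walking through several built-in tools.
SAMPLE_LOG = """\
2024-02-07T10:15:32Z host=FS01 user=CORP\\jdoe parent=explorer.exe image=notepad.exe cmdline="notepad.exe report.txt"
2024-02-07T10:16:01Z host=FS01 user=CORP\\jdoe parent=svchost.exe image=powershell.exe cmdline="powershell.exe -File C:\\Patch\\run.ps1"
2024-02-07T02:03:10Z host=DC01 user=CORP\\svc_backup parent=cmd.exe image=netsh.exe cmdline="netsh interface show interface"
2024-02-07T02:04:45Z host=DC01 user=CORP\\svc_backup parent=cmd.exe image=wmic.exe cmdline="wmic os get caption"
2024-02-07T02:06:12Z host=DC01 user=CORP\\svc_backup parent=cmd.exe image=reg.exe cmdline="reg query HKLM\\SOFTWARE"
2024-02-07T02:07:30Z host=DC01 user=CORP\\svc_backup parent=cmd.exe image=net.exe cmdline="net user"
this line is not an event and is skipped by the parser
"""

if __name__ == "__main__":
    for (host, user), tools in find_lotl_sessions(SAMPLE_LOG.splitlines()).items():
        print(f"LOTL cluster on {host} by {user}: {', '.join(tools)}")
```

The point of the threshold is that a single `reg query` or `netsh` invocation is normal administration, whereas one account moving through several unrelated built-in tools from an interactive shell in a short span is the pattern worth a human look. In practice the allowlist would be derived from a baseline of each host's own parent/child pairs rather than hard-coded.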
The initial phase of an attack often involves exploiting unpatched vulnerabilities and weak credentials. "They take advantage of publicly exposed systems, such as firewalls and VPN appliances," noted the team. This strategy is part of Volt Typhoon's modus operandi to gain and retain access to sensitive networks.
Through compromised small office/home office (SOHO) routers, Volt Typhoon obscures its network activity by relaying traffic through these devices, which are often left unsecured. Affected brands named in public reporting include ASUS, Cisco, Fortinet and other vendors of consumer-grade equipment, whose devices are rarely monitored or patched and are therefore easy to turn into relay points. "By utilizing these devices, they mask their traffic to appear legitimate, effectively bypassing geolocation firewall rules," explained a network security analyst.

Among the weaknesses that most often enable Volt Typhoon's incursions are misconfigured and unpatched internet-accessible devices, which the group exploits to gain an initial foothold. When asked about the implications, a cybersecurity expert remarked, "Entities need to prioritize the security of perimeter devices to mitigate risks from persistent threats like Volt Typhoon. Regular audits and prompt patching of vulnerabilities can significantly reduce exposure."
As the threat landscape evolves, key sectors must remain vigilant against the sophisticated tactics employed by state-sponsored actors like Volt Typhoon. Effective cybersecurity measures, continuous monitoring, and adopting proactive defense strategies will be crucial in safeguarding critical infrastructure from these emerging threats.