Volt Typhoon, a Chinese state-sponsored cyber hacking group, has been targeting U.S. critical infrastructure since at least 2021, using various techniques – including “living-off-the-land” attacks – to gain entry to victim networks and steal sensitive information. Volt Typhoon is also known as the “Vanguard Panda.”
How Volt Typhoon uses “living-off-the-land” attacks to compromise critical infrastructure
Living-off-the-land attacks are file-less attacks that utilize existing tools and software on victim computers to gain entry. As they use existing programs to gain access, it can be hard to detect or defend against. Volt Typhoon takes advantage of built-in network administration tools to perform its objectives. This approach enables Volt Typhoon to evade detection by blending in with regular Windows system and network activities, avoid endpoint detection and response (EDR) products that would alert on the introduction of third-party applications to the host, and limit the amount of activity that is captured in default logging configurations. Volt Typhoon uses built-in tools, including wmic, ntdsutil, netsh, and PowerShell. A CISA Cybersecurity Advisory provides examples of the actor’s commands and detection signatures to aid network defenders in hunting for this activity. Detection can be difficult because many of the behaviors may appear benign and ignored by system administrations.
Volt Typhoon takes advantage of a two-year-old critical vulnerability in Zoho’s ManageEngine ADSelfService Plus, a single sign-on and password management solution, and additional undisclosed stealth mechanisms. Volt Typhoon appears flexible, with the ability to customize its tactics based on data gathered through extensive reconnaissance. In this case, the group utilized CVE-2021-40539 in ManageEngine for intrusion, then masked its Web shell as a legitimate process and erased logs as it went along. (Note that CVE-2021-50539 was patched in September 2021.)
A May 2023 Microsoft security brief details how “Volt Typhoon has been active since mid-2021 and has targeted critical infrastructure organizations in Guam and elsewhere in the United States. In this campaign, the affected organizations span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. Observed behavior suggests that the threat actor intends to perform espionage and maintain access without being detected for as long as possible.”
Volt Typhoon risks to U.S. Military security
In addition to posing risks to critical U.S. communications, manufacturing, utility services, transportation, and maritime infrastructure, Volt Typhoon poses a specific threat to the U.S. military, specifically the U.S. Navy.
If Volt Typhoon gains entry to military networks, they could gain access to sensitive data or disrupt operations – potentially even launch cyberattacks against them. A July 2023 New York Times article outlined how Volt Typhoon could give China the power to disrupt or slow American deployments or resupply operations, including during a Chinese move against Taiwan.
Volt Typhoon poses several threats to American military security:
- Steal sensitive data such as military plans, weapon designs, or troop movements.
- Hinder military operations by disrupting critical systems or networks.
- Launch cyberattacks against military targets.
The Volt Typhoon attacks demonstrate the growing risk of state-sponsored cyberattacks against critical infrastructure; organizations in these sectors should remain aware of potential vulnerabilities and take necessary precautions to safeguard themselves against potential breaches.