Volt Typhoon: The Chinese APT Group Abuse LOLBins for Cyber Espionage

On May 24th, 2023, The Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on a state-sponsored Chinese APT group, Volt Typhoon [1]. Volt Typhoon threat actors focus on cyber espionage campaigns that target critical infrastructure organizations in the United States and Asia region.  For their malicious operations, the APT group primarily uses Living Off The Land Binaries (LOLBins) to evade detection and remain undetected in their target's network.

In this blog post, we explained the tools and techniques used by Volt Typhoon and how they abuse Living Off The Land Binaries (LOLBins).

Simulate State-Sponsored Cyber Threats with 14-Day Free Trial of Picus Platform

Volt Typhoon: PRC State-Sponsored Cyber Espionage Group

Volt Typhoon (also known as BRONZE SILHOUETTE) is a People's Republic of China (PRC) state-sponsored APT group that focuses on stealthy and targeted cyber espionage campaigns against critical infrastructure organizations. The threat group has been actively targeting communications, construction, education, government, information technology, manufacturing, maritime, transportation, and utility sectors for nearly two years. 

The main objective of Volt Typhoon is to collect and exfiltrate sensitive information while avoiding detection. For this purpose, the APT group uses living-off-the-land techniques to mask their malicious activities as legitimate operations. The typical espionage campaign for Volt Typhoon follows initial access, living-off-the-land reconnaissance, lateral movement, and data exfiltration through C2 channels, in this order. In each step, adversaries use defense evasion techniques to hide their tracks.

Techniques and LOLBins used by Volt Typhoon

Initial Access

T1078 Valid Accounts & T1190: Exploit Public-Facing Application

Volt Typhoon gains initial access to their target's environment via stolen credentials of valid accounts. Also, Volt Typhoon is known to exploit public-facing Fortinet FortiGuard devices, ManageEngine ADSelfService Plus CVE-2021-40539 RCE, and FatPipe CVE-2021-27860 RCE vulnerabilities for initial access.

Execution

T1047 Windows Management Instrumentation

Adversaries use Windows Management Instrumentation for discovery, credential dumping, and command execution.

T1059 Command and Scripting Interpreter

Threat actors use PowerShell and Windows Command Shell to execute malicious commands in compromised hosts.

Persistence

T1505.003 Server Software Component: Web Shell

Volt Typhoon deploys backdoor web shells to maintain persistent access to compromised networks. The webshell appears to be a derivative of the Awen webshell that includes AES-encrypted or base64-encoded communication capabilities for C2. 

Defense Evasion

T1546 Hide Artifacts & T1070 Indicator Removal

Volt Typhoon selectively removes Windows Event Logs, system logs, artifacts, and other evidence of their malicious activity to hide their presence and limit threat- hunting activities.

Credential Access

T1003 OS Credential Dumping

As a cyber espionage group, Volt Typhoon gathers credentials of valid accounts in their victims' network. These credentials help them navigate and execute commands in the network without raising alerts. For credential dumping, they extract ntds.dit file and SYSTEM registry hive from Windows domain controllers or volume shadow copies. From the extracted ntds.dit and SECURITY files, Volt Typhoon harvest credentials of valid accounts.

Discovery

Volt Typhoon enumerates compromised networks to discover users, hosts, and services. The gathered information is leveraged in data exfiltration and lateral movement phases of the attack campaign.

Command and Control

T1090 Proxy

Volt Typhoon uses compromised small office/home office (SOHO) network devices as a proxy to hide the malicious traffic between their victims' network and C2 servers.

How Picus Helps Simulate Volt Typhoon Attacks?

We also strongly suggest simulating Volt Typhoon attacks to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Complete Security Validation Platform. You can also test your defenses against hundreds of other state-sponsored threat actors, such as Lazarus, Turla, APT33, and Sandworm, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for Volt Typhoon group: 

References

[1] "People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection," Cybersecurity and Infrastructure Security Agency CISA. [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a