In recent months, Microsoft has uncovered a series of stealthy and targeted malicious activities carried out by a state-sponsored actor known as Volt Typhoon. This threat group, believed to be based in China, has a history of focusing on espionage and information gathering. Their recent campaign, which started in mid-2021, targets explicitly critical infrastructure organizations in the United States, particularly interested in Guam and other locations. In this threat research, we will delve into the tactics, techniques, and procedures employed by Volt Typhoon, shedding light on their objectives and the potential risks they pose to international communication infrastructure.

Background on Volt Typhoon

Volt Typhoon is a highly sophisticated threat actor group operating for several years. While attribution in the cyber realm can be challenging, Microsoft's research and analysis have provided moderate confidence that Volt Typhoon is a state-sponsored actor based in China. Their primary focus is on carrying out espionage activities and gathering sensitive information. The group has demonstrated advanced capabilities and persistence, often aiming to maintain long-term access to compromised networks without detection.

Scope of the Campaign

The current campaign conducted by Volt Typhoon has targeted critical infrastructure organizations across various sectors. These sectors include communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education. By targeting such diverse industries, Volt Typhoon aims to gather a wide range of information that could be valuable for espionage purposes. The group's primary objective is to achieve and maintain unauthorized access to target networks using sophisticated techniques and living-off-the-land binaries (LOLBins).

TTPs and Attack Methodology

Volt Typhoon's campaign relies heavily on stealth and legitimate tools and processes. By employing living-off-the-land techniques and hands-on-keyboard activity, the threat group deviates from traditional malware-based operations. Instead, it leverages existing system tools and commands to minimize their reliance on malware, to achieve their objectives, making detection and mitigation challenging for defenders. The following sections provide a detailed analysis of the tactics and techniques observed in Volt Typhoon's post-compromise activities.

Command-line Operations and Data Collection

Volt Typhoon's operations involve executing commands via the command line interface. The threat actor's primary focus is on data collection, including the acquisition of credentials from both local and network systems. They store the collected data in archive files, preparing it for exfiltration. Volt Typhoon takes advantage of stolen valid credentials to maintain persistence within compromised networks.

Leveraging Compromised Small Office and Home Office (SOHO) Network Equipment

To obfuscate their activities and blend into normal network traffic, Volt Typhoon routes their communication through compromised small office and home office (SOHO) network equipment such as routers, firewalls, and VPN hardware. This technique helps them remain under the radar and enhances the stealth of their operations.

Custom Command and Control (C2) Channel

Volt Typhoon has been observed using custom versions of open-source tools to establish a command and control (C2) channel over proxy connections. This method allows them to maintain control over compromised systems while minimizing the risk of detection. By leveraging a proxy, the threat actor can further evade network security measures.

Volt Typhoon: Attack-Flow Diagram

Initial Access

To gain initial access to targeted organizations, Volt Typhoon focuses on exploiting internet-facing Fortinet FortiGuard devices. Microsoft's ongoing investigation aims to uncover the specific methods employed by the threat actor to exploit these devices and gain unauthorized access. Once access is obtained, the threat actors extract credentials associated with an Active Directory account used by the Fortinet device. They then attempt to authenticate to other devices on the network using these stolen credentials.

Proxying and Network Traffic Routing

To enhance their stealth and minimize detection, Volt Typhoon proxies all network traffic through compromised small office and home office (SOHO) network edge devices, such as routers. These devices, manufactured by companies like ASUS, Cisco, D-Link, NETGEAR, and Zyxel, are exploited by the threat actors to route their traffic, making it difficult to track their activities. Organizations that use such devices should ensure that management interfaces are not exposed to the public internet to reduce the attack surface.

Living-off-the-Land and Command-Line Activity

Volt Typhoon's post-compromise activities primarily involve hands-on-keyboard activity using command-line tools. They rely on living-off-the-land binaries (LOLBins) and commands to collect data, discover additional devices on the network, and exfiltrate sensitive information. The group has been observed using the Local Security Authority Subsystem Service (LSASS) to dump credentials from memory, specifically targeting operating system (OS) credentials.

Base64-encoded LSASS process memory dump command by Volt Typhoon (Microsoft)

Base64 decoded Volt Typhoon LSASS memory dump command (Microsoft)

Additionally, they frequently employ the command-line tool Ntdsutil.exe to create these installation media files contain usernames and password hashes, which can be cracked offline, providing the attackers with valid domain account credentials that can be used to regain access if necessary, allowing the group to move laterally within the compromised network.

Remote creation of DC installation media by Volt Typhoon

Volt Typhoon DC installation media creation command

Credential Theft and Privilege Escalation

Once inside the network, Volt Typhoon focuses on credential theft and privilege escalation. They utilize various techniques, including the extraction of credentials from memory using tools like Mimikatz, and the exploitation of misconfigurations and vulnerabilities to elevate their privileges. By acquiring higher-level access, the threat actors can move freely within the network and access sensitive information.

Data Exfiltration

Volt Typhoon's ultimate goal is to exfiltrate valuable data from the compromised network. They employ a series of techniques to achieve this, including compressing data into multiple encrypted archives and exfiltrating them via various network protocols, such as HTTP and DNS. The group is known to use steganography techniques to conceal data within image files, making detection and analysis more challenging.

Persistence and Covering Tracks

To maintain long-term access to compromised networks, Volt Typhoon establishes persistence mechanisms. They create backdoors, install malicious services, and modify registry settings to ensure they can regain access even if initial access points are discovered and mitigated. Additionally, the threat group takes steps to cover their tracks by deleting log files and other evidence of their activities, making it more difficult for defenders to detect and investigate their presence.

Attribution and Motivation

While attribution in the cyber realm can be complex and challenging, Microsoft's research indicates that Volt Typhoon is a state-sponsored actor based in China. The group's activities align with the objectives of traditional state espionage, with a focus on gathering intelligence and acquiring sensitive information. The specific motivations and targets of Volt Typhoon's operations are not publicly disclosed, but they appear to have a particular interest in critical infrastructure organizations, potentially to gain a strategic advantage or to gather information that could be used in future operations.

Discovery

Volt Typhoon conducts extensive discovery activities to gather information about the compromised systems and the network as a whole. They use various commands, including PowerShell, Windows Management Instrumentation Command-line (WMIC), and ping, to identify file system types, drive names, running processes, open networks, and other systems on the network. The threat actors also perform checks to determine if they are operating within a virtualized environment.

Command & Control

Volt Typhoon primarily gains access to compromised systems by signing in with valid credentials, mimicking the behavior of authorized users. In some cases, however, they create proxies on compromised systems using the built-in netsh portproxy command.

Volt Typhoon commands: Create & delete port proxy

This facilitates their ability to maintain a persistent connection to the compromised systems and enables them to remotely control the compromised devices without raising suspicion. By using proxies, they can route their command and control (C2) communications through the compromised systems, making it harder for defenders to detect and block their activities. Proxies also help them evade network monitoring and intrusion detection systems that may be in place within the target environment.

Defence Against Volt Typhoon

To effectively defend against this campaign, the following measures should be implemented:

• Strengthen authentication: Implement robust multi-factor authentication (MFA) policies using hardware security keys or Microsoft Authenticator. Additionally, consider implementing passwordless sign-in, password expiration rules, and deactivating unused accounts to minimize the risk associated with compromised valid accounts.

• Reduce the attack surface: Microsoft customers can enable specific attack surface reduction rules to counteract observed activity related to this threat. These rules include blocking credential stealing from the Windows local security authority subsystem (lsass.exe), blocking process creations originating from PSExec and WMI commands, and blocking the execution of potentially obfuscated scripts. Although compatibility issues may arise on certain server systems with the PSExec and WMI rule, it is still recommended to deploy it on other systems to prevent lateral movement originating from these methods.

• Enhance LSASS process security: Enable Protected Process Light (PPL) for LSASS on Windows 11 devices to harden the security of the LSASS process. This feature is enabled by default on new enterprise-joined Windows 11 (22H2 update) installs. Additionally, enable Windows Defender Credential Guard, which is also turned on by default for organizations using the Enterprise edition of Windows 11.

• Utilize cloud-delivered protection: Activate cloud-delivered protection in Microsoft Defender Antivirus to ensure coverage against rapidly evolving attacker tools, techniques, and behaviors, including those demonstrated by Volt Typhoon.

• Implement endpoint detection and response (EDR) in block mode: Configure endpoint detection and response (EDR) in block mode to enable Microsoft Defender for Endpoint to block malicious artifacts. This is particularly useful when non-Microsoft antivirus solutions fail to detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode operates behind the scenes to remediate detected malicious artifacts even after compromise.

Mitigation and Recommendations

To defend against the activities of Volt Typhoon and similar APT groups, organizations should consider implementing the following mitigation measures:

• Vulnerability Management: Regularly patch and update all systems, including internet-facing devices, to mitigate the risk of exploitation. Stay informed about security vulnerabilities and apply patches promptly.

• Network Segmentation: Implement network segmentation to limit the lateral movement of threat actors within the network. This can help contain any potential breaches and minimize the impact of a successful intrusion.

• Privileged Access Management: Enforce strong access controls and regularly review and manage user privileges. Implement the principle of least privilege (PoLP) to restrict access to critical systems and data.

• Network Monitoring: Deploy robust network monitoring and intrusion detection systems (IDS) to detect any anomalous activities or suspicious network traffic. Monitor outbound connections for signs of data exfiltration.

• Employee Education: Conduct regular security awareness training to educate employees about phishing techniques, social engineering, and the importance of following secure practices, such as using strong passwords and avoiding suspicious links or attachments.

• Incident Response Planning: Develop an incident response plan that outlines the steps to be taken in the event of a security breach. Regularly test and update the plan to ensure its effectiveness.

• Threat Intelligence Sharing: Collaborate with industry peers and share threat intelligence information to stay informed about emerging threats and improve defenses collectively.

Indicators of Compromise were identified during our investigation:

Volt Typhoon custom FRP executable (SHA-256):

baeffeb5fdef2f42a752c65c2d2a52e84fb57efc906d981f89dd518c314e231c b4f7c5e3f14fb57be8b5f020377b993618b6e3532a4e1eb1eae9976d4130cc74 4b0c4170601d6e922cf23b1caf096bba2fade3dfcf92f0ab895a5f0b9a310349 c0fc29a52ec3202f71f6378d9f7f9a8a3a10eb19acb8765152d758aded98c76d d6ab36cb58c6c8c3527e788fc9239d8dcc97468b6999cf9ccd8a815c8b4a80af 9dd101caee49c692e5df193b236f8d52a07a2030eed9bd858ed3aaccb406401a 450437d49a7e5530c6fb04df2e56c3ab1553ada3712fab02bd1eeb1f1adbc267 93ce3b6d2a18829c0212542751b309dacbdc8c1d950611efe2319aa715f3a066 7939f67375e6b14dfa45ec70356e91823d12f28bbd84278992b99e0d2c12ace5 389a497f27e1dd7484325e8e02bbdf656d53d5cf2601514e9b8d8974befddf61 c4b185dbca490a7f93bc96eefb9a597684fdf532d5a04aa4d9b4d4b1552c283b e453e6efc5a002709057d8648dbe9998a49b9a12291dee390bb61c98a58b6e95 6036390a2c81301a23c9452288e39cb34e577483d121711b6ba6230b29a3c9ff cd69e8a25a07318b153e01bba74a1ae60f8fc28eb3d56078f448461400baa984 17506c2246551d401c43726bdaec800f8d41595d01311cf38a19140ad32da2f4 8fa3e8fdbaa6ab5a9c44720de4514f19182adc0c9c6001c19cf159b79c0ae9c2 d17317e1d5716b09cee904b8463a203dc6900d78ee2053276cc948e4f41c8295 472ccfb865c81704562ea95870f60c08ef00bcd2ca1d7f09352398c05be5d05d 3e9fc13fab3f8d8120bd01604ee50ff65a40121955a4150a6d2c007d34807642