Volt Typhoon (also known as VANGUARD PANDA, BRONZE SILHOUETTE, Redfly, Insidious Taurus, Dev-0391, Storm-0391, UNC3236, or VOLTZITE) is an advanced persistent threat engaged in cyberespionage reportedly on behalf of the People's Republic of China. Active since at least mid-2021, the group is known to primarily target United States manufacturing, utility, transportation, construction, maritime, defense, information technology, and education sectors. Volt Typhoon focuses on espionage, data theft, and credential access.
According to Microsoft, the group goes to great lengths to avoid detection, and its campaigns prioritize capabilities which enable China to sabotage critical communications infrastructure between the US and Asia during potential future crises. The US government believes the group's goal is to slow down any potential US military mobilization that may come following a Chinese invasion of Taiwan. The Chinese government denies the group exists.
Names
Volt Typhoon is the name currently assigned to the group by Microsoft, and is the most widely used name for the group. The group has also been variously referred to as:
Dev-0391 (by Microsoft, initially)
Storm-0391 (by Microsoft, initially)
BRONZE SILHOUETTE (by Secureworks, a subsidiary of Dell)
Insidious Taurus (by Palo Alto Networks Unit 42)
Redfly (by Gen Digital, formerly Symantec)
UNC3236 (by Mandiant, a subsidiary of Google)
VANGUARD PANDA (by CrowdStrike)
VOLTZITE (by Dragos)
Methodology
According to a joint publication by all of the cybersecurity and signals intelligence agencies of the Five Eyes, Volt Typhoon's core tactics, techniques, and procedures (TTPs) include living off the land: using built-in network administration tools to achieve their objectives and blending in with normal Windows system and network activity. This tactic avoids endpoint detection and response (EDR) products, which would alert on the introduction of third-party applications to the host, and limits the amount of activity captured under default logging configurations. Some of the built-in tools used by Volt Typhoon are wmic, ntdsutil, netsh, and PowerShell.
The group initially uses malicious software that penetrates internet-connected systems by exploiting vulnerabilities such as weak administrator passwords, factory default logins and devices that have not been updated regularly. Once they gain access to a target, they put a strong emphasis on stealth, almost exclusively relying on living-off-the-land techniques and hands-on-keyboard activity.
Volt Typhoon rarely uses malware in its post-compromise activity. Instead, the operators issue commands via the command line to first collect data, including credentials from local and network systems, place the data into an archive file to stage it for exfiltration, and then use the stolen valid credentials to maintain persistence. Some of these commands appear to be exploratory or experimental, as the operators adjust and repeat them multiple times. In addition, Volt Typhoon tries to blend into normal network activity by routing traffic through compromised small office and home office network equipment, including routers, firewalls, and VPN hardware. They have also been observed using custom versions of open source tools to establish a command and control (C2) channel over a proxy to further obscure their activity.
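Because the tools named above are legitimate parts of Windows, a defender cannot simply block them; the practical control is to alert when they appear with arguments that match the behaviour described (ntdsutil exporting the directory database, netsh configuring port forwarding, wmic executing a process on another host, PowerShell packaging collected files into an archive). The script below is an added illustration written for this page, not code from the article or from any of the agencies it cites. It parses constructed process-creation records in a simplified layout and applies four hypothetical detection rules; the rule names, patterns, host names, account names and log lines are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample telemetry (not real logs) in a simplified
# process-creation layout: timestamp|host|user|parent_image|new_image|command_line
SAMPLE_LOG = """\
2024-05-01T02:13:07Z|DC01|CORP\\svc-backup|cmd.exe|ntdsutil.exe|ntdsutil.exe ifm create full C:\\Windows\\Temp\\out
2024-05-01T02:20:41Z|DC01|CORP\\svc-backup|cmd.exe|netsh.exe|netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5 connectport=443
2024-05-01T02:25:03Z|WS17|CORP\\jdoe|explorer.exe|powershell.exe|powershell.exe Get-ChildItem C:\\Users\\jdoe\\Documents
2024-05-01T02:31:55Z|DC01|CORP\\svc-backup|cmd.exe|wmic.exe|wmic /node:FS02 process call create "cmd.exe /c dir"
2024-05-01T02:40:12Z|DC01|CORP\\svc-backup|cmd.exe|powershell.exe|powershell.exe Compress-Archive -Path C:\\Windows\\Temp\\out -DestinationPath C:\\Windows\\Temp\\out.zip
2024-05-01T09:02:00Z|WS22|CORP\\admin|cmd.exe|netsh.exe|netsh advfirewall show allprofiles
"""

FIELDS = ("timestamp", "host", "user", "parent_image", "new_image", "command_line")


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    user: str
    rule: str
    technique: str
    command_line: str


# Hypothetical rules keyed on the built-in tools the article names.
# Each entry: (rule name, pattern on the launched image, pattern on the
# command line, one-line description of the behaviour being detected).
RULES = [
    ("ntdsutil_ifm", r"ntdsutil\.exe$", r"\bifm\b",
     "credential access: offline copy of the Active Directory database"),
    ("netsh_portproxy", r"netsh\.exe$", r"\bportproxy\b",
     "command and control: built-in port forwarding used as a proxy"),
    ("wmic_remote_exec", r"wmic\.exe$", r"/node:",
     "lateral movement: process creation on a remote host via WMI"),
    ("powershell_archive", r"powershell\.exe$", r"Compress-Archive",
     "collection: staging gathered files in an archive"),
]


def parse_record(line):
    """Split one pipe-delimited record into a dict; return None if malformed."""
    parts = line.rstrip("\n").split("|", 5)  # command lines may contain '|'
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def match_rules(record):
    """Return a Finding for every rule whose image and command-line patterns both match."""
    hits = []
    for name, image_re, cmd_re, technique in RULES:
        if (re.search(image_re, record["new_image"], re.IGNORECASE)
                and re.search(cmd_re, record["command_line"], re.IGNORECASE)):
            hits.append(Finding(record["timestamp"], record["host"], record["user"],
                                name, technique, record["command_line"]))
    return hits


def scan(log_text):
    """Apply all rules to every record in the log, preserving record order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_record(line)
        if record is None:
            continue
        findings.extend(match_rules(record))
    return findings


def findings_by_host(findings):
    """Count hits per host: several distinct rules firing on one host in a short
    window is the signal worth escalating, not any single legitimate tool."""
    counts = {}
    for f in findings:
        counts[f.host] = counts.get(f.host, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f.timestamp} {f.host} {f.user} [{f.rule}] {f.technique}")
    print(findings_by_host(results))
```

Two of the constructed records (a directory listing in PowerShell and a firewall query through netsh) are benign and produce no hit, which is the point of matching on tool plus argument rather than tool alone. Even so, ntdsutil runs legitimately on domain controllers during scheduled backups, so in production a rule like `ntdsutil_ifm` needs an allow-list keyed on host and maintenance window; the stronger signal in the sample is that four different rules fire for the same account on the same host within half an hour, which is what `findings_by_host` surfaces.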
In many ways, Volt Typhoon functions similarly to traditional botnet operators, taking control of vulnerable devices such as routers and security cameras to hide and establish a beachhead in advance of using that system to launch future attacks. Operating this way makes it difficult for cybersecurity defenders to accurately identify the source of an attack.
According to Secureworks (a division of Dell), Volt Typhoon's interest in operational security "likely stemmed from embarrassment over the drumbeat of US indictments [of Chinese state-backed hackers] and increased pressure from Chinese leadership to avoid public scrutiny of its cyberespionage activity."
According to cybersecurity researcher Ryan Sherstobitoff, "Unlike attackers who vanish when discovered, this adversary digs in even deeper when exposed".
Notable campaigns
Attacks on US Navy
The US government has repeatedly detected activity on systems in the US and Guam designed to gather information on U.S. critical infrastructure and military capabilities, but Microsoft and the agencies said the attacks could be preparation for a future attack on U.S. critical infrastructure.
Singtel breach
In June 2024, Singtel was breached by Volt Typhoon. Following a report by Bloomberg News in November 2024, Singtel responded that it had "eradicated" malware from the threat.
Disruption
In January 2024, the FBI announced that it had disrupted Volt Typhoon's operations by undertaking court-authorized operations to remove malware from US-based victim routers, and taking steps to prevent reinfection.
Response from China
The Chinese government denied any involvement in Volt Typhoon and stated that Volt Typhoon is a misinformation campaign by U.S. intelligence agencies, according to state media outlet Xinhua News Agency and China's National Computer Virus Emergency Response Center (CVERC).