Volt Typhoon is a state-sponsored APT, widely attributed to China, targeting critical infrastructure and government-adjacent entities with sophisticated, stealthy operations. Recent U.S. government actions disrupted a Volt Typhoon botnet and highlighted the need for coordinated resilience and incident reporting. #VoltTyphoon #BronzeSilhouette #CVE-2021-27860 #CVE-2021-40539 #CVE-2023-27350 #SOCRadar #CISA
Keypoints
- Volt Typhoon (aka BRONZE SILHOUETTE) is a sophisticated state-sponsored APT believed to originate from China and active across government and private sectors.
- The group focuses on intelligence gathering and uses precise planning, custom malware, and stealthy infiltration, with U.S., Europe, and Asia as targets.
- Their attack methods combine Living off the Land (LotL) techniques, spear phishing, rapid exploitation of public CVEs, and bespoke malware tooling.
- Notable operations include targeting U.S. critical infrastructure, espionage campaigns against defense and government entities, and a national grid compromise in Asia.
- U.S. government actions (DOJ/CISA) disrupted Volt Typhoon’s botnet and emphasized reporting, resilience, and security-by-design in product development.
- The campaign is mapped to a broad set of MITRE ATT&CK techniques, including initial access, credential access, discovery, and data collection phases.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – The group's spear-phishing emails carry malicious attachments or links that lead to web pages deploying exploit techniques. “Spear Phishing: One of their primary infiltration methods involves crafting highly customized phishing emails tailored to lure specific individuals or departments within an organization. These emails often contain malicious attachments or links, leading to web pages that deploy exploit techniques.”
- [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell is used for execution within the attack chain. “Command and Scripting Interpreter: PowerShell”
- [T1505.003] Web Shell – Persistence and execution via server-side web shells. “Server Software Component: Web Shell”
- [T1584.004] Compromise Infrastructure: Server – Use of server infrastructure and botnet capabilities to support operations. “Compromise Infrastructure: Server” and “Botnet”
- [T1078.002] Valid Accounts: Domain Accounts – Credential reuse and domain account abuse to maintain access. “Valid Accounts: Domain Accounts”
- [T1036.005] Masquerading: Match Legitimate Name or Location – Obscuring tools or files by name or path to blend in. “Masquerading: Match Legitimate Name or Location”
- [T1036.008] Masquerading: Masquerade File Type – Hiding file types to evade detection. “Masquerading: Masquerade File Type”
- [T1007] Process Discovery – Identifying running processes to inform actions. “Process Discovery”
- [T1082] System Information Discovery – Collecting system information to tailor attacks. “System Information Discovery”
- [T1018] Remote System Discovery – Discovering reachable remote systems for lateral movement. “Remote System Discovery”
- [T1518] Software Discovery – Identifying installed software to pick targets or tools. “Software Discovery”
- [T1560.001] Archive Collected Data: Archive via Utility – Collected data is archived with a utility in preparation for exfiltration. “Archive Collected Data: Archive via Utility”
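The masquerading techniques listed above (T1036.005, matching a legitimate name or location) are among the easier ones to hunt for in process-creation telemetry, because a well-known binary name should only ever execute from a small set of directories. The following is an added example, not code from the page or from SOCRadar: it parses constructed key=value process-creation records and flags a tracked binary name launched from an unexpected path. The directory table is this example's assumption about a default Windows install; it is meant to be extended from your own golden image.

```python
import ntpath
import re
from dataclasses import dataclass

# Where a default Windows install keeps a few binaries whose names are often
# imitated. These locations are this example's assumption, not a page claim;
# extend the table from your own golden image.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
    "powershell.exe": {
        r"c:\windows\system32\windowspowershell\v1.0",
        r"c:\windows\syswow64\windowspowershell\v1.0",
    },
}


@dataclass(frozen=True)
class Finding:
    host: str
    image: str
    reason: str


# key=value fields; a quoted value may contain spaces (e.g. "Program Files").
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Parse one key=value process-creation record into a dict."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def check_location(host: str, image: str):
    """Flag a tracked binary name executing outside its expected directory
    (MITRE T1036.005). Returns a Finding, or None when nothing is wrong."""
    directory, name = ntpath.split(image.lower())
    expected = EXPECTED_DIRS.get(name)
    if expected is None:
        return None  # not a name we track
    if directory.rstrip("\\") in expected:
        return None
    return Finding(
        host,
        image,
        f"{name} launched from {directory!r}, expected one of {sorted(expected)}",
    )


def scan_events(lines) -> list:
    """Run check_location over every record that carries an image path."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if "image" not in ev:
            continue
        finding = check_location(ev.get("host", "?"), ev["image"])
        if finding:
            findings.append(finding)
    return findings


# Constructed sample records (not real telemetry). Records 2 and 5 imitate a
# system binary by name from a user-writable or non-system directory.
SAMPLE_EVENTS = [
    'ts=2024-02-01T09:00:01Z host=WS-0042 image="C:\\Windows\\System32\\svchost.exe" pid=1204',
    'ts=2024-02-01T09:00:07Z host=WS-0042 image="C:\\Users\\Public\\svchost.exe" pid=5512',
    'ts=2024-02-01T09:00:09Z host=WS-0042 image="C:\\Program Files\\Vendor\\vendor.exe" pid=5520',
    'ts=2024-02-01T09:00:12Z host=SRV-01 image=C:\\Windows\\SysWOW64\\svchost.exe pid=800',
    'ts=2024-02-01T09:00:15Z host=SRV-01 image="D:\\Temp\\lsass.exe" pid=2222',
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f.host}: {f.reason}")
```

The check is deliberately name-keyed rather than hash-keyed: it catches a renamed tool regardless of its content, and the expected-directory table is the only thing that needs tuning per environment. Pair it with a hash allowlist for the tracked names to also catch a replaced binary in the correct location.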
Indicators of Compromise
- [IOC Type] IP – Volt Typhoon operational IPs include 104.161.54[.]203, 109.166.39[.]139, and 23.227.198[.]247
- [IOC Type] CVE – CVE-2021-27860, CVE-2021-40539, and CVE-2023-27350
- [IOC Type] HASH – ef09b8ff86c276e9b475a6ae6b54f08ed77e09e169f7fc0872eb1d427ee27d31, d6ebde42457fe4b2a927ce53fc36f465f0000da931cfab9b79a36083e914ceca, and 3 more hashes
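Indicators published in a defanged form ("[.]") have to be normalised before they can be matched against telemetry, and the three IOC types above match different sources: IPs against network logs, hashes against EDR file events, and CVEs against vulnerability-scan findings. The following is an added example, not code from the page or from SOCRadar: it refangs and validates the listed IPs, normalises case for hashes and CVE IDs, and sweeps a set of constructed log lines for any of them. The IOC values are the ones listed on the page; the log lines are constructed sample data and the host names and IP 203.0.113.7 are placeholders.

```python
import ipaddress
import re
from dataclasses import dataclass

# Indicators as published on the page above. IPs are kept defanged ("[.]")
# exactly as listed; refang() turns them back into matchable addresses.
PAGE_IOCS = {
    "ip": ["104.161.54[.]203", "109.166.39[.]139", "23.227.198[.]247"],
    "cve": ["CVE-2021-27860", "CVE-2021-40539", "CVE-2023-27350"],
    "sha256": [
        "ef09b8ff86c276e9b475a6ae6b54f08ed77e09e169f7fc0872eb1d427ee27d31",
        "d6ebde42457fe4b2a927ce53fc36f465f0000da931cfab9b79a36083e914ceca",
    ],
}


def refang(indicator: str) -> str:
    """Undo common defanging ('[.]', '(.)', '[dot]') and validate as an IP.

    Raises ValueError if the result is not a valid address, so a typo in a
    feed cannot silently become a never-matching indicator.
    """
    cleaned = indicator.strip()
    for token in ("[.]", "(.)", "[dot]", "{.}"):
        cleaned = cleaned.replace(token, ".")
    return str(ipaddress.ip_address(cleaned))


def load_iocs(raw: dict) -> dict:
    """Normalise a raw IOC dict into sets keyed by type for O(1) lookups."""
    return {
        "ip": {refang(v) for v in raw.get("ip", [])},
        "cve": {v.upper() for v in raw.get("cve", [])},
        "sha256": {v.lower() for v in raw.get("sha256", [])},
    }


# Token extractors applied to every line regardless of the log's own field
# layout, so one sweep covers firewall, EDR and scanner output alike.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    line_no: int
    ioc_type: str
    value: str
    line: str


def scan_lines(lines, iocs: dict) -> list:
    """Return one Hit per (line, indicator) match, in line order."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for ip in IP_RE.findall(line):
            if ip in iocs["ip"]:
                hits.append(Hit(n, "ip", ip, line))
        for h in SHA256_RE.findall(line):
            if h.lower() in iocs["sha256"]:
                hits.append(Hit(n, "sha256", h.lower(), line))
        for c in CVE_RE.findall(line):
            if c.upper() in iocs["cve"]:
                hits.append(Hit(n, "cve", c.upper(), line))
    return hits


# Constructed sample log lines (not real telemetry): firewall, EDR and
# vulnerability-scanner records, only some of which touch a page IOC.
# 203.0.113.7 is a documentation-range placeholder; CVE-2099-0001 is fictitious.
SAMPLE_LOGS = [
    "2024-02-01T10:02:11Z fw action=allow src=10.0.5.12 dst=104.161.54.203 dport=443",
    "2024-02-01T10:02:13Z fw action=allow src=10.0.5.12 dst=203.0.113.7 dport=443",
    "2024-02-01T10:05:40Z edr event=file_create host=WS-0042 "
    "sha256=EF09B8FF86C276E9B475A6AE6B54F08ED77E09E169F7FC0872EB1D427EE27D31",
    "2024-02-01T11:00:00Z vulnscan host=VPN-GW-01 finding=cve-2021-40539 status=open",
    "2024-02-01T11:00:01Z vulnscan host=VPN-GW-01 finding=CVE-2099-0001 status=open",
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOGS, load_iocs(PAGE_IOCS)):
        print(f"line {hit.line_no}: {hit.ioc_type} {hit.value}")
```

A CVE hit from a scanner is not evidence of compromise on its own; it marks an asset exposed to a vulnerability the group is known to exploit quickly, so it belongs in the patch queue and should raise the priority of any IP or hash hit on the same host.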
For more IOCs, you can visit the Threat Actor/Malware page under the CTI module of SOCRadar XTI Platform.