Volt Typhoon targets US critical infrastructure with living-off-the-land techniques | Microsoft Security Blog

Volt Typhoon is a China-based state-sponsored actor targeting US critical infrastructure with stealthy post‑compromise credential access and network discovery. The campaign relies on living-off-the-land techniques and traffic proxying through compromised devices to maintain long‑term access and avoid detection. #VoltTyphoon #Fortinet

Key points

  • Volt Typhoon is a state-sponsored actor targeting US critical infrastructure across multiple sectors (communications, manufacturing, utilities, transportation, construction, maritime, government, IT, education).
  • The campaign emphasizes stealth, LOLBins, and hands-on-keyboard activity, with minimal use of traditional malware.
  • Initial access is achieved via internet-facing Fortinet FortiGuard devices; the actor then extracts credentials for the Active Directory account used by the device and attempts lateral movement with them.
  • Traffic is proxied through compromised SOHO edge devices (routers, etc.) to blend in with normal network activity and reduce overhead.
  • Post-compromise activity centers on credential access (LSASS dumps, NTDS), data collection, and staging data in password-protected archives.
  • Discovery and collection involve system information, drive details, running processes, PowerShell/WMIC usage, and checks for virtualization; the actor also dumps browser data and attempts to create domain controller installation media.

MITRE Techniques

  • [T1133] External Remote Services – Volt Typhoon achieves initial access via internet-facing Fortinet FortiGuard devices. “Volt Typhoon achieves initial access to targeted organizations through internet-facing Fortinet FortiGuard devices.”
  • [T1078] Valid Accounts – They extract credentials to an Active Directory account and use them to authenticate to other devices. “The threat actor attempts to leverage any privileges afforded by the Fortinet device, extracts credentials to an Active Directory account used by the device, and then attempts to authenticate to other devices on the network with those credentials.”
  • [T1090] Proxy – They route traffic through compromised SOHO network edge devices (routers, etc.). “Volt Typhoon proxies all its network traffic to its targets through compromised SOHO network edge devices…”
  • [T1090] Proxy – Port proxy usage on compromised systems via netsh portproxy. “They accomplish this with the built-in netsh portproxy command.”
  • [T1059] Command and Scripting Interpreter – Post‑compromise hands-on-keyboard activity via the command line. “begin conducting hands-on-keyboard activity via the command line.”
  • [T1059.001] PowerShell – Discovery and lateral movement using PowerShell. “PowerShell” is listed among tools used to discover and operate.
  • [T1047] Windows Management Instrumentation – Use of WMIC to discover and operate. “Windows Management Instrumentation Command-line (WMIC)…”
  • [T1082] System Information Discovery – Discovery of system information (file system types, drive details, processes, open networks). “discovering system information, including file system types; drive names, size, and free space; running processes; and open networks.”
  • [T1560.001] Archive Collected Data – Staging data in password-protected archives. “staging collected data in password-protected archives.”
  • [T1003.001] LSASS Memory – Dumping credentials from LSASS. “dump credentials through the Local Security Authority Subsystem Service (LSASS).”
  • [T1003.003] NTDS – Creating domain controller installation media to obtain domain credentials. “Ntdsutil.exe to create installation media from domain controllers, either remotely or locally.”
  • [T1059.003] Browsers and Credentials – Dumping information from local web browser applications. “dumps information from local web browser applications.”
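Two of the behaviours listed above leave recognisable command lines in process-creation telemetry: the netsh portproxy configuration under [T1090] and the Ntdsutil.exe installation-media creation under [T1003.003]. The following detection sketch is an added example written for this summary, not code from Microsoft or the original blog post; the events, hosts and user names are constructed, and the regexes are assumptions about how these commands typically appear rather than a complete rule set.

```python
"""Flag process-creation events that match two Volt Typhoon behaviours named
in the MITRE list above: netsh portproxy changes (T1090) and ntdsutil
install-from-media (IFM) creation (T1003.003). Sample events are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    image: str
    command_line: str


# Constructed sample events with hypothetical hosts and users: one hit per
# behaviour plus two benign look-alikes that should not alert.
SAMPLE_EVENTS = [
    ProcEvent("WS-0412", r"CORP\jdoe", r"C:\Windows\System32\netsh.exe",
              "netsh interface portproxy add v4tov4 listenport=9999 "
              "connectaddress=10.0.0.5 connectport=8443"),
    ProcEvent("DC01", r"CORP\svc-backup", r"C:\Windows\System32\ntdsutil.exe",
              r'ntdsutil ifm "create full C:\Temp\media" quit quit'),
    ProcEvent("WS-0412", r"CORP\jdoe", r"C:\Windows\System32\netsh.exe",
              "netsh interface portproxy show all"),
    ProcEvent("DC01", r"CORP\svc-backup", r"C:\Windows\System32\cmd.exe",
              r"cmd /c dir C:\Windows\NTDS"),
]

# (rule name, ATT&CK technique, case-insensitive pattern over the command line).
# Only configuration changes to portproxy are flagged; "show" is read-only noise.
RULES = [
    ("netsh portproxy configuration change", "T1090",
     re.compile(r"\bnetsh\b.*\bportproxy\b.*\b(add|set)\b", re.I)),
    ("ntdsutil installation media (IFM) creation", "T1003.003",
     re.compile(r"\bntdsutil\b.*\bifm\b", re.I)),
]


def match_event(event: ProcEvent) -> list[tuple[str, str]]:
    """Return (rule name, technique) pairs whose pattern matches one event."""
    return [(name, tech) for name, tech, rx in RULES if rx.search(event.command_line)]


def triage(events: list[ProcEvent]) -> list[dict]:
    """Run every rule over a batch of events and return one alert per hit."""
    return [{"host": ev.host, "user": ev.user, "technique": tech,
             "rule": name, "command_line": ev.command_line}
            for ev in events for name, tech in match_event(ev)]


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[{a['technique']}] {a['host']} {a['user']}: {a['rule']}")
```

In production these rules would sit beside allow-lists for the administrators and change windows where portproxy and IFM creation are legitimate, since both are built-in tools and the page's point is that the actor hides in exactly that ambiguity.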

Indicators of Compromise

  • [File hash] Volt Typhoon custom FRP executable – baeffeb5fdef2f42a752c65c2d2a52e84fb57efc906d981f89dd518c314e231c, b4f7c5e3f14fb57be8b5f020377b993618b6e3532a4e1eb1eae9976d4130cc74, and 17 more hashes

Read more: https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/