China-linked Threats to Operational Technology

The report analyzes four China-linked APT incidents (Volt Typhoon, APT27, APT31, and BlackTech) that targeted organizations using operational technology, describing the TTPs used to access, persist, and potentially disrupt OT environments. It highlights router-based botnets, multiple backdoors (e.g., ChargeWeapon, FourteenHi), exploitation of public-facing appliances, and recommends ASR rules, MFA, segmentation, and application control. #VoltTyphoon #ChargeWeapon

Keypoints

  • Four China-linked threat groups (Volt Typhoon, APT27, APT31, BlackTech) targeted OT-relevant organizations over the past 12 months, using espionage and disruption techniques.
  • Volt Typhoon used a router-based botnet (end-of-life Cisco/NetGear devices) and multi-hop proxies to pre-position for potential OT disruption.
  • APT27 and APT31 deployed multiple backdoors and downloaders (e.g., ChargeWeapon, FourteenHi, MeatBall) to establish persistence and exfiltrate data from OT/air-gapped environments.
  • Common TTPs include RDP lateral movement, exploitation of public-facing appliances, ingress tool transfer, PowerShell and WMI abuse, reconnaissance, masquerading, and payload deobfuscation.
  • Practical mitigations recommended include application control, Windows Defender ASR rules (block obfuscated scripts; block process creations from PSExec/WMI), MFA for RDP, segmentation, jump boxes, WAFs, patching, and WMI auditing.

MITRE Techniques

  • [T1021.001] Remote Services: RDP – Used for lateral movement to domain controllers: [‘Volt Typhoon has been known to move laterally to the domain controller (DC) via an interactive Remote Desktop Protocol (RDP) session using a compromised account with domain administrator privileges.’]
  • [T1190] Exploit Public-Facing Application – Exploited vulnerabilities in network appliances to gain access: [‘Volt Typhoon commonly exploits vulnerabilities in networking appliances such as Fortinet, Ivanti, NETGEAR, Citrix, and Cisco.’]
  • [T1105] Ingress Tool Transfer – Downloaded tools and payloads onto compromised hosts (including outdated admin DLLs and malware downloaders): [‘the threat group downloaded an outdated version of comsvcs.dll on the DC in a nonstandard folder.’]
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Used to execute reverse-proxy clients and download encoded payloads: [‘These clients, when executed via PowerShell, open reverse proxies between the compromised system and Volt Typhoon C2 servers.’; ‘APT27 uses base64-encoded PowerShell to download malware artifacts and drops them under c:\programdata’]
  • [T1047] Windows Management Instrumentation – WMI/WMIC used to execute tools and collect data (including NTDS.dit theft): [‘Volt Typhoon has used Windows Management Instrumentation Console (WMIC) commands to execute ntdsutil to copy NTDS.dit and SYSTEM registry hive from the volume shadow copy.’]
  • [T1592] Gather Victim Host Information – Extensive reconnaissance and host profiling to identify high-value targets: [‘Volt Typhoon conducts extensive pre-compromise reconnaissance… to gather host, identity, and network information…’]
  • [T1036.005] Masquerading: Match Legitimate Name or Location – Cleared logs and masqueraded files/C2 to evade detection: [‘Volt Typhoon has selectively cleared Windows Event Logs, system logs, and other technical artifacts to remove evidence of their intrusion activity and masqueraded file names.’]
  • [T1140] Deobfuscate/Decode Files or Information – Use of RC4/XOR to decrypt configs and payloads to evade detection: [‘APT31 uses an RC4 key to decrypt the malware configuration…’; ‘APT27 has used a one-byte-length key (0x01) to decrypt an XOR-encrypted Cobalt Strike payload to evade signature-based malware detection.’]
  • [T0812] Use of Default OT Vendor Credentials – Attempted access to OT assets using vendor defaults: [‘Volt Typhoon attempted to gain access to OT assets by using default OT vendor credentials (T0812).’]
  • [T0859] NTDS.dit Theft – Leveraged previously compromised credential material from NTDS.dit to facilitate access: [‘Some credentials—those previously compromised via NTDS.dit theft (T0859)—proved fruitful.’]
  • [T0831] Manipulate HVAC and [T0847] Disable or Alter Physical Process Components and [T0880] Disrupt Energy/Water Controls – Potential OT disruption options identified for impacted sectors: [‘it could have manipulated heating, ventilation, and air conditioning (HVAC) systems in server rooms (T0831, T0847); disabled critical energy and water controls (T0880); and accessed camera surveillance systems at OT facilities.’]

Indicators of Compromise

  • [File names] deployed clients and binaries – SMSvcService.exe, Brightmetricagent.exe used as FRP client filenames for reverse proxies.
  • [Malware/tools] backdoors and payloads – ChargeWeapon, FourteenHi, MeatBall, and Cobalt Strike beacons used for persistence and exfiltration.
  • [Files/paths] staged artifacts – comsvcs.dll in a nonstandard folder, drops under c:\programdata (example of ingress tool placement).
  • [Servers/C2 infrastructure] hosting and cloud services – compromised Cobra DocGuard server used to host second-stage binaries; Yandex Cloud used for C2.
  • [Device types] compromised network appliances – end-of-life Cisco and NETGEAR routers used in Volt Typhoon’s botnet and multi-hop proxies.

China-linked groups used a consistent technical playbook against OT-relevant targets: exploit exposed network appliances or public-facing applications to gain initial access (e.g., Fortinet, Citrix, Cisco, NETGEAR), then transfer tools and payloads onto hosts (T1105), including outdated admin DLLs and staged binaries. They relied on script interpreters and remote execution—PowerShell for reverse proxies and downloader execution (T1059.001), and WMI/WMIC to run credential-theft commands (T1047) such as ntdsutil to copy NTDS.dit and the SYSTEM hive from a volume shadow copy.

For lateral movement and persistence they employed interactive RDP sessions (T1021.001), multiple backdoors (ChargeWeapon, FourteenHi, MeatBall) and masquerading techniques to evade detection (T1036.005), combined with payload obfuscation/decryption (RC4/XOR, T1140) and extensive reconnaissance to identify high-value OT/IT administrators (T1592). Volt Typhoon also used a router-based botnet and multi-hop proxy infrastructure to hide C2 and pre-position for potential OT disruption, including attempts to access OT devices with default vendor credentials (T0812) and reuse of credentials obtained from NTDS.dit theft (T0859).
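The host-level patterns in the two paragraphs above, turned into detection logic as an added example (this is not code from the ReliaQuest post or the underlying report): rules for WMIC launching ntdsutil (T1047), an encoded PowerShell command line (T1059.001), comsvcs.dll referenced outside System32 (T1105), the FRP client file names SMSvcService.exe and Brightmetricagent.exe (T1036.005), and a Sysmon Event ID 3 network connection from a user-writable directory. Field names mirror Sysmon's; every event record, command line, path and IP below is constructed for the example, and the rule names and the function name are the example's own.

```powershell
# Added example, not code from the ReliaQuest post: match the TTPs summarised above against
# Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records.
# All records are constructed; on a live host, map Get-WinEvent output from the
# Microsoft-Windows-Sysmon/Operational log onto the same field names before calling the function.

$Rules = @(
    @{ Name = 'T1047 WMIC spawning ntdsutil (NTDS.dit / SYSTEM hive copy)'
       Test = { param($e) $e.EventId -eq 1 -and $e.Image -match '\\wmic\.exe$' -and $e.CommandLine -match 'ntdsutil' } }
    @{ Name = 'T1059.001 encoded PowerShell command line'
       Test = { param($e) $e.EventId -eq 1 -and $e.Image -match '\\powershell(_ise)?\.exe$' -and $e.CommandLine -match '\s-(e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{8,}' } }
    @{ Name = 'T1105 comsvcs.dll referenced outside System32'
       Test = { param($e) $e.EventId -eq 1 -and $e.CommandLine -match 'comsvcs\.dll' -and $e.CommandLine -notmatch '\\Windows\\System32\\comsvcs\.dll' } }
    @{ Name = 'T1036.005 known FRP client file name (SMSvcService.exe / Brightmetricagent.exe)'
       Test = { param($e) $e.Image -match '\\(SMSvcService|Brightmetricagent)\.exe$' } }
    @{ Name = 'Sysmon EID 3: outbound connection from a user-writable directory'
       Test = { param($e) $e.EventId -eq 3 -and $e.Image -match '^C:\\(ProgramData|Users\\Public|Windows\\Temp)\\' } }
)

function Find-SuspiciousEvent {
    # Returns one finding per (event, rule) pair; -match is case-insensitive by default in PowerShell.
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        foreach ($r in $Rules) {
            $test = $r.Test
            if (& $test $e) {
                [pscustomobject]@{
                    Rule        = $r.Name
                    EventId     = $e.EventId
                    Image       = $e.Image
                    CommandLine = $e.CommandLine
                }
            }
        }
    }
}

# Constructed sample records (not real telemetry). 203.0.113.10 is a documentation-range address;
# the base64 string is a placeholder that decodes to "ABC".
$SampleEvents = @(
    [pscustomobject]@{ EventId = 1; Image = 'C:\Windows\System32\wbem\WMIC.exe'; ParentImage = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'wmic process call create "ntdsutil ..."' }
    [pscustomobject]@{ EventId = 1; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; ParentImage = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'powershell.exe -nop -w hidden -enc QQBCAEMA' }
    [pscustomobject]@{ EventId = 1; Image = 'C:\Windows\System32\rundll32.exe'; ParentImage = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'rundll32.exe C:\ProgramData\comsvcs.dll,ExampleExport' }
    [pscustomobject]@{ EventId = 1; Image = 'C:\ProgramData\SMSvcService.exe'; ParentImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = '"C:\ProgramData\SMSvcService.exe"' }
    [pscustomobject]@{ EventId = 3; Image = 'C:\ProgramData\SMSvcService.exe'; DestinationIp = '203.0.113.10'; DestinationPort = 443
                       CommandLine = $null }
    # Benign records that must not fire: a service host, and a script run with -ExecutionPolicy
    # (the encoded-command rule requires exactly -e/-ec/-en/-enc/-encodedcommand followed by base64).
    [pscustomobject]@{ EventId = 1; Image = 'C:\Windows\System32\svchost.exe'; ParentImage = 'C:\Windows\System32\services.exe'
                       CommandLine = 'svchost.exe -k netsvcs' }
    [pscustomobject]@{ EventId = 1; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = 'powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1' }
)

Find-SuspiciousEvent -Events $SampleEvents | Format-Table -AutoSize -Wrap
```

The FRP file-name rule deliberately ignores the event type, so the constructed SMSvcService.exe network connection is reported twice (once by name, once as a connection from ProgramData); that overlap is useful in triage because a file-name match alone is weak evidence, while a name match plus an outbound connection from a user-writable path is not. Tune the directory list in the last rule to the estate before relying on it.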

Defensive actions with immediate operational impact include: enforce least privilege and disable remote interactive logon for service accounts; require MFA and use jump boxes for any required RDP access; segment public-facing and OT networks and deploy WAFs; maintain aggressive patching and emergency zero-day plans for network appliances; implement application control and path/hash-based allowlists for frequently abused binaries; enable Windows Defender ASR rules (block obfuscated scripts; block process creations from PSExec/WMI); use Sysmon Event ID 3 (network connection) or EDR telemetry to monitor which processes initiate network connections; and enable WMI auditing where feasible to detect suspicious remote executions and credential access.
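The host-hardening items in the paragraph above, applied and verified as an added example (this is not code from the ReliaQuest post): the two ASR rules it names are enabled through the Defender cmdlets, the WMI-Activity operational log and logon auditing are switched on, and the resulting ASR state is read back. The rule GUIDs are Microsoft's published identifiers for those two rules; the function names are the example's own, and the script assumes an elevated session on a host running Microsoft Defender Antivirus.

```powershell
# Added example, not code from the ReliaQuest post: apply the two ASR rules named in the
# mitigations (in audit mode first), enable WMI-Activity logging and logon auditing, and
# report the resulting ASR state. Requires an elevated PowerShell session with Defender Antivirus.

# Published Microsoft GUIDs for the two ASR rules the report recommends.
$AsrRules = [ordered]@{
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
}

function Set-AsrRuleState {
    param([ValidateSet('Enabled', 'AuditMode', 'Disabled')][string]$Mode = 'AuditMode')
    foreach ($id in $AsrRules.Keys) {
        # Add-MpPreference merges into the existing rule list; Set-MpPreference would replace it.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
        Write-Host ("{0,-9} {1}  {2}" -f $Mode, $id, $AsrRules[$id])
    }
}

function Get-AsrRuleState {
    # Reads the configured rule list back; Ids and Actions are parallel arrays.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($id in $AsrRules.Keys) {
        $state = 'NotConfigured'
        for ($i = 0; $i -lt $ids.Count; $i++) {
            if ($ids[$i] -ieq $id) {
                # Numeric action codes as returned by Get-MpPreference.
                $state = switch ([int]$actions[$i]) { 0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { "Unknown($_)" } }
            }
        }
        [pscustomobject]@{ RuleId = $id; Rule = $AsrRules[$id]; State = $state }
    }
}

function Enable-WmiActivityLog {
    # Turn on the WMI-Activity operational channel so WMI operations, including remote ones, are logged.
    wevtutil.exe sl 'Microsoft-Windows-WMI-Activity/Operational' /e:true
}

function Enable-LogonAuditing {
    # Audit logons so RDP sessions (event 4624 with logon type 10) are recorded on the target host.
    auditpol.exe /set /subcategory:"Logon" /success:enable /failure:enable
}

# Usage (elevated, on a test host first): start in audit mode, review the ASR audit events
# (event ID 1122 in the Microsoft-Windows-Windows Defender/Operational log), then rerun
# Set-AsrRuleState -Mode Enabled once legitimate scripts and management tooling are confirmed clean.
Set-AsrRuleState -Mode AuditMode
Enable-WmiActivityLog
Enable-LogonAuditing
Get-AsrRuleState | Format-Table -AutoSize
```

Audit mode first matters for the PSExec/WMI rule in particular: endpoint-management tooling that executes commands remotely through WMI will trip it, and a blocking rollout without that baseline can break patching on the very hosts being hardened. The "disable remote interactive logon for service accounts" item is not scriptable from this block; it is the Deny log on through Remote Desktop Services user right assigned by Group Policy to the service accounts.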

Read more: https://www.reliaquest.com/blog/china-linked-threats-to-operational-technology/