PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure | CISA

U.S. agencies warn that PRC-aligned Volt Typhoon actors have been pre-positioning long‑term access in U.S. critical-infrastructure IT environments—using living-off-the-land techniques, valid credentials, and covert proxying to enable lateral movement toward OT systems. The advisory details exploitation of internet-facing appliances (e.g., Fortinet CVE-2022-42475), NTDS.dit credential theft via VSS/ntdsutil, and FRP-based C2 with observable file artifacts. #VoltTyphoon #NTDS.dit

Keypoints

  • Volt Typhoon (aka Vanguard Panda/BRONZE SILHOUETTE/UNC3236) targets IT networks of Communications, Energy, Transportation, and Water sectors to pre-position for OT disruption.
  • Initial access frequently comes from exploiting public-facing networking appliances (Fortinet, Ivanti, NETGEAR, Citrix, Cisco), including CVE-2022-42475 on FortiGate devices.
  • Actors favor living-off-the-land (LOTL) techniques and valid accounts for stealthy persistence, often remaining undetected for years.
  • Main credential-stealing method: create volume shadow copies (vssadmin), use ntdsutil/WMIC to copy NTDS.dit + SYSTEM hive, then exfiltrate for offline cracking.
  • Lateral movement primarily via RDP with compromised admin credentials; actors also use PsExec, PuTTY profile discovery, and may target cloud accounts.
  • Command-and-control uses FRP reverse-proxy clients (BrightmetricAgent.exe, SMSvcService.exe), multi‑hop proxies, and compromised SOHO routers (KV Botnet) or PRTG portproxy modifications.
  • Key detection signals include ESENT Application Log event IDs (216, 325, 326, 327), RDP session logs (Event IDs 21–25), and cleared/modified Windows event logs (Event ID 1102).
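The detection signals listed above can be correlated from exported Windows event records. The following is an added example and is not code from the CISA advisory: it flags the ESENT Application-log events (216, 325, 326, 327) when their message names ntds.dit, Security event 1102 (audit log cleared), and RDP session logons (TerminalServices-LocalSessionManager 21/25) from one account fanning out to several hosts in a short window. The event records and their field names are constructed to resemble a SIEM export, and the fan-out threshold is an assumption.

```python
"""Correlate exported Windows events for the advisory's detection signals.

Added example, not part of the CISA advisory. SAMPLE_EVENTS is constructed
telemetry; the record layout (ts/host/log/provider/id/message) is assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

ESENT_NTDS_IDS = {216, 325, 326, 327}   # Application log, provider ESENT
LOG_CLEARED_ID = 1102                    # Security log: audit log was cleared
RDP_SESSION_IDS = {21, 22, 23, 24, 25}   # TerminalServices-LocalSessionManager
RDP_PROVIDER = "Microsoft-Windows-TerminalServices-LocalSessionManager"
RDP_RE = re.compile(r"User:\s*(?P<user>\S+).*?Source Network Address:\s*(?P<src>\S+)", re.S)

def _rdp_msg(user, src):
    return f"Remote Desktop Services: Session logon succeeded:\nUser: {user}\nSession ID: 3\nSource Network Address: {src}"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T01:40:00", "host": "SRV01", "log": "Operational", "provider": RDP_PROVIDER,
     "id": 21, "message": _rdp_msg("CORP\\svc_backup", "10.0.0.50")},
    {"ts": "2024-01-10T01:52:00", "host": "SRV02", "log": "Operational", "provider": RDP_PROVIDER,
     "id": 21, "message": _rdp_msg("CORP\\svc_backup", "10.0.0.50")},
    {"ts": "2024-01-10T02:05:00", "host": "DC01", "log": "Operational", "provider": RDP_PROVIDER,
     "id": 21, "message": _rdp_msg("CORP\\svc_backup", "10.0.0.50")},
    {"ts": "2024-01-10T02:11:05", "host": "DC01", "log": "Application", "provider": "ESENT", "id": 325,
     "message": "ntdsutil.exe (4480) Instance: The database engine created a new database "
                "called C:\\Windows\\Temp\\pro\\Active Directory\\ntds.dit."},
    # Benign ESENT 326: the Windows Search index database is attached all the time.
    {"ts": "2024-01-10T02:30:00", "host": "DC01", "log": "Application", "provider": "ESENT", "id": 326,
     "message": "SearchIndexer (2212) Windows: The database engine attached a database "
                "(1, C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\Windows.edb)."},
    {"ts": "2024-01-10T03:00:00", "host": "DC01", "log": "Security", "provider": "Microsoft-Windows-Eventlog",
     "id": 1102, "message": "The audit log was cleared."},
    {"ts": "2024-01-10T09:00:00", "host": "WS07", "log": "Operational", "provider": RDP_PROVIDER,
     "id": 21, "message": _rdp_msg("CORP\\jdoe", "10.0.1.22")},
    {"ts": "2024-01-10T09:05:00", "host": "WS07", "log": "Operational", "provider": RDP_PROVIDER,
     "id": 24, "message": "Remote Desktop Services: Session has been disconnected:\nUser: CORP\\jdoe"},
]

def detect(events, rdp_target_threshold=3, rdp_window=timedelta(hours=1)):
    """Return a list of alert dicts for the advisory's event-log signals."""
    alerts = []
    rdp_logons = defaultdict(list)  # user -> [(ts, target host, source address)]
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, eid, msg = datetime.fromisoformat(ev["ts"]), ev["id"], ev.get("message", "")
        if ev["provider"] == "ESENT" and eid in ESENT_NTDS_IDS and "ntds.dit" in msg.lower():
            # The advisory treats NTDS.dit theft as full domain compromise.
            alerts.append({"rule": "ntds_dit_copy", "severity": "critical",
                           "host": ev["host"], "detail": msg})
        elif eid == LOG_CLEARED_ID and ev["log"] == "Security":
            alerts.append({"rule": "security_log_cleared", "severity": "high",
                           "host": ev["host"], "detail": msg})
        elif ev["provider"] == RDP_PROVIDER and eid in RDP_SESSION_IDS and eid in (21, 25):
            m = RDP_RE.search(msg)          # 21 = logon succeeded, 25 = reconnect
            if m:
                rdp_logons[m["user"]].append((ts, ev["host"], m["src"]))
    # One account opening RDP sessions to many hosts within the window.
    for user, logons in rdp_logons.items():
        for i, (ts, _, src) in enumerate(logons):
            targets = {h for (t, h, _) in logons[i:] if t - ts <= rdp_window}
            if len(targets) >= rdp_target_threshold:
                alerts.append({"rule": "rdp_fan_out", "severity": "medium", "user": user,
                               "host": src, "detail": sorted(targets)})
                break
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["rule"], a["host"], a.get("user", ""))
```

Run against the constructed events it reports the ntds.dit copy on DC01 as critical, the cleared Security log as high, and the svc_backup RDP fan-out to three hosts as medium, while ignoring the benign ESENT 326 for the Search index database. In production the same checks would be fed from Get-WinEvent exports or a SIEM query rather than an inline list.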

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Exploited vulnerabilities in network appliances (e.g., “likely obtained initial access by exploiting CVE-2022-42475 in a network perimeter FortiGate 300D firewall”).
  • [T1133] External Remote Services – Established VPN sessions into victim environments for follow-on activity: “…then connects to the victim’s network via VPN for follow-on activities.”
  • [T1078] Valid Accounts – Maintains persistence using legitimate credentials: “Volt Typhoon primarily relies on valid credentials for persistence.”
  • [T1003.003] OS Credential Dumping: NTDS – Extracted Active Directory database (NTDS.dit) from domain controllers via shadow copies: “Volt Typhoon achieves full domain compromise by extracting the Active Directory database (NTDS.dit) from the DC.”
  • [T1006] Direct Volume Access – Used vssadmin to create volume shadow copies to access NTDS.dit: “Volt Typhoon frequently employs the Volume Shadow Copy Service (VSS) using command-line utilities such as vssadmin to access NTDS.dit.”
  • [T1110.002] Brute Force: Password Cracking – Exfiltrated NTDS.dit and SYSTEM hive for offline cracking: “Exfiltrate NTDS.dit and SYSTEM registry hive to crack passwords offline.”
  • [T1059 / T1059.001] Command and Scripting Interpreter (PowerShell) – Performed hands-on-keyboard LOTL actions and executed FRP clients via PowerShell: “these clients, when executed via PowerShell, open reverse proxies…”
  • [T1003.001] OS Credential Dumping: LSASS Memory – Used comsvcs.dll with MiniDump to dump LSASS memory: “used this DLL with MiniDump and the process ID of the Local Security Authority Subsystem Service (LSASS) to dump the LSASS process memory.”
  • [T1090 / T1090.003] Proxy: Multi-hop Proxy – Routed C2 through multi-hop proxies and compromised SOHO routers (KV Botnet): “Historically, Volt Typhoon actors use multi-hop proxies for command and control (C2) infrastructure.”
  • [T1573] Encrypted Channel – Set up FRP clients on victim infrastructure to create covert encrypted C2 channels: “setup FRP clients on a victim’s corporate infrastructure to establish covert communications channels for command and control.”
  • [T1070.001] Indicator Removal: Clear Windows Event Logs – Cleared logs and artifacts to hide activity: “selectively clearing Windows Event Logs… to remove evidence of their intrusion activity.”
  • [T1047] Windows Management Instrumentation – Used WMIC and WMI for execution and staging (ntdsutil/ntds copying): “Use Windows Management Instrumentation Console (WMIC) commands to execute ntdsutil… to copy NTDS.dit and SYSTEM registry hive.”

Indicators of Compromise

  • [File names] FRP / C2 clients – BrightmetricAgent.exe (SHA256 edc0c63065e88ec96197c8d7a40662a15a812a9583dc6c82b18ecd7e43b13b70), SMSvcService.exe (SHA256 99b80c5ac352081a64129772ed5e1543d94cad708ba2adc46dc4ab7a0bd563f1)
  • [AD artifacts & files] Credential theft targets – NTDS.dit and the SYSTEM registry hive (staged in temp paths such as C:\Windows\Temp and archived as History.zip or in archives produced by ronf.exe)
  • [Vulnerability / appliance] Exploited devices – CVE-2022-42475 on FortiGate (example of initial access via unpatched network perimeter appliance)
  • [Malware / botnet] Compromised infrastructure – KV Botnet–infected SOHO routers used as proxies and VPS hosts for multi‑hop C2
  • [PowerShell / scripts] Observed commands and scripts – PowerShell Get-EventLog … Out-File 'C:\users\public\documents\user.dat', and a logins.ps1 script that queries Event ID 4624 (used for logon discovery)

Volt Typhoon’s technical procedure centers on stealthy, LOTL post‑compromise activity: they perform extensive reconnaissance (web searches, Shodan/Censys/FOFA, and targeting IT staff emails), then exploit internet-facing appliances to gain access and establish VPN sessions for discreet entry. After initial access, operators seek administrative credentials—either from insecurely stored credentials on edge appliances or by extracting NTDS.dit via VSS/ntdsutil and copying the SYSTEM hive to decrypt hashes—then exfiltrate those files for offline cracking to obtain domain-wide credentials.

Following credential acquisition, the actors move laterally primarily through RDP and tools like PsExec, enumerate PuTTY sessions and browser data to reach OT-adjacent systems (vCenter, OMS), and stage sensitive OT/SCADA documentation for exfiltration over SMB. They avoid persistent malware on endpoints, preferring legitimate administrative binaries, PowerShell, WMIC, and memory-dumping techniques (MiniDump/comsvcs.dll, Magnet RAM Capture) while selectively clearing logs and obfuscating FRP clients with UPX to reduce detection.

Command-and-control leverages FRP reverse proxies (BrightmetricAgent.exe, SMSvcService.exe), multi-hop proxy chains (compromised SOHO routers / VPS), and internal portproxy modifications (netsh) on intermediary servers like PRTG. Detection and response should prioritize ESENT event IDs (216/325/326/327), RDP and Terminal Services logs, file and temp-directory monitoring for NTDS staging, PowerShell console histories, and network proxy/profile anomalies (use Zeek + gait telemetry), while assuming full domain compromise if NTDS.dit theft is detected.
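Two of the C2 indicators above can be checked on a host without any vendor tooling: the FRP client binaries (by the SHA256 hashes the advisory lists) and netsh portproxy entries of the kind the actors added on intermediary servers. The following is an added example, not code from the CISA advisory: it parses the output of `netsh interface portproxy show all` and matches a file inventory against the two advisory hashes and file names. The inventory, the netsh output and the "sensitive port" list are constructed assumptions; only the two hashes and file names come from the advisory.

```python
"""Host triage for the advisory's FRP binaries and portproxy pivots.

Added example, not part of the CISA advisory. SAMPLE_INVENTORY and
SAMPLE_NETSH are constructed; the IoC hashes and names are the advisory's."""
import re

# SHA256 -> file name, as listed in the advisory.
FRP_IOC_HASHES = {
    "edc0c63065e88ec96197c8d7a40662a15a812a9583dc6c82b18ecd7e43b13b70": "BrightmetricAgent.exe",
    "99b80c5ac352081a64129772ed5e1543d94cad708ba2adc46dc4ab7a0bd563f1": "SMSvcService.exe",
}
FRP_IOC_NAMES = {n.lower() for n in FRP_IOC_HASHES.values()}
# Forwarding to these services points at an internal pivot (assumption).
SENSITIVE_PORTS = {22, 445, 3389, 5985, 5986}

SECTION_RE = re.compile(r"Listen on (ipv[46]):\s+Connect to (ipv[46]):")
ENTRY_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$")

def parse_portproxy(text):
    """Parse `netsh interface portproxy show all` output into entry dicts."""
    entries, family = [], None
    for line in text.splitlines():
        m = SECTION_RE.search(line)
        if m:                                   # e.g. "Listen on ipv4: Connect to ipv4:"
            family = f"{m.group(1)}->{m.group(2)}"
            continue
        m = ENTRY_RE.match(line)                # header and dash rows fail the digit groups
        if m and family:
            entries.append({"family": family,
                            "listen_addr": m.group(1), "listen_port": int(m.group(2)),
                            "connect_addr": m.group(3), "connect_port": int(m.group(4))})
    return entries

def triage(file_inventory, portproxy_text):
    """Return findings for IoC hash/name matches and for every portproxy entry."""
    findings = []
    for path, sha256 in file_inventory:
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        digest = sha256.lower()
        if digest in FRP_IOC_HASHES:
            findings.append({"kind": "frp_hash_match", "severity": "critical",
                             "path": path, "ioc": FRP_IOC_HASHES[digest]})
        elif name.lower() in FRP_IOC_NAMES:     # same name, different build: still worth a look
            findings.append({"kind": "frp_name_match", "severity": "medium",
                             "path": path, "ioc": name})
    for entry in parse_portproxy(portproxy_text):
        # Any portproxy rule on a server that should not forward traffic is suspect;
        # forwarding into RDP/SMB/WinRM/SSH is treated as high.
        severity = "high" if entry["connect_port"] in SENSITIVE_PORTS else "medium"
        findings.append({"kind": "portproxy_entry", "severity": severity, **entry})
    return findings

# Constructed sample data (not from a real host).
SAMPLE_INVENTORY = [
    ("C:\\Windows\\Temp\\BrightmetricAgent.exe",
     "edc0c63065e88ec96197c8d7a40662a15a812a9583dc6c82b18ecd7e43b13b70"),
    ("C:\\Program Files\\Vendor\\SMSvcService.exe",
     "1111111111111111111111111111111111111111111111111111111111111111"),
    ("C:\\Windows\\System32\\notepad.exe",
     "2222222222222222222222222222222222222222222222222222222222222222"),
]
SAMPLE_NETSH = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         9443        10.20.30.15     3389
0.0.0.0         8088        10.20.30.40     8080
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY, SAMPLE_NETSH):
        print(f["severity"].upper(), f["kind"], f.get("path") or f"{f['listen_port']}->{f['connect_addr']}:{f['connect_port']}")
```

On a real host the inventory would come from hashing files under the temp and ProgramData paths the advisory names, and the netsh text from running the show command; a hash match is a confirmed indicator, whereas a name match or a portproxy entry is a lead to be checked against the server's documented role.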

Read more: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a