Key points
- Volt Typhoon is a suspected Chinese state-sponsored threat actor group infiltrating firewalls, routers, and VPNs in critical infrastructure organizations worldwide.
- The group targeted vendors including Fortinet, Ivanti Connect Secure, NETGEAR, Citrix, and Cisco to gain initial access.
- It maintained an undetected presence for up to five years through strong operational security and the use of a botnet (KV Botnet) of compromised routers as proxies.
- The compromised devices, often older Cisco and NETGEAR routers, helped Volt Typhoon stay under the radar by leveraging local IP addresses.
- Living-off-the-land techniques and legitimate network/admin tools were used to blend in with normal activity and evade security alerts.
- Threat hunting and MITRE ATT&CK mapping (including references to WMIC, PowerShell, and Unix shell) are emphasized to identify Volt Typhoon activity.
- Remediation has included a DoJ operation (Jan 31, 2024) and an updated advisory (Feb 7, 2024) reporting new TTPs and mitigations.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Volt Typhoon gained initial access by exploiting vulnerabilities in widely used edge devices. Quote: “exploited vulnerabilities in commonly used network applications from vendors including Fortinet, Ivanti Connect Secure (formerly Pulse Secure), NETGEAR, Citrix and Cisco.”
- [T1090] Proxy – The group routed intrusions through a botnet of compromised routers, whose local IP addresses helped it stay under the radar. Quote: “The group… was composed of compromised small and home office routers… used as proxies for intrusions.”
- [T1059] Command and Scripting Interpreter – Volt Typhoon’s activities include PowerShell commands and Unix shell usage. Quote: “Volt Typhoon commands seen in PowerShell’s console history” and “the same technique with the Unix shell.”
- [T1047] Windows Management Instrumentation – WMIC was used for discovery and enumeration. Quote: “WMIC Windows Internal Discovery and Enumeration”; the article also notes one mistyped attempt at the intended command: “they tried one time to use the ‘wmic’ command but misspelled it to ‘wminc’.”
- [T1592] Gather Victim Host Information – The advisory notes this technique as an example: “T1592, which is Gather Victim Host Information.”
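As an added illustration of the console-history hunting the write-up describes (this is not code from Intel 471 or the article), the Python script below scans a constructed PowerShell history for WMIC discovery commands and for one-character misspellings of wmic such as the “wminc” slip quoted above; the watch list beyond wmic and the edit-distance rule are my assumptions, not the article's.

```python
import re
from typing import List, Tuple

# Constructed sample in the style of a PowerShell ConsoleHost_history.txt file.
# Not taken from the article; the "wminc" line mirrors the misspelling it describes.
SAMPLE_HISTORY = """Get-ChildItem C:\\Users
wminc process list brief
wmic /node:localhost os get Caption,Version
ipconfig /all
netstat -ano
Get-Date
wmic useraccount list full
"""

# Built-in discovery tools worth reviewing when hunting living-off-the-land activity.
# "wmic" is the page's case; the others are an assumption added for the example.
WATCHED = {"wmic", "ipconfig", "netstat", "net", "whoami", "systeminfo"}


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch typos such as 'wminc' for 'wmic'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(command: str) -> Tuple[str, str]:
    """Return (verdict, tool) for one history line: 'exact', 'typo', or '' for no hit."""
    first = re.split(r"\s+", command.strip(), 1)[0].lower()
    if first.endswith(".exe"):          # treat 'wmic.exe' like 'wmic'
        first = first[:-4]
    if not first:
        return ("", "")
    if first in WATCHED:
        return ("exact", first)
    # Typo check only against wmic: a single-character slip on the 4-letter name
    if edit_distance(first, "wmic") == 1:
        return ("typo", "wmic")
    return ("", "")


def hunt(history: str) -> List[Tuple[int, str, str, str]]:
    """Scan every history line; return (line_no, verdict, tool, command) for each hit."""
    hits = []
    for n, line in enumerate(history.splitlines(), 1):
        verdict, tool = classify(line)
        if verdict:
            hits.append((n, verdict, tool, line.strip()))
    return hits


if __name__ == "__main__":
    for n, verdict, tool, cmd in hunt(SAMPLE_HISTORY):
        print(f"line {n}: {verdict:5} {tool:9} {cmd}")
```

Run against real history files (per user, under AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine) the same function flags both well-formed and mistyped WMIC invocations for analyst review.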
Indicators of Compromise
- [File Name] brightmetricagent.exe – The article cites this filename as an IoC reference. Example: “brightmetricagent.exe.”
- [Hash] brightmetricagent.exe – The MD5 and SHA256 hashes of brightmetricagent.exe are referenced as quick-search indicators; the hash values themselves are not reproduced in this excerpt.
Read more: https://intel471.com/blog/threat-hunting-case-study-looking-for-volt-typhoon