Volt Typhoon is a Chinese state-sponsored advanced persistent threat (APT) group, also known by aliases such as Vanguard Panda, Bronze Silhouette, Dev-0391, UNC3236, Voltzite, and Insidious Taurus. The group has been active since at least mid-2021 and is primarily focused on targeting U.S. critical infrastructure sectors, including communications, energy, transportation, and water systems. Volt Typhoon’s operations are characterized by stealth, persistence, and a focus on pre-positioning within networks for potential disruptive or destructive attacks, especially in the event of geopolitical tensions or military conflict involving the United States.
Key Characteristics
• Affiliation: Believed to operate on behalf of the People’s Republic of China (PRC), likely linked to the People’s Liberation Army.
• Primary Objectives: Pre-positioning in IT networks to enable lateral movement to operational technology (OT) assets, with the goal of disrupting or destroying critical services during crises.
• Target Sectors: Communications, energy, transportation, water and wastewater, and other critical infrastructure in the U.S. and its territories (notably Guam), as well as allied countries.
• Tactics: Extensive use of “living off the land” (LOTL) techniques, leveraging legitimate administrative tools and valid credentials for persistence and lateral movement, rather than deploying traditional malware. They frequently exploit vulnerabilities in internet-facing appliances (Fortinet, Cisco, NETGEAR, etc.) and use compromised SOHO devices as proxies to hide their activity.
Techniques and Procedures
• Initial Access: Exploitation of vulnerabilities in public-facing network appliances (e.g., Fortinet, Cisco, NETGEAR, Ivanti, Citrix).
• Persistence: Use of valid credentials, VPN sessions, and minimal malware to blend in with legitimate traffic.
• Lateral Movement: RDP, PsExec, and use of stolen credentials to access domain controllers and OT systems.
• Data Collection: Focus on gathering information that would facilitate follow-on actions with physical impacts, such as SCADA diagrams and OT network details.
• Command and Control: Proxying C2 traffic through compromised SOHO routers and VPS infrastructure, often using self-signed certificates and encrypted channels.
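As an added illustration of how the RDP and PsExec lateral movement described above surfaces in Windows logs, the following detection logic is example code written for this page, not taken from the original text or any cited report; the host names, user names, IP addresses and the sensitive-host lists are constructed assumptions.

```python
"""Flag living-off-the-land lateral-movement patterns in Windows event logs."""
from collections import defaultdict

# Constructed sample events (not real telemetry). Fields mirror common Windows
# Security/System log attributes: 4624 = logon (type 10 = RDP/RemoteInteractive),
# 7045 = a new service was installed (PsExec installs PSEXESVC on the target).
EVENTS = [
    {"host": "DC01", "event_id": 4624, "logon_type": 10, "user": "svc_backup", "src_ip": "10.0.5.23"},
    {"host": "WS-ACCT-07", "event_id": 4624, "logon_type": 10, "user": "jdoe", "src_ip": "10.0.9.4"},
    {"host": "DC01", "event_id": 7045, "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "FS02", "event_id": 4624, "logon_type": 3, "user": "svc_backup", "src_ip": "10.0.5.23"},
    {"host": "SCADA-HMI-1", "event_id": 4624, "logon_type": 10, "user": "svc_backup", "src_ip": "10.0.5.23"},
]

# Assumed environment knowledge: which hosts are crown jewels and where admin RDP normally originates.
DOMAIN_CONTROLLERS = {"DC01"}
OT_HOSTS = {"SCADA-HMI-1"}
ADMIN_JUMP_HOSTS = {"10.0.1.10"}


def detect(events):
    """Return (finding_type, subject, detail) tuples for suspicious activity."""
    findings = []
    rdp_hosts_by_user = defaultdict(set)
    for e in events:
        # PsExec leaves a service-install trail even when no malware is dropped.
        if e["event_id"] == 7045 and e.get("service_name", "").upper() == "PSEXESVC":
            findings.append(("psexec_service_install", e["host"], e["service_name"]))
        # Interactive RDP into a DC or OT host from outside the admin jump hosts.
        if e["event_id"] == 4624 and e.get("logon_type") == 10:
            rdp_hosts_by_user[e["user"]].add(e["host"])
            if e["host"] in DOMAIN_CONTROLLERS | OT_HOSTS and e["src_ip"] not in ADMIN_JUMP_HOSTS:
                findings.append(("rdp_to_sensitive_host", e["host"], e["user"]))
    # One credential used for RDP across several hosts is typical of valid-account reuse.
    for user, hosts in rdp_hosts_by_user.items():
        if len(hosts) >= 2:
            findings.append(("credential_reuse_across_hosts", user, sorted(hosts)))
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Real deployments would pull these fields from the Security and System channels (or a SIEM) instead of the constructed list, and tune the jump-host and sensitive-host sets to the environment.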
Indicators of Compromise (IP Addresses)
Volt Typhoon’s infrastructure is highly dynamic, but recent public threat intelligence reports have attributed specific IP addresses to their campaigns. Because the infrastructure rotates, any such list is a point-in-time snapshot and should be checked against current reporting before use.