G1017 Volt Typhoon
Volt Typhoon is a People’s Republic of China (PRC) state-sponsored actor that has been active since at least 2021 primarily targeting critical infrastructure organizations in the US and its territories including Guam. Volt Typhoon’s targeting and pattern of behavior have been assessed as pre-positioning to enable lateral movement to operational technology (OT) assets for potential destructive or disruptive attacks. Volt Typhoon has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands on keyboard activities, and stolen credentials.1342
| Item | Value |
|---|---|
| ID | G1017 |
| Associated Names | BRONZE SILHOUETTE, Vanguard Panda, DEV-0391, UNC3236, Voltzite, Insidious Taurus |
| Version | 2.0 |
| Created | 27 July 2023 |
| Last Modified | 30 April 2025 |
| Navigation Layer | View In ATT&CK® Navigator |
Associated Group Descriptions
| Name | Description |
|---|---|
| BRONZE SILHOUETTE | 21 |
| Vanguard Panda | 1 |
| DEV-0391 | 1 |
| UNC3236 | 1 |
| Voltzite | 1 |
| Insidious Taurus | 1 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.001 | Local Account | Volt Typhoon has executed net user and quser to enumerate local account information.1 |
| enterprise | T1087.002 | Domain Account | Volt Typhoon has run net group /dom and net group "Domain Admins" /dom in compromised environments for account discovery.42 |
| enterprise | T1583 | Acquire Infrastructure | - |
| enterprise | T1583.003 | Virtual Private Server | KV Botnet Activity used acquired Virtual Private Servers as control systems for devices infected with KV Botnet malware.6 |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Versa Director Zero Day Exploitation established HTTPS communications from adversary-controlled SOHO devices over port 443 with compromised Versa Director servers.5 |
| enterprise | T1010 | Application Window Discovery | |
| Volt Typhoon has collected window title information from compromised systems.1 | |||
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.001 | Archive via Utility | Volt Typhoon has archived the ntds.dit database as a multi-volume password-protected archive with 7-Zip.21 |
| enterprise | T1217 | Browser Information Discovery | Volt Typhoon has targeted the browsing history of network administrators.1 |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | Volt Typhoon has used PowerShell including for remote system discovery.341 |
| enterprise | T1059.003 | Windows Command Shell | Volt Typhoon has used the Windows command line to perform hands-on-keyboard activities in targeted environments including for discovery.3421 |
| enterprise | T1059.004 | Unix Shell | Volt Typhoon has used Brightmetricagent.exe which contains a command- line interface (CLI) library that can leverage command shells including Z Shell (zsh).1 |
| enterprise | T1584 | Compromise Infrastructure | - |
| enterprise | T1584.003 | Virtual Private Server | Volt Typhoon has compromised Virtual Private Servers (VPS) to proxy C2 traffic.1 |
| enterprise | T1584.004 | Server | Volt Typhoon has used compromised Paessler Router Traffic Grapher (PRTG) servers from other organizations for C2.21 |
| enterprise | T1584.005 | Botnet | |
| Volt Typhoon Volt Typhoon has used compromised Cisco and NETGEAR end-of-life SOHO routers implanted with KV Botnet malware to support operations.1 | |||
| enterprise | T1584.008 | Network Devices | Volt Typhoon has compromised small office and home office (SOHO) network edge devices, many of which were located in the same geographic area as the victim, to proxy network traffic.34 |
| enterprise | T1555 | Credentials from Password Stores | Volt Typhoon has attempted to obtain credentials from OpenSSH, realvnc, and PuTTY.4 |
| enterprise | T1555.003 | Credentials from Web Browsers | |
| enterprise | T1005 | Data from Local System | Volt Typhoon has stolen files from a sensitive file server and the Active Directory database from targeted environments, and used Wevtutil to extract event log information.421 |
| enterprise | T1074 | Data Staged | Volt Typhoon has staged collected data in password-protected archives.3 |
| enterprise | T1074.001 | Local Data Staging | Volt Typhoon has saved stolen files including the ntds.dit database and the SYSTEM and SECURITY Registry hives locally to the C:\Windows\Temp\ directory.42 |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Volt Typhoon has used Base64-encoded data to transfer payloads and commands, including deobfuscation via certutil.2 |
| enterprise | T1587 | Develop Capabilities | - |
| enterprise | T1587.001 | Malware | Versa Director Zero Day Exploitation involved the development of a new web shell variant, VersaMem.5 |
| enterprise | T1587.004 | Exploits | |
| Volt Typhoon has exploited zero-day vulnerabilities for initial access.1 | |||
| enterprise | T1006 | Direct Volume Access | |
Volt Typhoon has executed the Windows-native vssadmin command to create volume shadow copies.1 |
|||
| enterprise | T1573 | Encrypted Channel | KV Botnet Activity command and control activity includes transmission of an RSA public key in communication from the server, but this is followed by subsequent negotiation stages that represent a form of handshake similar to TLS negotiation.6 |
| enterprise | T1573.001 | Symmetric Cryptography | Volt Typhoon has used a version of the Awen web shell that employed AES encryption and decryption for C2 communications.2 |
| enterprise | T1573.002 | Asymmetric Cryptography | Versa Director Zero Day Exploitation used HTTPS for command and control of compromised Versa Director servers.5 |
| enterprise | T1546 | Event Triggered Execution | KV Botnet Activity involves managing events on victim systems via libevent to execute a callback function when any running process contains the following references in their path without also having a reference to bioset: busybox, wget, curl, tftp, telnetd, or lua. If the bioset string is not found, the related process is terminated.6 |
| enterprise | T1190 | Exploit Public-Facing Application | Volt Typhoon has gained initial access through exploitation of multiple vulnerabilities in internet-facing software and appliances such as Fortinet, Ivanti (formerly Pulse Secure), NETGEAR, Citrix, and Cisco.21 |
| enterprise | T1068 | Exploitation for Privilege Escalation | |
| Volt Typhoon has gained initial access by exploiting privilege escalation vulnerabilities in the operating system or network services.1 | |||
| enterprise | T1133 | External Remote Services | Volt Typhoon has used VPNs to connect to victim environments and enable post-exploitation actions.1 |
| enterprise | T1083 | File and Directory Discovery | Volt Typhoon has enumerated directories containing vulnerability testing and cyber related content and facilities data such as construction drawings.1 |
| enterprise | T1222 | File and Directory Permissions Modification | - |
| enterprise | T1222.002 | Linux and Mac File and Directory Permissions Modification | KV Botnet Activity altered permissions on downloaded tools and payloads to enable execution on victim machines.6 |
| enterprise | T1592 | Gather Victim Host Information | Volt Typhoon has conducted pre-compromise reconnaissance for victim host information.1 |
| enterprise | T1589 | Gather Victim Identity Information | Volt Typhoon has gathered victim identify information during pre-compromise reconnaissance. 1 |
| enterprise | T1589.002 | Email Addresses | Volt Typhoon has targeted the personal emails of key network and IT staff at victim organizations.1 |
| enterprise | T1590 | Gather Victim Network Information | Volt Typhoon has conducted extensive pre-compromise reconnaissance to learn about the target organization’s network.1 |
| enterprise | T1590.004 | Network Topology | |
| Volt Typhoon has conducted extensive reconnaissance of victim networks including identifying network topologies.1 | |||
| enterprise | T1590.006 | Network Security Appliances | Volt Typhoon has identified target network security measures as part of pre-compromise reconnaissance.1 |
| enterprise | T1591 | Gather Victim Org Information | Volt Typhoon has conducted extensive reconnaissance pre-compromise to gain information about the targeted organization.1 |
| enterprise | T1591.004 | Identify Roles | Volt Typhoon has identified key network and IT staff members pre-compromise at targeted organizations.1 |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.013 | Bind Mounts | KV Botnet Activity leveraged a bind mount to bind itself to the /proc/ file path before deleting its files from the /tmp/ directory.6 |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | KV Botnet Activity used various scripts to remove or disable security tools, such as http_watchdog and firewallsd, as well as tools related to other botnet infections, such as mips_ff, on victim devices.6 |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.001 | Clear Windows Event Logs | |
| Volt Typhoon has selectively cleared Windows Event Logs, system logs, and other technical artifacts to remove evidence of intrusion activity.1 | |||
| enterprise | T1070.004 | File Deletion | Volt Typhoon has run rd /S to delete their working directories and deleted systeminfo.dat from C:\Users\Public\Documentsfiles.21 |
| enterprise | T1070.007 | Clear Network Connection History and Configurations | Volt Typhoon has inspected server logs to remove their IPs.2 |
| enterprise | T1105 | Ingress Tool Transfer | |
| Volt Typhoon has downloaded an outdated version of comsvcs.dll to a compromised domain controller in a non-standard folder.1 | |||
| enterprise | T1056 | Input Capture | Versa Director Zero Day Exploitation intercepted and harvested credentials from user logins to compromised devices.5 |
| enterprise | T1056.001 | Keylogging | Volt Typhoon has created and accessed a file named rult3uil.log on compromised domain controllers to capture keypresses and command execution.1 |
| enterprise | T1570 | Lateral Tool Transfer | Volt Typhoon has copied web shells between servers in targeted environments.2 |
| enterprise | T1680 | Local Storage Discovery | Volt Typhoon has discovered file system types, drive names, size, and free space on compromised systems.3421 |
| enterprise | T1654 | Log Enumeration | Volt Typhoon has used wevtutil.exe and the PowerShell command Get-EventLog security to enumerate Windows logs to search for successful logons.41 |
| enterprise | T1036 | Masquerading | KV Botnet Activity involves changing process filename to pr_set_mm_exe_file and process name to pr_set_name during later infection stages.6 |
| enterprise | T1036.004 | Masquerade Task or Service | KV Botnet Activity installation steps include first identifying, then stopping, any process containing [kworker\/0:1], then renaming its initial installation stage to this process name.6 |
| enterprise | T1036.005 | Match Legitimate Resource Name or Location | Volt Typhoon has used legitimate looking filenames for compressed copies of the ntds.dit database and used names including cisco_up.exe, cl64.exe, vm3dservice.exe, watchdogd.exe, Win.exe, WmiPreSV.exe, and WmiPrvSE.exe for the Earthworm and Fast Reverse Proxy tools.421 |
| enterprise | T1036.008 | Masquerade File Type | Volt Typhoon has appended copies of the ntds.dit database with a .gif file extension.2 |
| enterprise | T1112 | Modify Registry | |
Volt Typhoon has used netsh to create a PortProxy Registry modification on a compromised server running the Paessler Router Traffic Grapher (PRTG).1 |
|||
| enterprise | T1046 | Network Service Discovery | Volt Typhoon has used commercial tools, LOTL utilities, and appliances already present on the system for network service discovery.1 |
| enterprise | T1095 | Non-Application Layer Protocol | Versa Director Zero Day Exploitation used a non-standard TCP session to initialize communication prior to establishing HTTPS command and control.5 |
| enterprise | T1571 | Non-Standard Port | KV Botnet Activity generates a random port number greater than 30,000 to serve as the listener for subsequent command and control activity.6 |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.002 | Software Packing | |
| Volt Typhoon has used the Ultimate Packer for Executables (UPX) to obfuscate the FRP client files BrightmetricAgent.exe and SMSvcService.ex) and the port scanning utility ScanLine.1 | |||
| enterprise | T1588 | Obtain Capabilities | - |
| enterprise | T1588.002 | Tool | Volt Typhoon has used legitimate network and forensic tools and customized versions of open-source tools for C2.31 |
| enterprise | T1588.006 | Vulnerabilities | Volt Typhoon has used publicly available exploit code for initial access.1 |
| enterprise | T1003 | OS Credential Dumping | - |
| enterprise | T1003.001 | LSASS Memory | Volt Typhoon has attempted to access hashed credentials from the LSASS process memory space.31 |
| enterprise | T1003.003 | NTDS | Volt Typhoon has used ntds.util to create domain controller installation media containing usernames and password hashes.3421 |
| enterprise | T1120 | Peripheral Device Discovery | Volt Typhoon has obtained victim’s screen dimension and display device information.1 |
| enterprise | T1069 | Permission Groups Discovery | Volt Typhoon has used commercial tools, LOTL utilities, and appliances already present on the system for group and user discovery.1 |
| enterprise | T1069.001 | Local Groups | |
Volt Typhoon has run net localgroup administrators in compromised environments to enumerate accounts.4 |
|||
| enterprise | T1069.002 | Domain Groups | Volt Typhoon has run net group in compromised environments to discover domain groups.2 |
| enterprise | T1057 | Process Discovery | Volt Typhoon has enumerated running processes on targeted systems including through the use of Tasklist.321 |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.009 | Proc Memory | KV Botnet Activity final payload installation includes mounting and binding to the \/proc\/ filepath on the victim system to enable subsequent operation in memory while also removing on-disk artifacts.6 |
| enterprise | T1090 | Proxy | Volt Typhoon has used compromised devices and customized versions of open source tools such as FRP (Fast Reverse Proxy), Earthworm, and Impacket to proxy network traffic.341 |
| enterprise | T1090.001 | Internal Proxy | Volt Typhoon has used the built-in netsh port proxy command to create proxies on compromised systems to facilitate access.31 |
| enterprise | T1090.003 | Multi-hop Proxy | Volt Typhoon has used multi-hop proxies for command-and-control infrastructure.1 |
| enterprise | T1012 | Query Registry | Volt Typhoon has queried the Registry on compromised systems, reg query hklm\software\, for information on installed software including PuTTY.41 |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.001 | Remote Desktop Protocol | Volt Typhoon has moved laterally to the Domain Controller via RDP using a compromised account with domain administrator privileges.1 |
| enterprise | T1018 | Remote System Discovery | Volt Typhoon has used multiple methods, including Ping, to enumerate systems on compromised networks.32 |
| enterprise | T1113 | Screen Capture | Volt Typhoon has obtained a screenshot of the victim’s system using the gdi32.dll and gdiplus.dll libraries.1 |
| enterprise | T1596 | Search Open Technical Databases | - |
| enterprise | T1596.005 | Scan Databases | Volt Typhoon has used FOFA, Shodan, and Censys to search for exposed victim infrastructure.1 |
| enterprise | T1593 | Search Open Websites/Domains | Volt Typhoon has conducted pre-compromise web searches for victim information.1 |
| enterprise | T1594 | Search Victim-Owned Websites | Volt Typhoon has conducted pre-compromise reconnaissance on victim-owned sites.1 |
| enterprise | T1505 | Server Software Component | - |
| enterprise | T1505.003 | Web Shell | Volt Typhoon has used webshells, including ones named AuditReport.jspx and iisstart.aspx, in compromised environments.2 |
| enterprise | T1518 | Software Discovery | Volt Typhoon has queried the Registry on compromised systems for information on installed software.41 |
| enterprise | T1518.001 | Security Software Discovery | KV Botnet Activity involved removal of security tools, as well as other identified IOT malware, from compromised devices.6 |
| enterprise | T1218 | System Binary Proxy Execution | |
| Volt Typhoon has used native tools and processes including living off the land binaries or “LOLBins” to maintain and expand access to the victim networks.1 | |||
| enterprise | T1082 | System Information Discovery | KV Botnet Activity includes use of native system tools, such as uname, to obtain information about victim device architecture, as well as gathering other system information such as the victim’s hosts file and CPU utilization.6 |
| enterprise | T1614 | System Location Discovery | Volt Typhoon has obtained the victim’s system current location.1 |
| enterprise | T1016 | System Network Configuration Discovery | Volt Typhoon has executed multiple commands to enumerate network topology and settings including ipconfig, netsh interface firewall show all, and netsh interface portproxy show all.4 |
| enterprise | T1016.001 | Internet Connection Discovery | |
| Volt Typhoon has employed Ping to check network connectivity.1 | |||
| enterprise | T1049 | System Network Connections Discovery | |
Volt Typhoon has used netstat -ano on compromised hosts to enumerate network connections.42 |
|||
| enterprise | T1033 | System Owner/User Discovery | |
Volt Typhoon has used public tools and executed the PowerShell command Get-EventLog security -instanceid 4624 to identify associated user and computer account names.421 |
|||
| enterprise | T1007 | System Service Discovery | Volt Typhoon has used net start to list running services.1 |
| enterprise | T1124 | System Time Discovery | |
| Volt Typhoon has obtained the victim’s system timezone.1 | |||
| enterprise | T1552 | Unsecured Credentials | |
| Volt Typhoon has obtained credentials insecurely stored on targeted network appliances.1 | |||
| enterprise | T1552.004 | Private Keys | |
| Volt Typhoon has accessed a Local State file that contains the AES key used to encrypt passwords stored in the Chrome browser.1 | |||
| enterprise | T1078 | Valid Accounts | |
| Volt Typhoon relies primarily on valid credentials for persistence.1 | |||
| enterprise | T1078.002 | Domain Accounts | Volt Typhoon has used compromised domain accounts to authenticate to devices on compromised networks.321 |
| enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| enterprise | T1497.001 | System Checks | Volt Typhoon has run system checks to determine if they were operating in a virtualized environment.3 |
| enterprise | T1047 | Windows Management Instrumentation | Volt Typhoon has leveraged WMIC for execution, remote system discovery, and to create and use temporary directories.3421 |
Software
References
-
CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
Counter Threat Unit Research Team. (2023, May 24). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations. Retrieved July 27, 2023. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved July 27, 2023. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
NSA et al. (2023, May 24). People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
Black Lotus Labs. (2024, August 27). Taking The Crossroads: The Versa Director Zero-Day Exploitaiton. Retrieved August 27, 2024. ↩↩↩↩↩↩
-
Black Lotus Labs. (2023, December 13). Routers Roasting On An Open Firewall: The KV-Botnet Investigation. Retrieved June 10, 2024. ↩↩↩↩↩↩↩↩↩↩↩↩
-
US Department of Justice. (2024, January 31). U.S. Government Disrupts Botnet People’s Republic of China Used to Conceal Hacking of Critical Infrastructure. Retrieved June 10, 2024. ↩