ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Report
Search
Home > List all groups > Volt Typhoon

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Volt Typhoon

NamesVolt Typhoon (Microsoft)
Vanguard Panda (CrowdStrike)
Bronze Silhouette (SecureWorks)
VOLTZITE (Dragos)
CountryChina China
SponsorState-sponsored
MotivationInformation theft and espionage
First seen2020
Description(Microsoft) Microsoft has uncovered stealthy and targeted malicious activity focused on post-compromise credential access and network system discovery aimed at critical infrastructure organizations in the United States. The attack is carried out by Volt Typhoon, a state-sponsored actor based in China that typically focuses on espionage and information gathering. Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.

Volt Typhoon has been active since mid-2021 and has targeted critical infrastructure organizations in Guam and elsewhere in the United States. In this campaign, the affected organizations span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. Observed behavior suggests that the threat actor intends to perform espionage and maintain access without being detected for as long as possible. Microsoft is choosing to highlight this Volt Typhoon activity at this time because of our significant concern around the potential for further impact to our customers. Although our visibility into these threats has given us the ability to deploy detections to our customers, the lack of visibility into other parts of the actor’s activity compelled us to drive broader community awareness and further investigations and protections across the security ecosystem.
ObservedSectors: Construction, Education, Government, Industrial, IT, Maritime and Shipbuilding, Manufacturing, Telecommunications, Transportation, Utilities.
Countries: Australia, India, UK, USA.
Tools usedFRP, Impacket, Living off the Land.
Operations performedJun 2021Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations
<https://www.secureworks.com/blog/chinese-cyberespionage-group-bronze-silhouette-targets-us-government-and-defense-organizations>
Feb 2022Routers Roasting on an Open Firewall: the KV-botnet Investigation
<https://blog.lumen.com/routers-roasting-on-an-open-firewall-the-kv-botnet-investigation/>
Jun 2023Analysis of CVE-2023-27997 and Clarifications on Volt Typhoon Campaign
<https://www.fortinet.com/blog/psirt-blogs/analysis-of-cve-2023-27997-and-clarifications-on-volt-typhoon-campaign>
Jun 2023Business as Usual: Falcon Complete MDR Thwarts Novel VANGUARD PANDA (Volt Typhoon) Tradecraft
<https://www.crowdstrike.com/blog/falcon-complete-thwarts-vanguard-panda-tradecraft/>
Jul 2023China's Volt Typhoon APT Burrows Deeper Into US Critical Infrastructure
<https://www.darkreading.com/vulnerabilities-threats/china-s-volt-typhoon-apt-burrows-us-critical-infrastructure>
Dec 2023Volt Typhoon Compromises 30% of Cisco RV320/325 Devices in 37 Days
<https://resources.securityscorecard.com/research/volt-typhoon>
Dec 2023KV-Botnet: Don’t call it a Comeback
<https://blog.lumen.com/kv-botnet-dont-call-it-a-comeback/>
Jun 2024Taking the Crossroads: The Versa Director Zero-Day Exploitation
<https://blog.lumen.com/taking-the-crossroads-the-versa-director-zero-day-exploitation/>
Counter operationsDec 2023U.S. Government Disrupts Botnet People’s Republic of China Used to Conceal Hacking of Critical Infrastructure
<https://www.justice.gov/opa/pr/us-government-disrupts-botnet-peoples-republic-china-used-conceal-hacking-critical>
Information<https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/>
<https://www.securityweek.com/mandiant-intelligence-chief-raises-alarm-over-chinas-volt-typhoon-hackers-in-us-critical-infrastructure/>
<https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a>
<https://hub.dragos.com/hubfs/116-Datasheets/Dragos_IntelBrief_VOLTZITE_FINAL.pdf>
<https://blog.barracuda.com/2024/03/14/volt-typhoon-future-war>
<https://www.cisa.gov/sites/default/files/2024-03/Fact-Sheet-PRC-State-Sponsored-Cyber-Activity-Actions-for-Critical-Infrastructure-Leaders-508c.pdf>
<https://www.reuters.com/technology/cybersecurity/fbi-says-chinese-hackers-preparing-attack-us-infrastructure-2024-04-18/>
<https://therecord.media/china-accused-misusing-western-cybersecurity-research-volt-typhoon>
<https://therecord.media/china-cyber-agency-claims-us-interference-volt-typhoon-research>
<https://thehackernews.com/2024/10/china-accuses-us-of-fabricating-volt.html>

Last change to this card: 24 October 2024

Download this actor card in PDF or JSON format

Previous: Volatile Cedar
Next: Wassonite

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]