Introduction

One event in the rapidly evolving digital landscape has underscored the rising complexity of cyberattacks and the threat they pose: Volt Typhoon. This Chinese-based Advanced Persistent Threat (APT) targeted critical infrastructure within the United States, relying on Living-off-the-Land (LotL) techniques and exploiting undisclosed vulnerabilities in Fortinet systems. As we delve into the inner workings of this cyberattack, we aim to explore its progression, the mechanisms behind its detection, and the valuable insights it offers.

Understanding the Volt Typhoon Cyberattack

The Volt Typhoon cyberattack was not just another infiltration; it was a strategically planned campaign that targeted the foundational sectors of the U.S., including power grids, communication systems, and transportation networks. Using LotL techniques, the attackers abused legitimate tools and processes already present on the systems, making malicious activity hard to distinguish from routine administration. With these techniques, Chinese-based threat actors were able to maintain undetected persistence since mid-2023.

LotL techniques are a strategy in which attackers leverage the tools and software already built into a system to carry out their activities. These strategies are stealthy because they introduce no foreign malware that could be readily detected; instead, they turn the system's own resources against it. In the Volt Typhoon attack, the threat actors used these techniques to the fullest, relying on existing system features to carry out each stage of the attack.

Unraveling the Volt Typhoon Attack

Chinese-based threat actors gained their initial foothold by exploiting a Fortinet VPN remote code execution vulnerability that was unknown at the time (CVE-2023-27997). Volt Typhoon then dumped credential hashes from LSASS and used a Windows executable to move the hashes to a remote location where they could be cracked.

To maintain persistence and establish Command and Control, Volt Typhoon primarily used valid credentials to access the network. In a few instances, however, they created proxies on the compromised systems using built-in Windows commands as well as custom versions of Impacket and Fast Reverse Proxy.

A crucial part of this infiltration involved the misuse of PowerShell scripts. PowerShell, an integral part of the Windows operating system, offers a robust scripting language capable of a wide array of powerful commands. These very capabilities became a threat when wielded maliciously. The threat actors weaponized PowerShell to launch harmful scripts, download additional payloads, and later move laterally within the network, all while maintaining the appearance of regular user behavior.

The attackers also showcased their cunning by manipulating network and system management tools to maintain a persistent presence within the network and execute multiple attack stages. They exploited tools such as Microsoft's Scheduled Tasks and Windows Management Instrumentation (WMI), ensuring the success of their campaign while eluding detection.

Microsoft initially spotted signs of the Volt Typhoon attack during routine traffic analysis. Despite the attack's stealth and sophistication, anomalies in network traffic, an unusual surge in PowerShell activity, and irregular use of administrative tools such as Scheduled Tasks and WMI were noticeable. These subtle yet significant deviations from standard operations triggered a comprehensive digital forensics and incident response (DFIR) investigation.
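The detection signals described above (a PowerShell surge, Scheduled Task creation, WMI use, and the built-in proxy configuration mentioned earlier) can be expressed as simple correlation rules over endpoint telemetry. The following is an added example written for this article, not code from Microsoft, TraceSecurity, or any Volt Typhoon report: it parses constructed Windows Security (4688 process creation, 4698 scheduled task created) and Sysmon (10 process access) records, flags each behaviour, and then groups the findings per host so that a machine showing several LotL signals together rises to the top of the triage queue. The thresholds, the allowlist of legitimate LSASS accessors, and every log line are assumptions for illustration and would need tuning against real telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). Format per line:
# "timestamp | host | event_id | user | detail"
# 4688 = Security: process created, 4698 = Security: scheduled task created,
# 10 = Sysmon: process access. Command lines use placeholders, not real payloads.
SAMPLE_LOG = r"""
2023-06-01T02:01:10 | ws-17 | 4688 | svc_backup | powershell.exe -NoProfile -EncodedCommand <base64-placeholder>
2023-06-01T02:01:40 | ws-17 | 4688 | svc_backup | powershell.exe -NoProfile -w hidden -File C:\Temp\stage2.ps1
2023-06-01T02:02:05 | ws-17 | 4688 | svc_backup | powershell.exe -NoProfile -c Invoke-WmiMethod -ComputerName fs-02 -Class Win32_Process
2023-06-01T02:03:30 | ws-17 | 4698 | svc_backup | TaskName: \Microsoft\Windows\UpdateHelper Action: C:\Temp\stage2.ps1
2023-06-01T02:04:00 | ws-17 | 10 | svc_backup | SourceImage: C:\Temp\tool.exe TargetImage: C:\Windows\system32\lsass.exe
2023-06-01T02:05:15 | ws-17 | 4688 | svc_backup | netsh interface portproxy add v4tov4 listenport=<port> connectaddress=<host>
2023-06-01T09:15:00 | ws-03 | 4688 | alice | powershell.exe -File C:\Scripts\daily-report.ps1
2023-06-01T09:16:00 | ws-03 | 4688 | alice | excel.exe
"""

# Tunable assumptions: three PowerShell launches by one user on one host
# within ten minutes counts as a surge; only these images may open LSASS.
PS_SURGE_THRESHOLD = 3
PS_SURGE_WINDOW = timedelta(minutes=10)
LSASS_ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}


def parse_log(text):
    """Turn the flattened log text into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, eid, user, detail = [p.strip() for p in line.split(" | ", 4)]
        records.append({"ts": datetime.fromisoformat(ts), "host": host,
                        "event_id": int(eid), "user": user, "detail": detail})
    return records


def detect(records):
    """Return (rule, host, user) tuples for each LotL behaviour observed."""
    findings = []
    ps_launches = defaultdict(list)  # (host, user) -> PowerShell launch times
    for r in sorted(records, key=lambda rec: rec["ts"]):
        host, user, d = r["host"], r["user"], r["detail"].lower()
        if r["event_id"] == 4688 and "powershell" in d:
            key = (host, user)
            ps_launches[key].append(r["ts"])
            recent = [t for t in ps_launches[key] if r["ts"] - t <= PS_SURGE_WINDOW]
            if len(recent) == PS_SURGE_THRESHOLD:  # fire once per window
                findings.append(("powershell_surge", host, user))
            # Encoded commands hide script content from casual review.
            if "-encodedcommand" in d or re.search(r"\s-e(nc)?\s", d):
                findings.append(("encoded_powershell", host, user))
        if r["event_id"] == 4688 and any(k in d for k in ("wmic", "invoke-wmimethod", "get-wmiobject")):
            findings.append(("wmi_remote_exec", host, user))
        if r["event_id"] == 4698:
            findings.append(("scheduled_task_created", host, user))
        if r["event_id"] == 10 and "lsass.exe" in d:
            m = re.search(r"sourceimage:\s*(\S+)", d)
            source = m.group(1) if m else "<unknown>"
            if source not in LSASS_ALLOWED_SOURCES:
                findings.append(("lsass_access", host, user))
        if r["event_id"] == 4688 and "netsh" in d and "portproxy" in d:
            findings.append(("portproxy_configured", host, user))
    return findings


def score_hosts(findings):
    """Correlate: map each host to the set of distinct rules it triggered.
    A host with several distinct LotL signals deserves the earliest look."""
    per_host = defaultdict(set)
    for rule, host, _user in findings:
        per_host[host].add(rule)
    return dict(per_host)


if __name__ == "__main__":
    hits = detect(parse_log(SAMPLE_LOG))
    for rule, host, user in hits:
        print(f"{host:6} {user:12} {rule}")
    for host, rules in sorted(score_hosts(hits).items(), key=lambda kv: -len(kv[1])):
        print(f"{host}: {len(rules)} distinct LotL signals -> {sorted(rules)}")
```

The point of `score_hosts` is the lesson the article draws: no single signal here is conclusive (administrators do create scheduled tasks and run PowerShell), but a host that shows a PowerShell surge, task creation, WMI use, an LSASS read by an unexpected image, and a new port proxy within a few minutes is exactly the deviation from baseline that warrants a DFIR investigation. The `ws-03` records, a user running a report script and Excel during business hours, produce no findings at all.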

Conclusion

The Volt Typhoon cyberattack presents an invaluable learning opportunity for enhancing cybersecurity defenses. It underlines the potential for LotL techniques and system vulnerabilities to be weaponized for malicious ends, and it highlights the importance of vigilant network monitoring, swift detection of anomalies, and robust incident response mechanisms and processes. By studying and understanding such cyberattacks, we can better equip ourselves to safeguard our digital landscape against the cybersecurity challenges of the future.

By Joshua Ivy, Information Security Analyst

Joshua is a new addition to the TraceSecurity team, bringing with him a wealth of experience from 20 years of service in the US Navy, with his last two years spent as an ISSM in Virginia Beach. He currently holds multiple industry certifications, most notably, CompTIA Security+, Pentest+, CySA, and is looking forward to graduating with a Bachelor's in Cybersecurity Technologies by the end of 2024. At TraceSecurity, he primarily focuses on penetration tests, risk assessments, and IT security audits.