{
	"id": "bfc70c9f-a4d9-4cbe-8747-aaa9746b54c0",
	"created_at": "2026-04-06T00:11:43.979781Z",
	"updated_at": "2026-04-10T03:34:44.454529Z",
	"deleted_at": null,
	"sha1_hash": "6c07fcc8dca923a0b97859c232caa47c7b7a7493",
	"title": "PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 655249,
	"plain_text": "PRC State-Sponsored Actors Compromise and Maintain Persistent\r\nAccess to U.S. Critical Infrastructure | CISA\r\nPublished: 2024-02-07 · Archived: 2026-04-02 10:42:18 UTC\r\n1. Apply patches for internet-facing systems. Prioritize patching critical vulnerabilities in appliances known to be\r\nfrequently exploited by Volt Typhoon.\r\n2. Implement phishing-resistant MFA.\r\n3. Ensure logging is turned on for application, access, and security logs and store logs in a central system.\r\n4. Plan “end of life” for technology beyond manufacturer’s supported lifecycle.\r\nSUMMARY\r\nThe Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of\r\nInvestigation (FBI) assess that People’s Republic of China (PRC) state-sponsored cyber actors are seeking to pre-position\r\nthemselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a\r\nmajor crisis or conflict with the United States.\r\nCISA, NSA, FBI and the following partners are releasing this advisory to warn critical infrastructure organizations about\r\nthis assessment, which is based on observations from the U.S. authoring agencies’ incident response activities at critical\r\ninfrastructure organizations compromised by the PRC state-sponsored cyber group known as Volt Typhoon (also known as\r\nVanguard Panda, BRONZE SILHOUETTE, Dev-0391, UNC3236, Voltzite, and Insidious Taurus):\r\nU.S. Department of Energy (DOE)\r\nU.S. Environmental Protection Agency (EPA)\r\nU.S. Transportation Security Administration (TSA)\r\nAustralian Signals Directorate’s (ASD’s) Australian Cyber Security Centre (ACSC)\r\nCanadian Centre for Cyber Security (CCCS), a part of the Communications Security Establishment (CSE)\r\nUnited Kingdom National Cyber Security Centre (NCSC-UK)\r\nNew Zealand National Cyber Security Centre (NCSC-NZ)\r\nThe U.S. 
authoring agencies have confirmed that Volt Typhoon has compromised the IT environments of multiple critical\r\ninfrastructure organizations—primarily in Communications, Energy, Transportation Systems, and Water and Wastewater\r\nSystems Sectors—in the continental and non-continental United States and its territories, including Guam. Volt Typhoon’s\r\nchoice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering\r\noperations, and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning\r\nthemselves on IT networks to enable lateral movement to OT assets to disrupt functions. The U.S. authoring agencies are\r\nconcerned about the potential for these actors to use their network access for disruptive effects in the event of potential\r\ngeopolitical tensions and/or military conflicts. CCCS assesses that the direct threat to Canada’s critical infrastructure from\r\nPRC state-sponsored actors is likely lower than that to U.S. infrastructure, but should U.S. infrastructure be disrupted,\r\nCanada would likely be affected as well, due to cross-border integration. ASD’s ACSC and NCSC-NZ assess Australian and\r\nNew Zealand critical infrastructure, respectively, could be vulnerable to similar activity from PRC state-sponsored actors.\r\nAs the authoring agencies have previously highlighted, the use of living off the land (LOTL) techniques is a hallmark of Volt\r\nTyphoon actors’ malicious cyber activity when targeting critical infrastructure. The group also relies on valid accounts and\r\nleverages strong operational security, which, combined, allow for long-term undiscovered persistence. In fact, the U.S.\r\nauthoring agencies have recently observed indications of Volt Typhoon actors maintaining access and footholds within some\r\nvictim IT environments for at least five years. 
Volt Typhoon actors conduct extensive pre-exploitation reconnaissance to\r\nlearn about the target organization and its environment; tailor their tactics, techniques, and procedures (TTPs) to the victim’s\r\nenvironment; and dedicate ongoing resources to maintaining persistence and understanding the target environment over\r\ntime, even after initial compromise.\r\nThe authoring agencies urge critical infrastructure organizations to apply the mitigations in this advisory and to hunt for\r\nsimilar malicious activity using the guidance herein provided, along with the recommendations found in joint guide\r\nIdentifying and Mitigating Living Off the Land Techniques. These mitigations are primarily intended for IT and OT\r\nadministrators in critical infrastructure organizations. Following the mitigations for prevention of or in response to an\r\nincident will help disrupt Volt Typhoon’s accesses and reduce the threat to critical infrastructure entities.\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a\r\nPage 1 of 26\n\nIf activity is identified, the authoring agencies strongly recommend that critical infrastructure organizations apply the\r\nincident response recommendations in this advisory and report the incident to the relevant agency (see Contact Information\r\nsection).\r\nFor additional information, see joint advisory People’s Republic of China State-Sponsored Cyber Actor Living off the Land\r\nto Evade Detection and U.S. Department of Justice (DOJ) press release U.S. Government Disrupts Botnet People’s Republic\r\nof China Used to Conceal Hacking of Critical Infrastructure. 
For more information on PRC state-sponsored malicious cyber\r\nactivity, see CISA’s China Cyber Threat Overview and Advisories webpage.\r\nDownload the PDF version of this report:\r\nRead the accompanying Malware Analysis Report: MAR-10448362-1.v1 Volt Typhoon.\r\nFor a downloadable copy of indicators of compromise (IOCs), see:\r\nTECHNICAL DETAILS\r\nNote: This advisory uses the MITRE ATT\u0026CK for Enterprise framework, version 14. See Appendix C: MITRE ATT\u0026CK\r\nTactics and Techniques section for tables of the Volt Typhoon cyber threat actors’ activity mapped to MITRE ATT\u0026CK®\r\ntactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT\u0026CK framework, see CISA\r\nand MITRE ATT\u0026CK’s Best Practices for MITRE ATT\u0026CK Mapping and CISA’s Decider Tool .\r\nOverview of Activity\r\nIn May 2023, the authoring agencies—working with industry partners—disclosed information about activity attributed to\r\nVolt Typhoon (see joint advisory People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade\r\nDetection). Since then, CISA, NSA, and FBI have determined that this activity is part of a broader campaign in which Volt\r\nTyphoon actors have successfully infiltrated the networks of critical infrastructure organizations in the continental and non-continental United States and its territories, including Guam.\r\nThe U.S. authoring agencies have primarily observed compromises linked to Volt Typhoon in Communications, Energy,\r\nTransportation Systems, and Water and Wastewater Systems sector organizations’ IT networks. Some victims are smaller\r\norganizations with limited cybersecurity capabilities that provide critical services to larger organizations or key geographic\r\nlocations.\r\nVolt Typhoon actors tailor their TTPs to the victim environment; however, the U.S. authoring agencies have observed the\r\nactors typically following the same pattern of behavior across identified intrusions. 
Their choice of targets and pattern of\r\nbehavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S. authoring\r\nagencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable the\r\ndisruption of OT functions across multiple critical infrastructure sectors (see Figure 1).\r\n1. Volt Typhoon conducts extensive pre-compromise reconnaissance to learn about the target organization’s\r\nnetwork architecture and operational protocols. This reconnaissance includes identifying network topologies,\r\nsecurity measures, typical user behaviors, and key network and IT staff. The intelligence gathered by Volt Typhoon\r\nactors is likely leveraged to enhance their operational security. For example, in some instances, Volt Typhoon actors\r\nmay have abstained from using compromised credentials outside of normal working hours to avoid triggering\r\nsecurity alerts on abnormal account activities.\r\n2. Volt Typhoon typically gains initial access to the IT network by exploiting known or zero-day vulnerabilities in\r\npublic-facing network appliances (e.g., routers, virtual private networks [VPNs], and firewalls) and then connects to\r\nthe victim’s network via VPN for follow-on activities.\r\n3. Volt Typhoon aims to obtain administrator credentials within the network, often by exploiting privilege\r\nescalation vulnerabilities in the operating system or network services. In some cases, Volt Typhoon has obtained\r\ncredentials insecurely stored on a public-facing network appliance.\r\n4. Volt Typhoon uses valid administrator credentials to move laterally to the domain controller (DC) and other\r\ndevices via remote access services such as Remote Desktop Protocol (RDP).\r\n5. Volt Typhoon conducts discovery in the victim’s network, leveraging LOTL binaries for stealth. 
A key tactic\r\nincludes using PowerShell to perform targeted queries on Windows event logs, focusing on specific users and\r\nperiods. These queries facilitate the discreet extraction of security event logs into .dat files, allowing Volt Typhoon\r\nactors to gather critical information while minimizing detection. This strategy, blending in-depth pre-compromise\r\nreconnaissance with meticulous post-exploitation intelligence collection, underscores their sophisticated and strategic\r\napproach to cyber operations.\r\n6. Volt Typhoon achieves full domain compromise by extracting the Active Directory database ( NTDS.dit ) from\r\nthe DC. Volt Typhoon frequently employs the Volume Shadow Copy Service (VSS) using command-line utilities\r\nsuch as vssadmin to access NTDS.dit . The NTDS.dit file is a centralized repository that contains critical Active\r\nDirectory data, including user accounts, passwords (in hashed form), and other sensitive data, which can be leveraged\r\nfor further exploitation. This method entails the creation of a shadow copy—a point-in-time snapshot—of the volume\r\nhosting the NTDS.dit file. By leveraging this snapshot, Volt Typhoon actors effectively bypass the file locking\r\nmechanisms inherent in a live Windows environment, which typically prevent direct access to the NTDS.dit file\r\nwhile the domain controller is operational.\r\n7. Volt Typhoon likely uses offline password cracking techniques to decipher these hashes. This process involves\r\nextracting the hashes from the NTDS.dit file and then applying various password cracking methods, such as brute\r\nforce attacks, dictionary attacks, or more sophisticated techniques like rainbow tables to uncover the plaintext\r\npasswords. The successful decryption of these passwords allows Volt Typhoon actors to obtain elevated access and\r\nfurther infiltrate and manipulate the network.\r\n8. 
Volt Typhoon uses elevated credentials for strategic network infiltration and additional discovery, often\r\nfocusing on gaining capabilities to access OT assets. Volt Typhoon actors have been observed testing access to\r\ndomain-joined OT assets using default OT vendor credentials, and in certain instances, they have possessed the\r\ncapability to access OT systems whose credentials were compromised via NTDS.dit theft. This access enables\r\npotential disruptions, such as manipulating heating, ventilation, and air conditioning (HVAC) systems in server\r\nrooms or disrupting critical energy and water controls, leading to significant infrastructure failures (in some cases,\r\nVolt Typhoon actors had the capability to access camera surveillance systems at critical infrastructure facilities). In\r\none confirmed compromise, Volt Typhoon actors moved laterally to a control system and were positioned to move to\r\na second control system.\r\nFigure 1: Typical Volt Typhoon Activity\r\nAfter successfully gaining access to legitimate accounts, Volt Typhoon actors exhibit minimal activity within the\r\ncompromised environment (except discovery as noted above), suggesting their objective is to maintain persistence rather\r\nthan immediate exploitation. This assessment is supported by observed patterns where Volt Typhoon methodically re-targets\r\nthe same organizations over extended periods, often spanning several years, to continuously validate and potentially enhance\r\ntheir unauthorized accesses. Evidence of their meticulous approach is seen in instances where they repeatedly exfiltrate\r\ndomain credentials, ensuring access to current and valid accounts. For example, in one compromise, Volt Typhoon likely\r\nextracted NTDS.dit from three domain controllers in a four-year period. 
In another compromise, Volt Typhoon actors\r\nextracted NTDS.dit two times from a victim in a nine-month period.\r\nIndustry reporting—identifying that Volt Typhoon actors are silent on the network following credential dumping and\r\nperform discovery to learn about the environment, but do not exfiltrate data—is consistent with the U.S. authoring agencies’\r\nobservations. This indicates their aim is to achieve and maintain persistence on the network. In one confirmed compromise,\r\nan industry partner observed Volt Typhoon actors dumping credentials at regular intervals.\r\nIn addition to leveraging stolen account credentials, the actors use LOTL techniques and avoid leaving malware artifacts on\r\nsystems that would cause alerts. Their strong focus on stealth and operational security allows them to maintain long-term,\r\nundiscovered persistence. Further, Volt Typhoon’s operational security is enhanced by targeted log deletion to conceal their\r\nactions within the compromised environment.\r\nSee the below sections for Volt Typhoon TTPs observed by the U.S. authoring agencies from multiple confirmed Volt\r\nTyphoon compromises.\r\nObserved TTPs\r\nReconnaissance\r\nVolt Typhoon actors conduct extensive pre-compromise reconnaissance [TA0043 ] to learn about the target organization\r\n[T1591 ], its network [T1590 ], and its staff [T1589 ]. This includes web searches [T1593 ]—including victim-owned\r\nsites [T1594 ]—for victim host [T1592 ], identity, and network information, especially for information on key network\r\nand IT administrators. According to industry reporting, Volt Typhoon actors use FOFA[1 ], Shodan, and Censys for\r\nquerying or searching for exposed infrastructure. In some instances, the U.S. 
authoring agencies have observed Volt\r\nTyphoon actors targeting the personal emails of key network and IT staff [T1589.002 ] post compromise.\r\nResource Development\r\nHistorically, Volt Typhoon actors use multi-hop proxies for command and control (C2) infrastructure [T1090.003 ]. The\r\nproxy is typically composed of virtual private servers (VPSs) [T1583.003 ] or small office/home office (SOHO) routers.\r\nRecently, Volt Typhoon actors used Cisco and NETGEAR end-of-life SOHO routers implanted with KV Botnet malware to\r\nsupport their operations [T1584.005 ]. (See DOJ press release U.S. Government Disrupts Botnet People’s Republic of\r\nChina Used to Conceal Hacking of Critical Infrastructure for more information).\r\nInitial Access\r\nTo obtain initial access [TA0001 ], Volt Typhoon actors commonly exploit vulnerabilities in networking appliances such as\r\nthose from Fortinet, Ivanti Connect Secure (formerly Pulse Secure), NETGEAR, Citrix, and Cisco [T1190 ]. They often\r\nuse publicly available exploit code for known vulnerabilities [T1588.005 ] but are also adept at discovering and exploiting\r\nzero-day vulnerabilities [T1587.004 ].\r\nIn one confirmed compromise, Volt Typhoon actors likely obtained initial access by exploiting CVE-2022-42475 in a\r\nnetwork perimeter FortiGate 300D firewall that was not patched. There is evidence of a buffer overflow attack\r\nidentified within the Secure Sockets Layer (SSL)-VPN crash logs.\r\nOnce initial access is achieved, Volt Typhoon actors typically shift to establishing persistent access [TA0003 ]. They often\r\nuse VPN sessions to securely connect to victim environments [T1133 ], enabling discreet follow-on intrusion activities.\r\nThis tactic not only provides a stable foothold in the network but also allows them to blend in with regular traffic,\r\nsignificantly reducing their chances of detection.\r\nExecution\r\nVolt Typhoon actors rarely use malware for post-compromise execution. 
Instead, once Volt Typhoon actors gain access to\r\ntarget environments, they use hands-on-keyboard activity via the command-line [T1059 ] and other native tools and\r\nprocesses on systems [T1218 ] (often referred to as “LOLBins”), known as LOTL, to maintain and expand access to the\r\nvictim networks. According to industry reporting, some “commands appear to be exploratory or experimental, as the\r\noperators [i.e., malicious actors] adjust and repeat them multiple times.”[2 ]\r\nFor more details on LOTL activity, see the Credential Access and Discovery sections and Appendix A: Volt Typhoon LOTL\r\nActivity.\r\nSimilar to LOTL, Volt Typhoon actors also use legitimate but outdated versions of network admin tools. For example, in one\r\nconfirmed compromise, actors downloaded [T1105 ] an outdated version of comsvcs.dll on the DC in a non-standard\r\nfolder. comsvcs.dll is a legitimate Microsoft Dynamic Link Library (DLL) file normally found in the System32 folder.\r\nThe actors used this DLL with MiniDump and the process ID of the Local Security Authority Subsystem Service (LSASS)\r\nto dump the LSASS process memory [T1003.001 ] and obtain credentials (LSASS process memory space contains hashes\r\nfor the current user’s operating system (OS) credentials).\r\nThe actors also use legitimate non-native network admin and forensic tools. For example, Volt Typhoon actors have been\r\nobserved using Magnet RAM Capture (MRC) version 1.20 on domain controllers. MRC is a free imaging tool that captures\r\nthe physical memory of a computer, and Volt Typhoon actors likely used it to analyze in-memory data for sensitive\r\ninformation (such as credentials) and in-transit data not typically accessible on disk. 
Volt Typhoon actors have also been\r\nobserved implanting Fast Reverse Proxy (FRP) for command and control.[3 ] (See the Command and Control section).\r\nPersistence\r\nVolt Typhoon primarily relies on valid credentials for persistence [T1078 ].\r\nDefense Evasion\r\nVolt Typhoon has strong operational security. Their actors primarily use LOTL for defense evasion [TA0005 ], which\r\nallows them to camouflage their malicious activity with typical system and network behavior, potentially circumventing\r\nsimplistic endpoint security capabilities. For more information, see joint guide Identifying and Mitigating Living off the\r\nLand Techniques.\r\nVolt Typhoon actors also obfuscate their malware. In one confirmed compromise, Volt Typhoon obfuscated FRP client files\r\n( BrightmetricAgent.exe and SMSvcService.exe ) and the command-line port scanning utility ScanLine by packing the\r\nfiles with Ultimate Packer for Executables (UPX) [T1027.002 ]. FRP client applications support encryption, compression,\r\nand easy token authentication and work across multiple protocols—including transmission control protocol (TCP), user\r\ndatagram protocol (UDP), hypertext transfer protocol (HTTP), and hypertext transfer protocol secure (HTTPS). The FRP\r\nclient applications use the Kuai connection protocol (KCP) for error-checked and anonymous data stream delivery over\r\nUDP, with packet-level encryption support. 
See Appendix C and CISA Malware Analysis Report (MAR)-10448362-1.v1 for\r\nmore information.\r\nIn addition to LOTL and obfuscation techniques, Volt Typhoon actors have been observed selectively clearing Windows\r\nEvent Logs [T1070.001 ], system logs, and other technical artifacts to remove evidence [T1070.009 ] of their intrusion\r\nactivity and masquerading file names [T1036.005 ].\r\nCredential Access\r\nVolt Typhoon actors first obtain credentials from public-facing appliances after gaining initial access by exploiting privilege\r\nescalation vulnerabilities [T1068 ] in the operating system or network services. In some cases, they have obtained\r\ncredentials insecurely stored on the appliance [T1552 ]. In one instance, where Volt Typhoon likely exploited CVE-2022-42475\r\nin an unpatched Fortinet device, Volt Typhoon actors compromised a domain admin account stored inappropriately on\r\nthe device.\r\nVolt Typhoon also consistently obtains valid credentials by extracting the Active Directory database file ( NTDS.dit )—in\r\nsome cases multiple times from the same victim over long periods [T1003.003 ]. NTDS.dit contains usernames, hashed\r\npasswords, and group memberships for all domain accounts, essentially allowing for full domain compromise if the hashes\r\ncan be cracked offline.\r\nTo obtain NTDS.dit , the U.S. authoring agencies have observed Volt Typhoon:\r\n1. Move laterally [TA0008 ] to the domain controller via an interactive RDP session using a compromised account\r\nwith domain administrator privileges [T1021.001 ];\r\n2. Execute the Windows-native vssadmin [T1006 ] command to create a volume shadow copy;\r\n3. Use Windows Management Instrumentation Console (WMIC) commands [T1047 ] to execute ntdsutil (a LOTL\r\nutility) to copy NTDS.dit and SYSTEM registry hive from the volume shadow copy; and\r\n4. Exfiltrate [TA0010 ] NTDS.dit and SYSTEM registry hive to crack passwords offline [T1110.002 ]. 
(For more\r\ndetails, including specific commands used, see Appendix A: Volt Typhoon LOTL Activity.)\r\nNote: A volume shadow copy contains a copy of all the files and folders that exist on the specified volume. Each\r\nvolume shadow copy created on a DC includes its NTDS.dit and the SYSTEM registry hive, which provides keys to\r\ndecrypt the NTDS.dit file.\r\nVolt Typhoon actors have also been observed interacting with a PuTTY application by enumerating existing stored sessions\r\n[T1012 ]. Given this interaction and the exposure of cleartext-stored proxy passwords used in remote administration, Volt\r\nTyphoon actors potentially had access to PuTTY profiles that allow access to critical systems (see the Lateral Movement\r\nsection).\r\nAccording to industry reporting, Volt Typhoon actors attempted to dump credentials through LSASS (see Appendix B for\r\ncommands used).[2 ]\r\nThe U.S. authoring agencies have observed Volt Typhoon actors leveraging Mimikatz to harvest credentials, and industry\r\npartners have observed Volt Typhoon leveraging Impacket .[2 ]\r\nMimikatz is a credential dumping tool and Volt Typhoon actors use it to obtain credentials. In one confirmed\r\ncompromise, Volt Typhoon actors used RDP to connect to a server and run Mimikatz after leveraging a compromised\r\nadministrator account to deploy it.\r\nImpacket is an open source Python toolkit for programmatically constructing and manipulating network protocols. 
It\r\ncontains tools for Kerberos manipulation, Windows credential dumping, packet sniffing, and relay attacks—as well\r\nas remote service execution.\r\nDiscovery\r\nVolt Typhoon actors have been observed using commercial tools, LOTL utilities, and appliances already present on the\r\nsystem for system information [T1082 ], network service [T1046 ], group [T1069 ] and user [T1033 ] discovery.\r\nVolt Typhoon uses at least the following LOTL tools and commands for system information, network service, group, and\r\nuser discovery techniques:\r\ncmd\r\ncertutil\r\ndnscmd\r\nldifde\r\nmakecab\r\nnet user/group/use\r\nnetsh\r\nnltest\r\nnetstat\r\nntdsutil\r\nping\r\nPowerShell\r\nquser\r\nreg query/reg save\r\nsysteminfo\r\ntasklist\r\nwevtutil\r\nwhoami\r\nwmic\r\nxcopy\r\nSome observed specific examples of discovery include:\r\nCapturing successful logon events [T1654 ].\r\nSpecifically, in one incident, analysis of the PowerShell console history of a domain controller indicated that\r\nsecurity event logs were directed to a file named user.dat , as evidenced by the executed command Get-EventLog security -instanceid 4624 -after [year-month-date] | fl * | Out-File\r\n'C:\\users\\public\\documents\\user.dat' . This indicates the group's specific interest in capturing successful\r\nlogon events (event ID 4624 ) to analyze user authentication patterns within the network. 
Additionally, file\r\nsystem analysis, specifically of the Master File Table (MFT), uncovered evidence of a separate file,\r\nsysteminfo.dat , which was created in C:\\Users\\Public\\Documents but subsequently deleted [T1070.004].\r\nThe presence of these activities suggests a methodical approach by Volt Typhoon actors in collecting and then\r\npossibly removing traces of sensitive log information from the compromised system.\r\nExecuting tasklist /v to gather a detailed process listing [T1057 ], followed by executing taskkill /f /im\r\nrdpservice.exe (the function of this executable is not known).\r\nExecuting net user and quser for user account information [T1087.001 ].\r\nCreating and accessing a file named rult3uil.log on a domain controller in C:\\Windows\\System32\\ . The\r\nrult3uil.log file contained user activities on a compromised system, showcasing a combination of window title\r\ninformation [T1010 ] and focus shifts, keypresses, and command executions across Google Chrome and Windows\r\nPowerShell, with corresponding timestamps.\r\nEmploying ping with various IP addresses to check network connectivity [T1016.001 ] and net start to list\r\nrunning services [T1007 ].\r\nSee Appendix A for additional LOTL examples.\r\nIn one confirmed compromise, Volt Typhoon actors attempted to use Advanced IP Scanner, which was on the network for\r\nadmin use, to scan the network.\r\nVolt Typhoon actors have been observed strategically targeting network administrator web browser data—focusing on both\r\nbrowsing history and stored credentials [T1555.003 ]—to facilitate targeting of personal email addresses (see the\r\nReconnaissance section) for further discovery and possible network modifications that may impact the threat actor’s\r\npersistence within victim networks.\r\nIn one confirmed compromise:\r\nVolt Typhoon actors obtained the history file from the User Data directory of a network administrator user’s\r\nChrome browser. 
To obtain the history file, Volt Typhoon actors first executed an RDP session to the user’s\r\nworkstation where they initially attempted, and failed, to obtain the C$ File Name: users\\\r\n{redacted}\\appdata\\local\\Google\\Chrome\\UserData\\default\\History file, as evidenced by the accompanying\r\n1016 (reopen failed) SMB error listed in the application event log. The threat actors then disconnected the RDP\r\nsession to the workstation and accessed the file C:\\Users\\{redacted}\\Downloads\\History.zip . This file\r\npresumably contained data from the User Data directory of the user’s Chrome browser, which the actors likely saved\r\nin the Downloads directory for exfiltration [T1074 ]. Shortly after accessing the history.zip file, the actors\r\nterminated RDP sessions.\r\nAbout four months later, Volt Typhoon actors accessed the same user’s Chrome data C$ File Name: Users\\\r\n{redacted}\\AppData\\Local\\Google\\Chrome\\User Data\\Local State and $ File Name: Users\\\r\n{redacted}\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data via SMB. The Local State file contains\r\nthe Advanced Encryption Standard (AES) encryption key [T1552.004 ] used to encrypt the passwords stored in the\r\nChrome browser, which would enable the actors to obtain plaintext passwords stored in the Login Data file in the\r\nChrome browser.\r\nIn another confirmed compromise, Volt Typhoon actors accessed directories containing Chrome and Edge user data on\r\nmultiple systems. Directory interaction was observed over the network to paths such as C:\\Users\\\r\n{redacted}\\AppData\\Local\\Google\\Chrome\\User Data\\ and C:\\Users\\{redacted}\\AppData\\Local\\Microsoft\\Edge\\User\r\nData\\ . 
They also enumerated several directories, including directories containing vulnerability testing and cyber related\r\ncontent and facilities data, such as construction drawings [T1083 ].\r\nLateral Movement\r\nFor lateral movement, Volt Typhoon actors have been observed predominantly employing RDP with compromised valid\r\nadministrator credentials. Note: With a full on-premises Microsoft Active Directory identity compromise (see the Credential\r\nAccess section), the group may be capable of using other methods such as Pass the Hash or Pass the Ticket for lateral\r\nmovement [T1550 ].\r\nIn one confirmed compromise of a Water and Wastewater Systems Sector entity, after obtaining initial access, Volt Typhoon\r\nactors connected to the network via a VPN with administrator credentials they obtained and opened an RDP session with the\r\nsame credentials to move laterally. Over a nine-month period, they moved laterally to a file server, a domain controller, an\r\nOracle Management Server (OMS), and a VMware vCenter server. The actors obtained domain credentials from the domain\r\ncontroller and performed discovery, collection, and exfiltration on the file server (see the Discovery and Collection and\r\nExfiltration sections).\r\nVolt Typhoon’s movement to the vCenter server was likely strategic for pre-positioning to OT assets. The vCenter server\r\nwas adjacent to OT assets, and Volt Typhoon actors were observed interacting with the PuTTY application on the server by\r\nenumerating existing stored sessions. With this information, Volt Typhoon potentially had access to a range of critical\r\nPuTTY profiles, including those for water treatment plants, water wells, an electrical substation, OT systems, and network\r\nsecurity devices. This would enable them to access these critical systems [T1563 ]. 
See Figure 2.\r\nFigure 2: Volt Typhoon Lateral Movement Path File Server, DC, and OT-Adjacent Assets\r\nAdditionally, Volt Typhoon actors have been observed using PSExec to execute remote processes, including the automated\r\nacceptance of the end-user license agreement (EULA) through an administrative account, signified by the accepteula\r\ncommand flag.\r\nVolt Typhoon actors may have attempted to move laterally to a cloud environment in one victim’s network but direct\r\nattribution to the Volt Typhoon group was inconclusive. During the period of their known network presence, there were\r\nanomalous login attempts to an Azure tenant [T1021.007 ] potentially using credentials [T1078.004 ] previously\r\ncompromised from theft of NTDS.dit . These attempts, coupled with misconfigured virtual machines with open RDP ports,\r\nsuggested a potential for cloud-based lateral movement. However, subsequent investigations, including password changes\r\nand multifactor authentication (MFA) implementations, revealed authentication failures from non-associated IP addresses,\r\nwith no definitive link to Volt Typhoon.\r\nCollection and Exfiltration\r\nThe U.S. authoring agencies assess Volt Typhoon primarily collects information that would facilitate follow-on actions with\r\nphysical impacts. For example, in one confirmed compromise, they collected [TA0009 ] sensitive information obtained\r\nfrom a file server in multiple zipped files [T1560 ] and likely exfiltrated [TA0010 ] the files via Server Message Block\r\n(SMB) [T1048 ] (see Figure 3). Collected information included diagrams and documentation related to OT equipment,\r\nincluding supervisory control and data acquisition (SCADA) systems, relays, and switchgear. 
This data is crucial for understanding and potentially impacting critical infrastructure systems, indicating a focus on gathering intelligence that could be leveraged in actions targeting physical assets and systems.

Figure 3: Volt Typhoon Attack Path for Exfiltration of Data from File Server

In another compromise, Volt Typhoon actors leveraged WMIC to create and use temporary directories (C:\Users\Public\pro, C:\Windows\Temp\tmp, C:\Windows\Temp\tmp\Active Directory, and C:\Windows\Temp\tmp\registry) to stage the ntds.dit and SYSTEM registry hive extracted from volume shadow copies created by ntdsutil (see the Credential Access section) obtained from two DCs. They then compressed and archived the extracted ntds.dit and accompanying registry files by executing ronf.exe, which was likely a renamed version of the archive utility rar.exe [T1560.001].

Command and Control

Volt Typhoon actors have been observed leveraging compromised SOHO routers and virtual private servers (VPS) to proxy C2 traffic. For more information, see the DOJ press release U.S. Government Disrupts Botnet People's Republic of China Used to Conceal Hacking of Critical Infrastructure.

They have also been observed setting up FRP clients [T1090] on a victim's corporate infrastructure to establish covert communications channels [T1573] for command and control. In one instance, Volt Typhoon actors implanted the FRP client with filename SMSvcService.exe on a ShoreTel Enterprise Contact Center (ECC) server and a second FRP client with filename Brightmetricagent.exe on another server. These clients, when executed via PowerShell [T1059.001], open reverse proxies between the compromised system and Volt Typhoon C2 servers. Brightmetricagent.exe has additional capabilities. The FRP client can locate servers behind a network firewall or obscured through Network Address Translation (NAT) [T1016]. It also contains multiplexer libraries that can bi-directionally stream data over NAT networks and contains a command-line interface (CLI) library that can leverage command shells such as PowerShell, Windows Management Instrumentation (WMI), and Z Shell (zsh) [T1059.004]. See Appendix C and MAR-10448362-1.v1 for more information.

In the same compromise, Volt Typhoon actors exploited a Paessler Router Traffic Grapher (PRTG) server as an intermediary for their FRP operations. To facilitate this, they used the netsh command, a legitimate Windows command, to create a PortProxy registry modification [T1112] on the PRTG server [T1090.001]. This key alteration redirected specific port traffic to Volt Typhoon's proxy infrastructure, effectively converting the PRTG server into a proxy for their C2 traffic [T1584.004] (see Appendix B for details).

DETECTION/HUNT RECOMMENDATIONS

Apply Living off the Land Detection Best Practices

Apply the prioritized detection and hardening best practice recommendations provided in the joint guide Identifying and Mitigating Living off the Land Techniques. Many organizations lack security and network management best practices (such as established baselines) that support detection of malicious LOTL activity; this makes it difficult for network defenders to discern legitimate behavior from malicious behavior and to conduct behavior analytics, anomaly detection, and proactive hunting. Conventional IOCs associated with the malicious activity are generally lacking, complicating network defenders' efforts to identify, track, and categorize this sort of malicious behavior.
This advisory provides guidance for a multifaceted cybersecurity strategy that enables behavior analytics, anomaly detection, and proactive hunting, which are part of a comprehensive approach to mitigating cyber threats that employ LOTL techniques.

Review Application, Security, and System Event Logs

Routinely review application, security, and system event logs, focusing on Windows Extensible Storage Engine Technology (ESENT) Application Logs. Because Volt Typhoon is capable of long-term undetected persistence, network defenders should assume significant dwell time and review specific application event log IDs, which remain on endpoints for longer periods compared to security event logs and other ephemeral artifacts. Focus on Windows ESENT logs because certain ESENT Application Log event IDs (216, 325, 326, and 327) may indicate actors copying NTDS.dit.

See Table 1 for examples of ESENT and other key log indicators that should be investigated. Please note that incidents may not always have exact matches to the Event Detail column due to variations in event logging and TTPs.

Table 1: Key Log Indicators for Detecting Volt Typhoon Activity

Event ID 216 (Windows ESENT Application Log)
  Event Detail: A database location change was detected from 'C:\Windows\NTDS\ntds.dit' to '\\?\GLOBALROOT\Device\{redacted}VolumeShadowCopy1\Windows\NTDS\ntds.dit'
  Description: A change in the NTDS.dit database location is detected. This could suggest an initial step in NTDS credential dumping where the database is being prepared for extraction.

Event ID 325 (Windows ESENT Application Log)
  Event Detail: The database engine created a new database (2, C:\Windows\Temp\tmp\Active Directory\ntds.dit).
  Description: Indicates creation of a new NTDS.dit file in a non-standard directory. Often a sign of data staging for exfiltration. Monitor for unusual database operations in temp directories.

Event ID 637 (Windows ESENT Application Log)
  Event Detail: C:\Windows\Temp\tmp\Active Directory\ntds.jfm-++- (0) New flush map file "C:\Windows\Temp\tmp\Active Directory\ntds.jfm" will be created to enable persisted lost flush detection.
  Description: A new flush map file is being created for NTDS.dit. This may suggest ongoing operations related to NTDS credential dumping, potentially capturing uncommitted changes to the NTDS.dit file.

Event ID 326 (Windows ESENT Application Log)
  Event Detail: NTDS-++-12460,D,100-++--++-1-++-C:\$SNAP_{redacted}_VOLUMEC$\Windows\NTDS\ntds.dit-++-0-++- [1] The database engine attached a database. Began mounting of C:\Windows\NTDS\ntds.dit file created from volume shadow copy process
  Description: Represents the mounting of an NTDS.dit file from a volume shadow copy. This is a critical step in NTDS credential dumping, indicating active manipulation of a domain controller's data.

Event ID 327 (Windows ESENT Application Log)
  Event Detail: C:\Windows\Temp\tmp\Active Directory\ntds.dit-++-1-++- [1] The database engine detached a database (2, C:\Windows\Temp\tmp\Active Directory\ntds.dit). Completion of mounting of ntds.dit file to C:\Windows\Temp\tmp\Active Directory
  Description: The detachment of a database, particularly in a temp directory, could indicate the completion of a credential dumping process, potentially as part of exfiltration preparations.

Event ID 21 (Windows Terminal Services Local Session Manager Operational Log)
  Event Detail: Remote Desktop Services: Session logon succeeded: User: {redacted}\{redacted} Session ID: {redacted} Source Network Address: {redacted}
  Description: Successful authentication to a Remote Desktop Services session.

Event ID 22 (Windows Terminal Services Local Session Manager Operational Log)
  Event Detail: Remote Desktop Services: Shell start notification received: User: {redacted}\{redacted} Session ID: {redacted} Source Network Address: {redacted}
  Description: Successful start of a new Remote Desktop session. This may imply lateral movement or unauthorized remote access, especially if the user or session is unexpected.

Event ID 23 (Windows Terminal Services Local Session Manager Operational Log)
  Event Detail: Remote Desktop Services: Session logoff succeeded: User: {redacted}\{redacted} Session ID: {redacted}
  Description: Successful logoff of Remote Desktop session.

Event ID 24 (Windows Terminal Services Local Session Manager Operational Log)
  Event Detail: Remote Desktop Services: Session has been disconnected: User: {redacted}\{redacted} Session ID: {redacted} Source Network Address: {redacted}
  Description: Remote Desktop session disconnected by user or due to network connectivity issues.

Event ID 25 (Windows Terminal Services Local Session Manager Operational Log)
  Event Detail: Remote Desktop Services: Session reconnection succeeded: User: {redacted}\{redacted} Session ID: {redacted} Source Network Address: {redacted}
  Description: Successful reconnection to a Remote Desktop Services session. This may imply lateral movement or unauthorized remote access, especially if the user or session is unexpected.

Event ID 1017 (Windows System Log)
  Event Detail: Handle scavenged. Share Name: C$ File Name: users\{redacted}\downloads\History.zip Durable: 1 Resilient or Persistent: 0 Guidance: The server closed a handle that was previously reserved for a client after 60 seconds.
  Description: Indicates the server closed a handle for a client. While common in network operations, unusual patterns or locations (like History.zip in a user's downloads) may suggest data collection from a local system.

Event ID 1102 (Windows Security Log)
  Event Detail: All
  Description: All Event ID 1102 entries should be investigated, as logs are generally not cleared and this is a known Volt Typhoon tactic to cover their tracks.

Monitor and Review OT System Logs

- Review access logs for communication paths between IT and OT networks, looking for anomalous accesses or protocols.
- Measure the baseline of normal operations and network traffic for the industrial control system (ICS) and assess traffic anomalies for malicious activity.
- Configure intrusion detection systems (IDS) to create alarms for any ICS network traffic outside normal operations.
- Track and monitor audit trails on critical areas of ICS.
- Set up security information and event management (SIEM) to monitor, analyze, and correlate event logs from across the ICS network to identify intrusion attempts.

Review CISA's Recommended Cybersecurity Practices for Industrial Control Systems and the joint advisory NSA and CISA Recommend Immediate Actions to Reduce Exposure Across all Operational Technologies and Control Systems for further OT system detection and mitigation guidance.

Use gait to Detect Possible Network Proxy Activities

Use gait [4] to detect network proxy activities. Developed by Sandia National Labs, gait is a publicly available Zeek [5] extension. The gait extension can help enrich Zeek's network connection monitoring and SSL logs by including additional metadata in the logs. Specifically, gait captures unique TCP options and timing data such as TCP, transport layer security (TLS), and Secure Shell (SSH) layer inferred round trip times (RTT), aiding in the identification of the software used by both endpoints and intermediaries.

While the gait extension for Zeek is an effective tool for enriching network monitoring logs with detailed metadata, it is not specifically designed to detect Volt Typhoon actor activities. The extension's capabilities extend to general anomaly detection in network traffic, including, but not limited to, proxying activities. Therefore, while gait can be helpful in identifying tactics similar to those used by Volt Typhoon, such as proxy networks and FRP clients for C2 communication, not all proxying activities detected by using this additional metadata are necessarily indicative of Volt Typhoon presence. It serves as a valuable augmentation to current security stacks for a broader spectrum of threat detection.

For more information, see Sandia National Lab's gait GitHub page, sandialabs/gait: Zeek Extension to Collect Metadata for Profiling of Endpoints and Proxies.

Review Logins for Impossible Travel

Examine VPN or other account logon times, frequency, duration, and locations. Logons from two geographically distant locations within a short timeframe from a single user may indicate an account is being used maliciously.
Logons of unusual frequency or duration may indicate a threat actor attempting to access a system repeatedly or maintain prolonged sessions for the purpose of data extraction.

Review Standard Directories for Unusual Files

Review directories such as C:\windows\temp\ and C:\users\public\ for unexpected or unusual files. Monitor these temporary file storage directories for files typically located in standard system paths, such as the System32 directory. For example, Volt Typhoon has been observed downloading comsvcs.dll to a non-standard folder (this file is normally found in the System32 folder).

INCIDENT RESPONSE

If compromise, or potential compromise, is detected, organizations should assume full domain compromise because of Volt Typhoon's known behavioral pattern of extracting the NTDS.dit from the DCs. Organizations should immediately implement the following defensive countermeasures:

1. Sever the enterprise network from the internet. Note: This step requires the organization to understand its internal and external connections. When making the decision to sever internet access, knowledge of connections must be combined with care to avoid disrupting critical functions.
   - If you cannot sever from the internet, shut down all non-essential traffic between the affected enterprise network and the internet.
2. Reset credentials of privileged and non-privileged accounts within the trust boundary of each compromised account.
   - Reset passwords for all domain users and all local accounts, such as Guest, HelpAssistant, DefaultAccount, System, Administrator, and krbtgt. The krbtgt account is responsible for handling Kerberos ticket requests as well as encrypting and signing them. The krbtgt account should be reset twice because the account has a two-password history.
     The first reset of the krbtgt account needs to be allowed to replicate prior to the second reset to avoid any issues. See CISA's Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise for more information. Although tailored to FCEB agencies compromised in the 2020 SolarWinds Orion supply chain compromise, the steps are applicable to organizations with Windows AD compromise.
   - Review access policies to temporarily revoke privileges/access for affected accounts/devices. If it is necessary to not alert the attacker (e.g., for intelligence purposes), then privileges can be reduced for affected accounts/devices to "contain" them.
   - Reset the relevant account credentials or access keys if the investigation finds the threat actor's access is limited to non-elevated permissions.
   - Monitor related accounts, especially administrative accounts, for any further signs of unauthorized access.
3. Audit all network appliance and edge device configurations with indicators of malicious activity for signs of unauthorized or malicious configuration changes. Organizations should ensure they audit the current network device running configuration and any local configurations that could be loaded at boot time. If configuration changes are identified:
   - Change all credentials being used to manage network devices, including keys and strings used to secure network device functions (SNMP strings/user credentials, IPsec/IKE preshared keys, routing secrets, TACACS/RADIUS secrets, RSA keys/certificates, etc.).
   - Update all firmware and software to the latest version.
4. Report the compromise to an authoring agency (see the Contact Information section).
5. For organizations with cloud or hybrid environments, apply best practices for identity and credential access management.
   - Verify that all accounts with privileged role assignments are cloud native, not synced from Active Directory.
   - Audit conditional access policies to ensure Global Administrators and other highly privileged service principals and accounts are not exempted.
   - Audit privileged role assignments to ensure adherence to the principle of least privilege when assigning privileged roles.
   - Leverage just-in-time and just-enough access mechanisms when administrators need to elevate to a privileged role.
   - In hybrid environments, ensure federated systems (such as AD FS) are configured and monitored properly.
   - Audit Enterprise Applications for recently added applications and examine the API permissions assigned to each.
6. Reconnect to the internet. Note: The decision to reconnect to the internet depends on senior leadership's confidence in the actions taken. It is possible, depending on the environment, that new information discovered during pre-eviction and eviction steps could add additional eviction tasks.
7. Minimize and control use of remote access tools and protocols by applying best practices from the joint Guide to Securing Remote Access Software and the joint Cybersecurity Information Sheet: Keeping PowerShell: Security Measures to Use and Embrace.
8. Consider sharing technical information with an authoring agency and/or a sector-specific information sharing and analysis center.

For more information on incident response and remediation, see:

- Joint advisory Technical Approaches to Uncovering and Remediating Malicious Activity. This advisory provides incident response best practices.
- CISA's Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. Although tailored to U.S. Federal Civilian Executive Branch (FCEB) agencies, the playbooks are applicable to all organizations.
  The incident response playbook provides procedures to identify, coordinate, remediate, recover, and track successful mitigations from incidents.
- Joint Water and Wastewater Sector - Incident Response Guide. This joint guide provides incident response best practices and information on federal resources for Water and Wastewater Systems Sector organizations.

MITIGATIONS

These mitigations are intended for IT administrators in critical infrastructure organizations. The authoring agencies recommend that software manufacturers incorporate secure by design and default principles and tactics into their software development practices to strengthen the security posture for their customers.

For information on secure by design practices that may protect customers against common Volt Typhoon techniques, see the joint guide Identifying and Mitigating Living off the Land Techniques and the joint Secure by Design Alert Security Design Improvements for SOHO Device Manufacturers.

For more information on secure by design, see CISA's Secure by Design webpage and joint guide.

The authoring agencies recommend organizations implement the mitigations below to improve their cybersecurity posture on the basis of Volt Typhoon activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA's Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

IT Network Administrators and Defenders

Harden the Attack Surface

- Apply patches for internet-facing systems within a risk-informed span of time [CPG 1E]. Prioritize patching critical assets, known exploited vulnerabilities, and vulnerabilities in appliances known to be frequently exploited by Volt Typhoon (e.g., Fortinet, Ivanti, NETGEAR, Citrix, and Cisco devices).
- Apply vendor-provided or industry standard hardening guidance to strengthen software and system configurations. Note: As part of CISA's Secure by Design campaign, CISA urges software manufacturers to prioritize secure by default configurations to eliminate the need for customer implementation of hardening guidelines.
- Maintain and regularly update an inventory of all organizational IT assets [CPG 1A].
- Use third party assessments to validate current system and network security compliance via security architecture reviews, penetration tests, bug bounties, attack surface management services, incident simulations, or table-top exercises (both announced and unannounced) [CPG 1F].
- Limit internet exposure of systems when not necessary. An organization's primary attack surface is the combination of the exposure of all its internet-facing systems. Decrease the attack surface by not exposing systems or management interfaces to the internet when not necessary.
- Plan "end of life" for technology beyond the manufacturer's supported lifecycle. Inventories of organizational assets should be leveraged in patch and configuration management as noted above. Inventories will also enable identification of technology beyond the manufacturer's supported lifecycle.
  Where technology is beyond "end of life" or "end of support," additional cybersecurity vigilance is necessary and may warrant one or more of the following:
  - Supplemental support agreements;
  - Additional scanning and testing;
  - Configuration changes;
  - Isolation;
  - Segmentation; and
  - Development of forward-looking plans to facilitate replacement.

Secure Credentials

- Do not store credentials on edge appliances/devices. Ensure edge devices do not contain accounts that could provide domain admin access.
- Do not store plaintext credentials on any system [CPG 2L]. Credentials should be stored securely, such as with a credential/password manager or vault or another privileged account management solution, so they can only be accessed by authenticated and authorized users.
- Change default passwords [CPG 2A] and ensure they meet the policy requirements for complexity.
- Implement and enforce an organizational system-enforced policy that:
  - Requires passwords for all IT password-protected assets to be at least 15 characters;
  - Does not allow users to reuse passwords for accounts, applications, services, etc. [CPG 2C]; and
  - Does not allow service accounts/machine accounts to reuse passwords from member user accounts.
- Configure Group Policy settings to prevent web browsers from saving passwords and disable autofill functions.
- Disable the storage of clear text passwords in LSASS memory.

Secure Accounts

- Implement phishing-resistant MFA for access to assets [CPG 2H].
- Separate user and privileged accounts.
  - User accounts should never have administrator or super-user privileges [CPG 2E].
  - Administrators should never use administrator accounts for actions and activities not associated with the administrator role (e.g., checking email, web browsing).
- Enforce the principle of least privilege.
  - Ensure administrator accounts only have the minimum permissions necessary to complete their tasks.
  - Review account permissions for default accounts on edge appliances/devices and remove domain administrator privileges, if identified.
  - Significantly limit the number of users with elevated privileges. Implement continuous monitoring for changes in group membership, especially in privileged groups, to detect and respond to unauthorized modifications.
  - Remove accounts from high-privilege groups like Enterprise Admins and Schema Admins. Temporarily reinstate these privileges only when necessary and under strict auditing to reduce the risk of privilege abuse.
  - Transition to Group Managed Service Accounts (gMSAs) where suitable for enhanced management and security of service account credentials. gMSAs provide automated password management and simplified Service Principal Name (SPN) management, enhancing security over traditional service accounts. See Microsoft's Group Managed Service Accounts Overview.
  - Enforce strict policies via Group Policy and User Rights Assignments to limit high-privilege service accounts.
- Consider using a privileged access management (PAM) solution to manage access to privileged accounts and resources [CPG 2L]. PAM solutions can also log and alert on usage to detect any unusual activity.
  - Complement the PAM solution with role-based access control (RBAC) for tailored access based on job requirements. This ensures that elevated access is granted only when required and for a limited duration, minimizing the window of opportunity for abuse or exploitation of privileged credentials.
- Implement an Active Directory tiering model to segregate administrative accounts based on their access level and associated risk. This approach reduces the potential impact of a compromised account.
  See Microsoft's PAM environment tier model.
- Harden administrative workstations to only permit administrative activities from workstations appropriately hardened based on the administrative tier. See Microsoft's Why are privileged access devices important - Privileged access.
- Disable all user accounts and access to organizational resources of employees on the day of their departure [CPG 2G].
- Regularly audit all user, admin, and service accounts and remove or disable unused or unneeded accounts as applicable.
- Regularly roll NTLM hashes of accounts that support token-based authentication.
- Improve management of hybrid (cloud and on-premises) identity federation by:
  - Using cloud-only administrators that are not synchronized with on-premises environments and ensuring on-premises administrators are not synchronized to the cloud.
  - Using CISA's SCuBAGear tool to discover cloud misconfigurations in Microsoft cloud tenants. SCuBAGear is an automation script for comparing Federal Civilian Executive Branch (FCEB) agency tenant configurations against CISA M365 baseline recommendations. SCuBAGear is part of CISA's Secure Cloud Business Applications (SCuBA) project, which provides guidance for FCEB agencies on securing their cloud business application environments and protecting federal information created, accessed, shared, and stored in those environments. Although tailored to FCEB agencies, the project provides security guidance applicable to all organizations with cloud environments. For more information on SCuBAGear, see CISA's Secure Cloud Business Applications (SCuBA) Project.
  - Using endpoint detection and response capabilities to actively defend on-premises federation servers.

Secure Remote Access Services

- Limit the use of RDP and other remote desktop services.
  If RDP is necessary, apply best practices, including auditing the network for systems using RDP, closing unused RDP ports, and logging RDP login attempts.
- Disable Server Message Block (SMB) protocol version 1 and upgrade to version 3 (SMBv3) after mitigating existing dependencies (on existing systems or applications), as they may break when SMBv1 is disabled.
- Harden SMBv3 by implementing guidance included in the joint #StopRansomware Guide (see page 8 of the guide).
- Apply mitigations from the joint Guide to Securing Remote Access Software.

Secure Sensitive Data

- Securely store sensitive data (including operational technology documentation, network diagrams, etc.), ensuring that only authenticated and authorized users can access the data.

Implement Network Segmentation

- Ensure that sensitive accounts use their administrator credentials only on hardened, secure computers. This practice can reduce lateral movement exposure within networks.
- Conduct comprehensive trust assessments to identify business-critical trusts and apply necessary controls to prevent unauthorized cross-forest/domain traversal.
- Harden federated authentication by enabling Security Identifier (SID) Filtering and Selective Authentication on AD trust relationships to further restrict unauthorized access across domain boundaries.
- Implement network segmentation to isolate federation servers from other systems and limit allowed traffic to systems and protocols that require access in accordance with Zero Trust principles.

Secure Cloud Assets

- Harden cloud assets in accordance with vendor-provided or industry standard hardening guidance.
  - Organizations with Microsoft cloud infrastructure, see CISA's Microsoft 365 Security Configuration Baseline Guides, which provide minimum viable secure configuration baselines for Microsoft Defender for Office 365, Azure Active Directory (now known as Microsoft Entra ID), Exchange Online, OneDrive for Business, Power BI, Power Platform, SharePoint Online, and Teams. For additional guidance, see the Australian Signals Directorate's Blueprint for Secure Cloud.
  - Organizations with Google cloud infrastructure, see CISA's Google Workspace Security Configuration Baseline Guides, which provide minimum viable secure configuration baselines for Groups for Business, Gmail, Google Calendar, Google Chat, Google Common Controls, Google Classroom, Google Drive and Docs, Google Meet, and Google Sites.
- Revoke unnecessary public access to the cloud environment. This involves reviewing and restricting public endpoints and ensuring that services like storage accounts, databases, and virtual machines are not publicly accessible unless absolutely necessary.
- Disable legacy authentication protocols across all cloud services and platforms. Legacy protocols frequently lack support for advanced security mechanisms such as multifactor authentication, rendering them susceptible to compromise. Instead, enforce the use of modern authentication protocols that support stronger security features like MFA, token-based authentication, and adaptive authentication measures.
  - Enforce this practice through the use of Conditional Access Policies. These policies can initially be run in report-only mode to identify potential impacts and plan mitigations before fully enforcing them.
    This approach allows organizations to systematically control access to their cloud resources, significantly reducing the risk of unauthorized access and potential compromise.
- Regularly monitor and audit privileged cloud-based accounts, including service accounts, which are frequently abused to enable broad cloud resource access and persistence.

Be Prepared

- Ensure logging is turned on for application, access, and security logs (e.g., intrusion detection systems/intrusion prevention systems, firewall, data loss prevention, and VPNs) [CPG 2T]. Given Volt Typhoon's use of LOTL techniques and their significant dwell time, application event logs may be a valuable resource to hunt for Volt Typhoon activity because these logs typically remain on endpoints for relatively long periods of time.
  - For OT assets where logs are non-standard or not available, collect network traffic and communications between those assets and other assets.
- Implement file integrity monitoring (FIM) tools to detect unauthorized changes.
- Store logs in a central system, such as a security information and event management (SIEM) tool or central database.
  - Ensure the logs can only be accessed or modified by authorized and authenticated users [CPG 2U].
  - Store logs for a period informed by risk or pertinent regulatory guidelines.
  - Tune log alerting to reduce noise while ensuring there are alerts for high-risk activities. (For information on alert tuning, see the joint guide Identifying and Mitigating Living Off the Land Techniques.)
- Establish and continuously maintain a baseline of installed tools and software, account behavior, and network traffic. This way, network defenders can identify potential outliers, which may indicate malicious activity.
Note: For\r\ninformation on establishing a baseline, see joint guide Identifying and Mitigating Living off the Land Techniques.\r\nDocument a list of threats and cyber actor TTPs relevant to your organization (e.g., based on industry or\r\nsectors), and maintain the ability (such as via rules, alerting, or commercial prevention and detection systems) to\r\ndetect instances of those key threats [CPG 3A].\r\nImplement periodic training for all employees and contractors that covers basic security concepts (such as\r\nphishing, business email compromise, basic operational security, password security, etc.), as well as fostering an\r\ninternal culture of security and cyber awareness [CPG 2I].\r\nTailor the training to network IT personnel/administrators and other key staff based on relevant\r\norganizational cyber threats and TTPs, such as Volt Typhoon. For example, communicate that Volt\r\nTyphoon actors are known to target personal email accounts of IT staff, and encourage staff to protect their\r\npersonal email accounts by using strong passwords and implementing MFA.\r\nIn addition to basic cybersecurity training, ensure personnel who maintain or secure OT as part of their\r\nregular duties receive OT-specific cybersecurity training on at least an annual basis [CPG 2J].\r\nEducate users about the risks associated with storing unprotected passwords.\r\nOT Administrators and Defenders\r\nChange default passwords [CPG 2A] and ensure they meet the policy requirements for complexity. If the asset’s\r\npassword cannot be changed, implement compensating controls for the device; for example, segment the device into\r\nseparate enclaves and implement increased monitoring and logging.\r\nRequire that passwords for all OT password-protected assets be at least 15 characters, when technically\r\nfeasible. 
In instances where minimum password lengths are not technically feasible (for example, assets in remote\r\nlocations), apply compensating controls, record the controls, and log all login attempts [CPG 2B].\r\nEnforce strict access policies for accessing OT networks. Develop strict operating procedures for OT operators\r\nthat detail secure configuration and usage.\r\nSegment OT assets from IT environments by [CPG 2F]:\r\nDenying all connections to the OT network by default unless explicitly allowed (e.g., by IP address and\r\nport) for specific system functionality.\r\nRequiring necessary communications paths between IT and OT networks to pass through an\r\nintermediary, such as a properly configured firewall, bastion host, “jump box,” or a demilitarized zone\r\n(DMZ), which is closely monitored, captures network logs, and only allows connections from approved\r\nassets.\r\nClosely monitor all connections into OT networks for misuse, anomalous activity, or OT protocols.\r\nMonitor for unauthorized controller change attempts. Implement integrity checks of controller process logic\r\nagainst a known good baseline. 
Ensure process controllers are prevented from remaining in remote program mode\r\nwhile in operation if possible.\r\nLock or limit set points in control processes to reduce the consequences of unauthorized controller access.\r\nBe prepared by:\r\nDetermining your critical operational processes’ reliance on key IT infrastructure:\r\nMaintain and regularly update an inventory of all organizational OT assets.\r\nUnderstand and evaluate cyber risk on “as-operated” OT assets.\r\nCreate an accurate “as-operated” OT network map and identify OT and IT network inter-dependencies.\r\nIdentifying a resilience plan that addresses how to operate if you lose access to or control of the IT\r\nand/or OT environment.\r\nPlan for how to continue operations if a control system is malfunctioning, inoperative, or actively\r\nacting contrary to the safe and reliable operation of the process.\r\nDevelop workarounds or manual controls to ensure ICS networks can be isolated if the connection to a\r\ncompromised IT environment creates risk to the safe and reliable operation of OT processes.\r\nCreate and regularly exercise an incident response plan.\r\nRegularly test manual controls so that critical functions can be kept running if OT networks need to be\r\ntaken offline.\r\nImplement regular data backup procedures on OT networks.\r\nRegularly test backup procedures.\r\nFollow risk-informed guidance in the joint advisory NSA and CISA Recommend Immediate Actions to Reduce\r\nExposure Across all Operational Technologies and Control Systems and the NSA advisory Stop Malicious Cyber\r\nActivity Against Connected Operational Technology.\r\nCONTACT INFORMATION\r\nUS organizations: To report suspicious or criminal activity related to information found in this joint Cybersecurity\r\nAdvisory, contact:\r\nCISA’s 24/7 Operations Center at Report@cisa.gov or 1-844-Say-CISA (1-844-729-2472) or your local FBI 
field\r\noffice. When available, please include the following information regarding the incident: date, time, and location of\r\nthe incident; type of activity; number of people affected; type of equipment used for the activity; the name of the\r\nsubmitting company or organization; and a designated point of contact.\r\nFor NSA client requirements or general cybersecurity inquiries, contact Cybersecurity_Requests@nsa.gov.\r\nWater and Wastewater Systems Sector organizations, contact the EPA Water Infrastructure and Cyber Resilience\r\nDivision at watercyberta@epa.gov to voluntarily provide situational awareness.\r\nEntities required to report incidents to DOE should follow established reporting requirements, as appropriate. For\r\nother energy sector inquiries, contact EnergySRMA@hq.doe.gov.\r\nFor transportation entities regulated by TSA, report to CISA Central in accordance with the requirements found in\r\napplicable Security Directives, Security Programs, or TSA Order.\r\nAustralian organizations: Visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and\r\naccess alerts and advisories.\r\nCanadian organizations: Report incidents by emailing CCCS at contact@cyber.gc.ca.\r\nNew Zealand organizations: Report cyber security incidents to incidents@ncsc.govt.nz or call 04 498 7654.\r\nUnited Kingdom organizations: Report a significant cyber security incident: ncsc.gov.uk/report-an-incident (monitored\r\n24 hours) or, for urgent assistance, call 03000 200 973.\r\nVALIDATE SECURITY CONTROLS\r\nIn addition to applying mitigations, the authoring agencies recommend exercising, testing, and validating your organization's\r\nsecurity program against the threat behaviors mapped to the MITRE ATT\u0026CK for Enterprise framework in this advisory.\r\nThe authoring agencies recommend testing your existing security controls inventory to assess how they perform against the\r\nATT\u0026CK techniques described in this advisory.\r\nTo get 
started:\r\n1. Select an ATT\u0026CK technique described in this advisory (see Table 5 through Table 17).\r\n2. Align your security technologies against the technique.\r\n3. Test your technologies against the technique.\r\n4. Analyze your detection and prevention technologies’ performance.\r\n5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.\r\n6. Tune your security program, including people, processes, and technologies, based on the data generated by this\r\nprocess.\r\nThe authoring agencies recommend continually testing your security program, at scale, in a production environment to\r\nensure optimal performance against the MITRE ATT\u0026CK techniques identified in this advisory.\r\nRESOURCES\r\nMicrosoft: Volt Typhoon targets US critical infrastructure with living-off-the-land techniques\r\nSecureworks: Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense\r\nOrganizations\r\nDISCLAIMER\r\nThe information in this report is being provided “as is” for informational purposes only. The authoring agencies do not\r\nendorse any commercial entity, product, company, or service, including any entities, products, or services linked within this\r\ndocument. 
Any reference to specific commercial entities, products, processes, or services by service mark, trademark,\r\nmanufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the authoring\r\nagencies.\r\nACKNOWLEDGEMENTS\r\nFortinet and Microsoft contributed to this advisory.\r\nVERSION HISTORY\r\nFebruary 7, 2024: Initial Version.\r\nMarch 7, 2024: Updated Mitigations section to add recommendation on “end of life” technology.\r\nAPPENDIX A: VOLT TYPHOON OBSERVED COMMANDS / LOTL ACTIVITY\r\nSee Table 2 and Table 3 for Volt Typhoon commands and PowerShell scripts observed by the U.S. authoring agencies during\r\nincident response activities. For additional commands used by Volt Typhoon, see joint advisory People's Republic of China\r\nState-Sponsored Cyber Actor Living off the Land to Evade Detection.\r\nTable 2: Volt Typhoon Observed Commands in PowerShell Console History\r\nCommand/Script Description/Use\r\nGet-EventLog security -instanceid 4624 -after {redacted date} | fl * | Out-File 'C:\\users\\public\\documents\\user.dat'\r\nPowerShell command extracts security log entries with the Event ID 4624 after a specified date. The output is formatted (fl *) and saved to user.dat. Potentially used to analyze logon patterns and identify potential targets for lateral movement.\r\nGet-EventLog security -instanceid 4624 | Where-Object {$_.message.contains('{redacted user account}')} | select -First 1 | fl *\r\nPowerShell command extracts security log entries with the Event ID 4624 and filters them to include only those containing a specific user account, selecting the first instance of such an event.\r\nwminc process get name,processid\r\nAppears to be an attempt to use the wmic command but with a misspelling (wminc instead of wmic). 
This command, as it stands, would not execute successfully and would return an error in a typical Windows environment. This could indicate a mistake made during manual input.\r\nwmic process get name,processid\r\nWMI command lists all running processes with process names and process IDs. Potentially used to find process IDs needed for other operations, like memory dumping.\r\ntasklist /v\r\nCommand displays detailed information about currently running processes, including the name, PID, session number, and memory usage.\r\ntaskkill /f /im rdpservice.exe\r\nCommand forcibly terminates the process rdpservice.exe. Potentially used as a cleanup activity post-exploitation.\r\nping -n 1 {redacted IP address}\r\nCommand sends one ICMP echo request to a specified IP address.\r\nping -n 1 -w 1 {redacted IP address}\r\nCommand sends one ICMP echo request to a specified IP address with a timeout (-w) of 1 millisecond.\r\nnet user\r\nLists all user accounts on the local machine or domain, useful for quickly viewing existing user accounts.\r\nquser\r\nquery user\r\nDisplays information about user sessions on a system, aiding in identifying active users or sessions.\r\nnet start\r\nLists all active services.\r\ncmd\r\nOpens a new instance of the command prompt.\r\ncd [Redacted Path]\r\nChanges the current directory to a specified path, typically for navigating file systems.\r\nRemove-Item .\\Thumbs.db\r\nPowerShell command to delete the Thumbs.db file, possibly for cleanup or removing traces.\r\nmove .\\Thumbs.db ttt.dat\r\nRelocates and renames the file Thumbs.db in the current directory to ttt.dat within the same directory.\r\ndel .\\Thumbs.db /f /s /q\r\nForce deletes Thumbs.db files from the current directory and all subdirectories, part of cleanup operations to erase traces.\r\ndel ??\r\nDeletes files with 
two-character names, potentially a targeted cleanup command.\r\ndel /?\r\nDisplays help information for the del command.\r\nexit\r\nTerminates the command prompt session.\r\nipconfig\r\nRetrieves network configuration details, helpful for discovery and mapping the victim's network.\r\nnet time /dom\r\nQueries or sets the network time for a domain, potentially used for reconnaissance or to manipulate system time.\r\nnetstta -ano\r\nIntended as netstat -ano; a mistyped command indicating a potential operational error.\r\nnetstat -ano\r\nLists active network connections and processes, helpful for identifying communication channels and potential targets.\r\ntype .\\Notes.txt\r\nDisplays the contents of Notes.txt, possibly used for extracting specific information or intelligence gathering.\r\nlogoff\r\nLogs off the current user session.\r\nTable 3: Volt Typhoon Observed PowerShell Scripts\r\nScript name and location: C:\\{redacted}\\logins.ps1\r\nContents:\r\n# Find DC list from Active Directory\r\n$DCs = Get-ADDomainController -Filter *\r\n# Define time for report (default is 1 day)\r\n$startDate = (get-date).AddDays(-1)\r\n# Store successful logon events from security logs with the specified dates and workstation/IP in an array\r\nforeach ($DC in $DCs){\r\n$slogonevents = Get-Eventlog -LogName Security -ComputerName $DC.Hostname -after $startDate | where {$_.eventID -eq 4624 }}\r\n# Crawl through events; print all logon history with type, date/time, status, account name, computer and IP address if user logged on remotely\r\n foreach ($e in $slogonevents){\r\n # Logon Successful Events\r\n # Local (Logon Type 2)\r\n if (($e.EventID -eq 4624 ) -and ($e.ReplacementStrings[8] -eq 2)){\r\n write-host \"Type: Local Logon`tDate: \"$e.TimeGenerated \"`tStatus: Success`tUser: \"$e.ReplacementStrings[5] \"`tWorkstation: \"$e.ReplacementStrings[11]\r\n }\r\n # Remote (Logon Type 10)\r\n if (($e.EventID -eq 4624 ) -and ($e.ReplacementStrings[8] -eq 10)){\r\n write-host \"Type: Remote Logon`tDate: \"$e.TimeGenerated \"`tStatus: Success`tUser: \"$e.ReplacementStrings[5] \"`tWorkstation: \"$e.ReplacementStrings[11] \"`tIP Address: \"$e.ReplacementStrings[18]\r\n }}\r\nDescription/Use: The script is designed for user logon discovery in a Windows Active Directory environment. It retrieves a list of DCs and then queries security logs on these DCs for successful logon events (Event ID 4624) within the last day. The script differentiates between local (Logon Type 2) and remote (Logon Type 10) logon events. For each event, it extracts and displays details including the logon type, date/time of logon, status, account name, and the workstation or IP address used for the logon. Volt Typhoon may be leveraging this script to monitor user logon activities across the network, potentially to identify patterns, gather credentials, or track the movement of users and administrators within the network.\r\nAPPENDIX B: INDICATORS OF COMPROMISE\r\nSee Table 4 for Volt Typhoon IOCs obtained by the U.S. 
authoring agencies during incident response activities.\r\nNote: See MAR-10448362-1.v1 for more information on this malware.\r\nTable 4: Volt Typhoon Malicious Files and Associated Hashes\r\nFile Name | Description | MD5 | SHA256\r\nBrightmetricAgent.exe | The file is an FRP that could be used to reveal servers situated behind a network firewall or obscured through Network Address Translation (NAT). | fd41134e8ead1c18ccad27c62a260aa6 | edc0c63065e88ec96197c8d7a40662a15a812a9583dc6c82b1\r\nSMSvcService.exe | The file is a Windows executable “FRPC” designed to open a reverse proxy between the compromised system and the threat actor(s) C2 server. | b1de37bf229890ac181bdef1ad8ee0c2 | 99b80c5ac352081a64129772ed5e1543d94cad708ba2adc46d\r\nAPPENDIX C: MITRE ATT\u0026CK TACTICS AND TECHNIQUES\r\nSee Table 5 through Table 17 for all referenced threat actor tactics and techniques in this advisory.\r\nTable 5: Volt Typhoon actors ATT\u0026CK Techniques for Enterprise – Reconnaissance\r\nTechnique Title | ID | Use\r\nGather Victim Host Information | T1592 | Volt Typhoon conducts extensive pre-compromise reconnaissance. 
This includes web searches, including victim-owned sites, for victim host, identity, and network information, especially for information on key network and IT administrators.\r\nGather Victim Identity Information | T1589 | Volt Typhoon conducts extensive pre-compromise reconnaissance to learn about the target organization’s staff.\r\nGather Victim Identity Information: Email Addresses | T1589.002 | Volt Typhoon targets the personal emails of key network and IT staff.\r\nGather Victim Network Information | T1590 | Volt Typhoon conducts extensive pre-compromise reconnaissance to learn about the target organization’s network.\r\nGather Victim Org Information | T1591 | Volt Typhoon conducts extensive pre-compromise reconnaissance to learn about the target organization.\r\nSearch Open Websites/Domains | T1593 | Volt Typhoon conducts extensive pre-compromise reconnaissance. This includes web searches, including victim-owned sites, for victim host, identity, and network information, especially for information on key network and IT administrators.\r\nSearch Victim-Owned Websites | T1594 | Volt Typhoon conducts extensive pre-compromise reconnaissance. 
This includes web searches, including victim-owned sites, for victim host, identity, and network information, especially for information on key network and IT administrators.\r\nTable 6: Volt Typhoon actors ATT\u0026CK Techniques for Enterprise – Resource Development\r\nTechnique Title | ID | Use\r\nAcquire Infrastructure: Botnet | T1583.003 | Volt Typhoon uses multi-hop proxies for command-and-control infrastructure. The proxy is typically composed of Virtual Private Servers (VPSs) or small office/home office (SOHO) routers.\r\nCompromise Infrastructure: Botnet | T1584.005 | Volt Typhoon used Cisco and NETGEAR end-of-life SOHO routers implanted with KV Botnet malware to support their operations.\r\nCompromise Infrastructure: Server | T1584.004 | Volt Typhoon has redirected specific port traffic to their proxy infrastructure, effectively converting the PRTG’s Detection Guidance server into a proxy for their C2 traffic.\r\nDevelop Capabilities: Exploits | T1587.004 | Volt Typhoon uses publicly available exploit code, but is also adept at discovering and exploiting vulnerabilities as zero days.\r\nObtain Capabilities: Exploits | T1588.005 | Volt Typhoon uses publicly available exploit code, but is also adept at discovering and exploiting vulnerabilities as zero days.\r\nTable 7: Volt Typhoon actors ATT\u0026CK Techniques for Enterprise – Initial Access\r\nTechnique Title | ID | Use\r\nExploit Public-Facing Application | T1190 | Volt Typhoon commonly exploits vulnerabilities in networking appliances such as Fortinet, Ivanti (formerly Pulse Secure), NETGEAR, Citrix, and Cisco.\r\nExternal Remote Services | T1133 | Volt Typhoon often uses VPN sessions to securely connect to victim environments, enabling discreet follow-on 
intrusion activities.\r\nTable 8: Volt Typhoon actors ATT\u0026CK Techniques for Enterprise – Execution\r\nTechnique Title | ID | Use\r\nCommand and Scripting Interpreter | T1059 | Volt Typhoon uses hands-on-keyboard execution for their malicious activity via the command-line.\r\nCommand and Scripting Interpreter: PowerShell | T1059.001 | Volt Typhoon has executed clients via PowerShell.\r\nCommand and Scripting Interpreter: Unix Shell | T1059.004 | Volt Typhoon has used Brightmetricagent.exe, which contains multiplexer libraries that can bi-directionally stream data through NAT networks and contains a command-line interface (CLI) library that can leverage command shells such as PowerShell, Windows Management Instrumentation (WMI), and Z Shell (zsh).\r\nWindows Management Instrumentation | T1047 | Volt Typhoon has used Windows Management Instrumentation Console (WMIC) commands.\r\nTable 9: Volt Typhoon actors ATT\u0026CK Techniques for Enterprise – Persistence\r\nTechnique Title | ID | Use\r\nValid Accounts | T1078 | Volt Typhoon primarily relies on valid credentials for persistence.\r\nTable 10: Volt Typhoon actors ATT\u0026CK Techniques for Enterprise – Privilege Escalation\r\nTechnique Title | ID | Use\r\nExploitation for Privilege Escalation | T1068 | Volt Typhoon first obtains credentials from public-facing appliances after gaining initial access by exploiting privilege escalation vulnerabilities in the operating system or network services.\r\nTable 11: Volt Typhoon actors ATT\u0026CK Techniques for Enterprise – Defense Evasion\r\nTechnique Title | ID | Use\r\nDirect Volume Access | T1006 | Volt Typhoon has executed the Windows-native vssadmin command to create a volume shadow 
copy.\r\nIndicator Removal: Clear Persistence | T1070.009 | Volt Typhoon has selectively cleared Windows Event Logs, system logs, and other technical artifacts to remove evidence of their intrusion activity and masquerading file names.\r\nIndicator Removal: Clear Windows Event Logs | T1070.001 | Volt Typhoon has selectively cleared Windows Event Logs, system logs, and other technical artifacts to remove evidence of their intrusion activity and masquerading file names.\r\nIndicator Removal: File Deletion | T1070.004 | Volt Typhoon created systeminfo.dat in C:\\Users\\Public\\Documents, but subsequently deleted it.\r\nMasquerading: Match Legitimate Name or Location | T1036.005 | Volt Typhoon has selectively cleared Windows Event Logs, system logs, and other technical artifacts to remove evidence of their intrusion activity and masquerading file names.\r\nModify Registry | T1112 | Volt Typhoon has used the netsh command, a legitimate Windows command, to create a PortProxy registry modification on the PRTG server.\r\nObfuscated Files or Information: Software Packing | T1027.002 | Volt Typhoon has obfuscated FRP client files (BrightmetricAgent.exe and SMSvcService.exe) and the command-line port scanning utility ScanLine by packing the files with Ultimate Packer for Executables (UPX).\r\nSystem Binary Proxy Execution | T1218 | Volt Typhoon uses hands-on-keyboard activity via the command-line and uses other native tools and processes on systems (often referred to as “LOLBins”), known as LOTL, to maintain and expand access to the victim networks.\r\nTable 12: Volt Typhoon actors ATT\u0026CK Techniques for Enterprise – Credential Access\r\nTechnique Title | ID | Use\r\nBrute Force: Password Cracking | T1110.002 | Volt Typhoon has exfiltrated NTDS.dit and SYSTEM registry hive to crack passwords offline.\r\nCredentials from Password Stores | T1555 | Volt Typhoon has 
installed browsers saved passwords history, credit card details, and cookies.\r\nCredentials from Password Stores: Credentials from Web Browsers | T1555.003 | Volt Typhoon has strategically targeted network administrator web browser data, focusing on both browsing history and stored credentials.\r\nOS Credential Dumping: LSASS Memory | T1003.001 | Volt Typhoon used a DLL with MiniDump and the process ID of Local Security Authority Subsystem Service (LSASS) to dump the LSASS process memory and obtain credentials.\r\nOS Credential Dumping: NTDS | T1003.003 | Volt Typhoon appears to prioritize obtaining valid credentials by extracting the Active Directory database file (NTDS.dit).\r\nUnsecured Credentials | T1552 | Volt Typhoon has obtained credentials insecurely stored on an appliance.\r\nUnsecured Credentials: Private Keys | T1552.004 | Volt Typhoon has accessed a Local State file that contains the Advanced Encryption Standard (AES) encryption key used to encrypt the passwords stored in the Chrome browser, which enables the actors to obtain plaintext passwords stored in the Login Data file in the Chrome browser.\r\nTable 13: Volt Typhoon actors ATT\u0026CK Techniques for Enterprise – Discovery\r\nTechnique Title | ID | Use\r\nAccount Discovery: Local Account | T1087.001 | Volt Typhoon executed net user and quser for user account information.\r\nApplication Window Discovery | T1010 | Volt Typhoon created and accessed a file named rult3uil.log on a Domain Controller in C:\\Windows\\System32\\. 
The rult3uil.log file contained user activities on a compromised system, showcasing a combination of window title information and focus shifts, keypresses, and command executions across Google Chrome and Windows PowerShell, with corresponding timestamps.\r\nBrowser Information Discovery | T1217 | Volt Typhoon has installed browsers saved passwords history, credit card details, and cookies.\r\nFile and Directory Discovery | T1083 | Volt Typhoon enumerated several directories, including directories containing vulnerability testing and cyber related content and facilities data, such as construction drawings.\r\nLog Enumeration | T1654 | Volt Typhoon has captured successful logon events.\r\nNetwork Service Discovery | T1046 | Volt Typhoon has used commercial tools, LOTL utilities, and appliances already present on the system for system information, network service, group, and user discovery.\r\nPeripheral Device Discovery | T1120 | Volt Typhoon has obtained the victim's system screen dimension and display devices information.\r\nPermission Groups Discovery | T1069 | Volt Typhoon has used commercial tools, LOTL utilities, and appliances already present on the system for system information, network service, group, and user discovery.\r\nProcess Discovery | T1057 | Volt Typhoon executed tasklist /v to gather a detailed process listing.\r\nQuery Registry | T1012 | Volt Typhoon has interacted with a PuTTY application by enumerating existing stored sessions.\r\nSoftware Discovery | T1518 | Volt Typhoon has obtained the victim's list of applications installed on the victim's system.\r\nSystem Information Discovery | T1082 | Volt Typhoon has used commercial tools, LOTL utilities, and appliances already present on the system for system information, network service, group, and user discovery.\r\nSystem Location Discovery | T1614 | Volt Typhoon has obtained the victim's system current locale.\r\nSystem 
Network Configuration Discovery: Internet Connection Discovery | T1016.001 | Volt Typhoon employs ping with various IP addresses to check network connectivity and net start to list running services.\r\nSystem Owner/User Discovery | T1033 | Volt Typhoon has used commercial tools, LOTL utilities, and appliances already present on the system for system information, network service, group, and user discovery.\r\nSystem Service Discovery | T1007 | Volt Typhoon employs ping with various IP addresses to check network connectivity and net start to list running services.\r\nSystem Time Discovery | T1124 | Volt Typhoon has obtained the victim's system timezone.\r\nTable 14: Volt Typhoon actors ATT\u0026CK Techniques for Enterprise – Lateral Movement\r\nTechnique Title | ID | Use\r\nRemote Service Session Hijacking | T1563 | Volt Typhoon potentially had access to a range of critical PuTTY profiles, including those for water treatment plants, water wells, an electrical substation, operational technology systems, and network security devices. 
This would enable them to access these critical systems.\r\nRemote Services: Cloud Services | T1021.007 | During the period of Volt Typhoon’s known network presence, there were anomalous login attempts to an Azure tenant potentially using credentials previously compromised from theft of NTDS.dit.\r\nRemote Services: Remote Desktop Protocol | T1021.001 | Volt Typhoon has moved laterally to the Domain Controller via an interactive RDP session using a compromised account with domain administrator privileges.\r\nUse Alternate Authentication Material | T1550 | Volt Typhoon may be capable of using other methods such as Pass the Hash or Pass the Ticket for lateral movement.\r\nValid Accounts: Cloud Accounts | T1078.004 | During the period of Volt Typhoon’s known network presence, there were anomalous login attempts to an Azure tenant potentially using credentials previously compromised from theft of NTDS.dit.\r\nTable 15: Volt Typhoon actors ATT\u0026CK Techniques for Enterprise – Collection\r\nTechnique Title | ID | Use\r\nArchive Collected Data | T1560 | Volt Typhoon collected sensitive information obtained from a file server in multiple zipped files.\r\nArchive Collected Data: Archive via Utility | T1560.001 | Volt Typhoon has compressed and archived the extracted ntds.dit and accompanying registry files (by executing ronf.exe, which was likely a renamed version of rar.exe).\r\nData Staged | T1074 | Volt Typhoon accessed the file C:\\Users\\{redacted}\\Downloads\\History.zip, which presumably contained data from the User Data directory of the user’s Chrome browser, which the actors likely saved in the Downloads directory for exfiltration.\r\nScreen Capture | T1113 | Volt Typhoon has obtained a screenshot of the victim's system using two libraries (gdi32.dll and gdiplus.dll).\r\nTable 16: Volt Typhoon actors ATT\u0026CK Techniques for Enterprise – Command and 
Control\r\nTechnique Title | ID | Use\r\nEncrypted Channel | T1573 | Volt Typhoon has set up FRP clients on a victim’s corporate infrastructure to establish covert communications channels for command and control.\r\nIngress Tool Transfer | T1105 | Volt Typhoon uses legitimate, but outdated versions of network admin tools. For example, in one confirmed compromise, actors downloaded an outdated version of comsvcs.dll on the DC in a non-standard folder.\r\nProxy | T1090 | Volt Typhoon has set up FRP clients on a victim’s corporate infrastructure to establish covert communications channels for command and control.\r\nProxy: Internal Proxy | T1090.001 | Volt Typhoon has used the netsh command, a legitimate Windows command, to create a PortProxy registry modification on the PRTG server.\r\nProxy: Multi-hop Proxy | T1090.003 | Volt Typhoon uses multi-hop proxies for command-and-control infrastructure.\r\nTable 17: Volt Typhoon actors ATT\u0026CK Techniques for Enterprise – Exfiltration\r\nTechnique Title | ID | Use\r\nExfiltration Over Alternative Protocol | T1048 | Volt Typhoon exfiltrated files via Server Message Block (SMB).\r\nSource: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a"
	],
	"report_names": [
		"aa24-038a"
	],
	"threat_actors": [
		{
			"id": "846522d7-29cb-4a0c-8ebe-ffba7429e2d7",
			"created_at": "2023-06-23T02:04:34.793629Z",
			"updated_at": "2026-04-10T02:00:04.971054Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Bronze Silhouette",
				"Dev-0391",
				"Insidious Taurus",
				"Redfly",
				"Storm-0391",
				"UAT-5918",
				"UAT-7237",
				"UNC3236",
				"VOLTZITE",
				"Vanguard Panda"
			],
			"source_name": "ETDA:Volt Typhoon",
			"tools": [
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a88747e2-ffed-45d8-b847-8464361b2254",
			"created_at": "2023-11-01T02:01:06.605663Z",
			"updated_at": "2026-04-10T02:00:05.289908Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Volt Typhoon",
				"BRONZE SILHOUETTE",
				"Vanguard Panda",
				"DEV-0391",
				"UNC3236",
				"Voltzite",
				"Insidious Taurus"
			],
			"source_name": "MITRE:Volt Typhoon",
			"tools": [
				"netsh",
				"PsExec",
				"ipconfig",
				"Wevtutil",
				"VersaMem",
				"Tasklist",
				"Mimikatz",
				"Impacket",
				"Systeminfo",
				"netstat",
				"Nltest",
				"certutil",
				"FRP",
				"cmd"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "49b3063e-a96c-4a43-b28b-1c380ae6a64b",
			"created_at": "2025-08-07T02:03:24.661509Z",
			"updated_at": "2026-04-10T02:00:03.644548Z",
			"deleted_at": null,
			"main_name": "BRONZE SILHOUETTE",
			"aliases": [
				"Dev-0391",
				"Insidious Taurus",
				"UNC3236",
				"Vanguard Panda",
				"Volt Typhoon",
				"Voltzite"
			],
			"source_name": "Secureworks:BRONZE SILHOUETTE",
			"tools": [
				"Living-off-the-land binaries",
				"Web shells"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4ed2b20c-7523-4852-833b-cebee8029f55",
			"created_at": "2023-05-26T02:02:03.524749Z",
			"updated_at": "2026-04-10T02:00:03.366175Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"BRONZE SILHOUETTE",
				"VANGUARD PANDA",
				"UNC3236",
				"Insidious Taurus",
				"VOLTZITE",
				"Dev-0391",
				"Storm-0391"
			],
			"source_name": "MISPGALAXY:Volt Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434303,
	"ts_updated_at": 1775792084,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6c07fcc8dca923a0b97859c232caa47c7b7a7493.pdf",
		"text": "https://archive.orkl.eu/6c07fcc8dca923a0b97859c232caa47c7b7a7493.txt",
		"img": "https://archive.orkl.eu/6c07fcc8dca923a0b97859c232caa47c7b7a7493.jpg"
	}
}