Volt Typhoon’s Chinese State-Sponsored Attack on U.S. Critical Infrastructure
- Feb 12, 2024
- Michelangelo Sidagni
The U.S. government this week said the Chinese state-sponsored hacking group known as Volt Typhoon had been embedded into some critical infrastructure networks in the country for at least five years.
CISA, the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory (CSA) confirming that PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. These agencies also published a supplemental piece discussing Identifying and Mitigating Living-off-the-Land Techniques.
Who is Volt Typhoon? It is a threat group sponsored by the People’s Republic of China. This stealthy cyber espionage group is believed to have been active since June 2021 and is also tracked as Bronze Silhouette, Insidious Taurus, UNC3236, Vanguard Panda, and Voltzite. Volt Typhoon’s choice of targets and pattern of behavior are not consistent with traditional cyber espionage or intelligence gathering operations.
The U.S. authoring agencies assessed with high confidence that “Volt Typhoon actors are pre-positioning themselves on IT networks for disruptive or destructive cyber activity against U.S. critical infrastructure.” We believe this would be carried out by moving laterally from the IT network into OT assets in order to disrupt their functions.
Target industries of the threat actor include communications, energy, transportation, and water and wastewater systems sectors in the U.S. and Guam.
According to reporting from The Hacker News in May 2023, the group established persistent footholds in critical infrastructure organizations in the U.S. and Guam for extended periods without being detected, principally by leveraging living-off-the-land (LotL) techniques.
After performing reconnaissance of the external attack surface, the group exploited highly publicized vulnerabilities to gain an initial foothold on the organization’s public-facing assets.
According to Crowdstrike’s original report on the matter, “The adversary consistently employed ManageEngine SelfService Plus exploits to gain initial access, followed by custom web shells for persistent access, and living-off-the-land (LotL) techniques for lateral movement.”
An analysis of the group’s modus operandi has revealed an emphasis on operational security, carefully using an extensive set of open-source tools against a limited number of victims to carry out long-term malicious acts.
In one unsuccessful incident targeting an unspecified customer, the actor targeted the Zoho ManageEngine ADSelfService Plus service running on an Apache Tomcat server and triggered the execution of suspicious commands, including process enumeration and network connectivity checks.
“Vanguard Panda’s (Volt Typhoon) actions indicated a familiarity with the target environment, due to the rapid succession of their commands, as well as having specific internal hostnames and IPs to ping, remote shares to mount, and plaintext credentials to use for WMI,” said CrowdStrike.
A closer examination of the Tomcat access logs revealed several HTTP POST requests to /html/promotion/selfsdp.jspx. This file is a web shell disguised as part of the legitimate identity security product in order to evade detection.
The web shell is believed to have been deployed nearly six months before the hands-on-keyboard activity described above, which indicates extensive prior reconnaissance of the target network.
While it is not immediately clear how Vanguard Panda (Volt Typhoon) breached the ManageEngine environment, all signs point to exploitation of CVE-2021-40539, a critical authentication bypass in ADSelfService Plus that leads to remote code execution.
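Concretely, the indicator in the CrowdStrike write-up is a pattern in web server logs: POST requests to a JSP resource that should never receive them. The following script is added here as an example and is not taken from the CrowdStrike report or the original post. It groups POST requests to .jsp/.jspx resources in a Tomcat access log by client IP and path, and reports how long the shell has been receiving traffic, which is the dwell-time question raised above. The log layout (Tomcat's common/combined AccessLogValve pattern), the allow-list of legitimate POST endpoints, and the IPs, timestamps and other paths in the sample are all assumptions; the web shell path is the one named above.

```python
import re
from datetime import datetime

# Tomcat AccessLogValve "common"/"combined" pattern: %h %l %u %t "%r" %s %b [...]
# (assumption: the access log uses this layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+(?: .*)?$'
)

# Hypothetical allow-list of JSP endpoints that legitimately receive POSTs in this
# deployment; every other .jsp/.jspx POST target is a candidate web shell.
ALLOWED_POST_PATHS = frozenset({"/accounts/login.jsp"})

# Constructed sample log (not real data). The web shell path is the one from the
# CrowdStrike analysis; IPs, timestamps and the other paths are invented.
SAMPLE_ACCESS_LOG = """\
10.0.5.17 - - [03/Jan/2023:09:12:44 +0000] "GET /html/promotion/selfsdp.jspx HTTP/1.1" 200 512
10.0.5.17 - - [03/Jan/2023:09:12:51 +0000] "POST /html/promotion/selfsdp.jspx HTTP/1.1" 200 1304
192.168.1.20 - - [03/Jan/2023:09:13:02 +0000] "GET /authorization.do HTTP/1.1" 200 7731
192.168.1.20 - - [03/Jan/2023:09:13:40 +0000] "POST /accounts/login.jsp HTTP/1.1" 302 0
10.0.5.17 - - [21/Jun/2023:14:02:09 +0000] "POST /html/promotion/selfsdp.jspx?cmd=1 HTTP/1.1" 200 2210
10.0.5.17 - - [21/Jun/2023:14:02:15 +0000] "POST /html/promotion/selfsdp.jspx HTTP/1.1" 200 970
malformed line that should be skipped
"""


def find_webshell_candidates(log_text, allowed_post_paths=ALLOWED_POST_PATHS):
    """Group POST requests to .jsp/.jspx resources by (client IP, path).

    Returns {(ip, path): {"count", "first_seen", "last_seen", "statuses"}}.
    """
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None or m["method"] != "POST":
            continue  # unparsable noise, or a request that is not a POST
        path = m["path"].split("?", 1)[0]  # drop the query string before comparing
        if not path.lower().endswith((".jsp", ".jspx")) or path in allowed_post_paths:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec = hits.setdefault(
            (m["ip"], path),
            {"count": 0, "first_seen": ts, "last_seen": ts, "statuses": set()},
        )
        rec["count"] += 1
        rec["first_seen"] = min(rec["first_seen"], ts)
        rec["last_seen"] = max(rec["last_seen"], ts)
        rec["statuses"].add(int(m["status"]))
    return hits


def dwell_days(rec):
    """Days between the first and last observed POST: a lower bound on how long
    the shell has been in place (the analysis above puts it at about six months)."""
    return (rec["last_seen"] - rec["first_seen"]).days


if __name__ == "__main__":
    for (ip, path), rec in find_webshell_candidates(SAMPLE_ACCESS_LOG).items():
        print(f"{ip} -> {path}: {rec['count']} POSTs, statuses {sorted(rec['statuses'])}, "
              f"first {rec['first_seen']:%Y-%m-%d}, dwell >= {dwell_days(rec)} days")
```

Run it against a real access log by replacing the sample text with the file contents. The first-seen timestamp is the most useful field: it tells you how far back to pull other telemetry when scoping the intrusion, and it is why log retention on Internet-facing appliances should be measured in months, not weeks.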
After gaining a foothold on public-facing assets through highly publicized, exploitable vulnerabilities, the group extracted administrative credentials from the target. With those credentials they established VPN access into the environment as a command-and-control (C2) channel, so they could return at will to continue internal network reconnaissance.
The group then moved laterally using living-off-the-land (LotL) techniques. By logging into various network infrastructure hosts with administrative credentials, they harvested further administrative credentials until domain administrator credentials were found. With those, a Domain Controller was compromised and the NTDS.dit database and the SYSTEM registry hive were exfiltrated. The SYSTEM hive matters because it holds the boot key needed to decrypt the password hashes stored in NTDS.dit; a copy of NTDS.dit alone is not enough to recover them offline.
Cracking the extracted hashes offline yielded additional domain credentials, allowing the group to establish a deeper foothold in the network. They were able to compromise file servers, other domain controllers, and VMware vCenter servers. This foothold would then serve as the jumping-off point into the OT networks.
This attack path shows the importance of good vulnerability management and configuration management practices.
First, it is of paramount importance to prioritize fixing critical and actively exploited vulnerabilities on publicly exposed assets, especially those that can be used to gain administrative access into the network. In the sea of vulnerabilities, those are the ones on which to focus your precious remediation effort.
To catch the persistence and C2 stages, implement strong logging at the network edge (VPN) and on the domain controllers. CISA already highlighted this in its news release and its paper on Identifying and Mitigating Living-off-the-Land Techniques.
Configurations such as the following would prevent most lateral movement and living-off-the-land attacks:
For a comprehensive list of CISA recommendations, see their paper on network and Active Directory hardening.
As this high-profile attack path shows, protecting the organization means prioritizing remediation of exploitable vulnerabilities, especially on Internet-exposed assets, shadow assets, and assets that form part of your network infrastructure. It is equally important to monitor the network for lateral movement by compromised administrative accounts and for living-off-the-land (LotL) techniques, by watching invocations of the LOLBins (living-off-the-land binaries) most used by attackers.
It is also important to harden the Active Directory environment with best-practice security configurations.
All of these remedial actions address not only the most exploited vulnerabilities but also the context and configuration of the networks in which the exploitation takes place.
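Both the credential-harvesting chain described earlier (NTDS.dit and SYSTEM hive dump, remote share mounts, WMI execution) and the LOLBin monitoring recommended here come down to the same thing: watching process-creation telemetry for ordinary administrative binaries used in an unusual combination by one account in a short time. The script below is an added example, not code from CISA or from the original post. It scores process-creation events per host and user over a sliding time window, so a lone ping is ignored while ping, net use, ntdsutil and reg save within a few minutes from the same account raise an alert. The JSON-lines event format, the rule weights and threshold, and the hostnames, users and commands in the sample are all assumptions.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Rules over the lower-cased command line: (name, weight, pattern). They mirror the
# attack path described above (NTDS.dit and SYSTEM hive dump, WMI lateral movement,
# remote share mounts, host/network recon). Weights and threshold are illustrative
# assumptions, not values from the advisory. The first matching rule wins, so the
# list is ordered from most to least specific.
RULES = [
    ("ntds_dump",       10, re.compile(r"\bntdsutil(\.exe)?\b.*\b(ifm|ntds)\b")),
    ("shadow_copy",      8, re.compile(r"\bvssadmin(\.exe)?\b.*\bcreate\s+shadow\b")),
    ("hive_save",        8, re.compile(r"\breg(\.exe)?\s+save\b.*\\(system|sam|security)\b")),
    ("wmi_remote_exec", 10, re.compile(r"\bwmic(\.exe)?\b.*/node:.*\bprocess\s+call\s+create\b")),
    ("remote_share",     3, re.compile(r"\bnet(\.exe)?\s+use\s+\\\\")),
    ("recon",            1, re.compile(r"\b(ping|ipconfig|netstat|tasklist|nltest|net\s+group)\b")),
]

# Constructed process-creation events (the shape a SIEM might export for Security
# event 4688 or Sysmon event 1 as JSON lines); hosts, users and timestamps are invented.
SAMPLE_EVENTS = r"""
{"ts": "2023-06-21T14:05:02", "host": "DC01", "user": "CORP\\svc_backup", "cmdline": "ping -n 1 fs02.corp.local"}
{"ts": "2023-06-21T14:05:40", "host": "DC01", "user": "CORP\\svc_backup", "cmdline": "net use \\\\fs02\\C$ /user:CORP\\svc_backup Winter2023!"}
{"ts": "2023-06-21T14:07:11", "host": "DC01", "user": "CORP\\svc_backup", "cmdline": "ntdsutil \"ac i ntds\" ifm \"create full C:\\Windows\\Temp\\x\" q q"}
{"ts": "2023-06-21T14:08:30", "host": "DC01", "user": "CORP\\svc_backup", "cmdline": "reg save HKLM\\SYSTEM C:\\Windows\\Temp\\sys.hiv"}
{"ts": "2023-06-21T09:00:00", "host": "WS17", "user": "CORP\\jdoe", "cmdline": "ping -n 4 intranet.corp.local"}
{"ts": "2023-06-21T14:20:00", "host": "WS17", "user": "CORP\\jdoe", "cmdline": "ipconfig /all"}
{"ts": "2023-06-22T02:13:00", "host": "JUMP01", "user": "CORP\\admin2", "cmdline": "wmic /node:\"10.0.0.5\" /user:CORP\\admin2 process call create \"cmd.exe /c whoami\""}
not json
"""


def load_events(text):
    """Parse JSON-lines export; malformed lines are skipped rather than aborting the run."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def score_events(events, window=timedelta(hours=1), threshold=10):
    """Return {(host, user): (score, [rule names])} for every host/user pair whose
    matched LotL commands inside any `window` sum to at least `threshold`."""
    hits = defaultdict(list)
    for ev in events:
        cmd = ev["cmdline"].lower()
        ts = datetime.fromisoformat(ev["ts"])
        for name, weight, rx in RULES:
            if rx.search(cmd):
                hits[(ev["host"], ev["user"])].append((ts, weight, name))
                break
    alerts = {}
    for key, items in hits.items():
        items.sort()
        best, best_rules, start = 0, [], 0
        for end in range(len(items)):
            # slide the window start forward until the span fits inside `window`
            while items[end][0] - items[start][0] > window:
                start += 1
            span = items[start:end + 1]
            score = sum(w for _, w, _ in span)
            if score > best:
                best, best_rules = score, sorted({n for _, _, n in span})
        if best >= threshold:
            alerts[key] = (best, best_rules)
    return alerts


if __name__ == "__main__":
    for (host, user), (score, rules) in score_events(load_events(SAMPLE_EVENTS)).items():
        print(f"ALERT {host} {user}: score {score}, rules {rules}")
```

Two caveats before running something like this in production. Security event 4688 only carries the command line if the "Include command line in process creation events" policy is enabled (Sysmon records it by default), so without that setting most of these rules have nothing to match. And the low-weight recon rule is deliberately noisy on its own; it only contributes once the same account also touches a high-value binary, which is the behavioural pattern the advisory describes rather than any single LOLBin.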
To unify all of these threat exposures, we recommend customers consider implementing a modern Cyber Threat Exposure Management platform.