Volt Typhoon

Actor Type: Nation State
Attributed to Nation: China
Directly Linked Intrusion Sets: Insidious Taurus, VOLTZITE, KOSTOVITE, UNC2630

Volt Typhoon is a cyber intrusion set first identified by Microsoft. Threat researchers at Microsoft state that the group has been active since 2021, targeting critical infrastructure and employing living-off-the-land techniques to achieve their objectives.


Volt Typhoon Threat Reports

- PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure: Following an initial advisory issued in May 2023, this advisory from CISA, NSA and partners outlines information on the broader campaign of cyber ...
- People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection: This advisory from the US National Security Agency, CISA and various other agencies outlines tactics, techniques and procedures used by Volt ...

MITRE ATT&CK Techniques

MITRE ATT&CK techniques observed in use by this intrusion set.

ATT&CK ID | Title | Associated Tactics
T1592 | Gather Victim Host Information | Reconnaissance
T1048 | Exfiltration Over Alternative Protocol | Exfiltration
T1090.003 | Multi-hop Proxy | Command and Control
T1090.001 | Internal Proxy | Command and Control
T1090 | Proxy | Command and Control
T1105 | Ingress Tool Transfer | Command and Control
T1573 | Encrypted Channel | Command and Control
T1113 | Screen Capture | Collection
T1074 | Data Staged | Collection
T1560.001 | Archive via Utility | Collection
T1560 | Archive Collected Data | Collection
T1078.004 | Cloud Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1550 | Use Alternate Authentication Material | Defense Evasion, Lateral Movement
T1021.001 | Remote Desktop Protocol | Lateral Movement
T1021.007 | Cloud Services | Lateral Movement
T1563 | Remote Service Session Hijacking | Lateral Movement
T1124 | System Time Discovery | Discovery
T1007 | System Service Discovery | Discovery
T1033 | System Owner/User Discovery | Discovery
T1016.001 | Internet Connection Discovery | Discovery
T1614 | System Location Discovery | Discovery
T1082 | System Information Discovery | Discovery
T1518 | Software Discovery | Discovery
T1012 | Query Registry | Discovery
T1057 | Process Discovery | Discovery
T1069 | Permission Groups Discovery | Discovery
T1120 | Peripheral Device Discovery | Discovery
T1046 | Network Service Discovery | Discovery
T1654 | Log Enumeration | Discovery
T1083 | File and Directory Discovery | Discovery
T1217 | Browser Information Discovery | Discovery
T1010 | Application Window Discovery | Discovery
T1087.001 | Local Account | Discovery
T1552.004 | Private Keys | Credential Access
T1552 | Unsecured Credentials | Credential Access
T1003.003 | NTDS | Credential Access
T1003.001 | LSASS Memory | Credential Access
T1555.003 | Credentials from Web Browsers | Credential Access
T1555 | Credentials from Password Stores | Credential Access
T1110.002 | Password Cracking | Credential Access
T1218 | System Binary Proxy Execution | Defense Evasion
T1027.002 | Software Packing | Defense Evasion
T1112 | Modify Registry | Defense Evasion
T1036.005 | Match Legitimate Name or Location | Defense Evasion
T1070.004 | File Deletion | Defense Evasion
T1070.001 | Clear Windows Event Logs | Defense Evasion
T1070.009 | Clear Persistence | Defense Evasion
T1006 | Direct Volume Access | Defense Evasion
T1068 | Exploitation for Privilege Escalation | Privilege Escalation
T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1047 | Windows Management Instrumentation | Execution
T1059.004 | Unix Shell | Execution
T1059.001 | PowerShell | Execution
T1059 | Command and Scripting Interpreter | Execution
T1133 | External Remote Services | Initial Access, Persistence
T1190 | Exploit Public-Facing Application | Initial Access
T1588.005 | Exploits | Resource Development
T1587.004 | Exploits | Resource Development
T1584.004 | Server | Resource Development
T1584.005 | Botnet | Resource Development
T1583.003 | Virtual Private Server | Resource Development
T1594 | Search Victim-Owned Websites | Reconnaissance
T1593 | Search Open Websites/Domains | Reconnaissance
T1591 | Gather Victim Org Information | Reconnaissance
T1590 | Gather Victim Network Information | Reconnaissance
T1589.002 | Email Addresses | Reconnaissance
T1589 | Gather Victim Identity Information | Reconnaissance
T1090.002 | External Proxy | Command and Control
T1016 | System Network Configuration Discovery | Discovery
T1069.002 | Domain Groups | Discovery
T1069.001 | Local Groups | Discovery
T1003 | OS Credential Dumping | Credential Access
T1110.003 | Password Spraying | Credential Access
T1110 | Brute Force | Credential Access
T1070 | Indicator Removal | Defense Evasion
T1505.003 | Web Shell | Persistence
T1059.003 | Windows Command Shell | Execution