Cyber Threat Report: 'PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure'

Report Author	CISA
Publication Date	2024-02-07
Original Reporting	Source
Attributed to Nation	China
Related Intrusion Sets	Volt Typhoon
Identified CVEs	CVE-2022-42475
Victim Sectors	Telecommunications, Energy, Utilities, Water, Transportation

Following an initial advisory issued in May 2023, this advisory from CISA, NSA and partners outlines information on the broader campaign of cyber attacks carried out by Volt Typhoon against critical infrastructure organizations in the US and it's territories, including Guam. The report describes the tactics, techniques and procedures (TTPs) used by Volt Typhoon, including the use of extensive pre-compromise reconnaissance, initial access through exploitation of vulnerabilities in public-facing network appliances and living-off-the-land techniques.

Cyber Threat Graph Context

Explore how this report relates to the wider threat graph

Mitigations to defend against the techniques in this report

Identified MITRE ATT&CK Techniques

ATT&CK ID	Title	Associated Tactics
T1592	Gather Victim Host Information	Reconnaissance
T1048	Exfiltration Over Alternative Protocol	Exfiltration
T1090.003	Multi-hop Proxy	Command and Control
T1090.001	Internal Proxy	Command and Control
T1090	Proxy	Command and Control
T1105	Ingress Tool Transfer	Command and Control
T1573	Encrypted Channel	Command and Control
T1113	Screen Capture	Collection
T1074	Data Staged	Collection
T1560.001	Archive via Utility	Collection
T1560	Archive Collected Data	Collection
T1078.004	Cloud Accounts	Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1550	Use Alternate Authentication Material	Defense Evasion, Lateral Movement
T1021.001	Remote Desktop Protocol	Lateral Movement
T1021.007	Cloud Services	Lateral Movement
T1563	Remote Service Session Hijacking	Lateral Movement
T1124	System Time Discovery	Discovery
T1007	System Service Discovery	Discovery
T1033	System Owner/User Discovery	Discovery
T1016.001	Internet Connection Discovery	Discovery
T1614	System Location Discovery	Discovery
T1082	System Information Discovery	Discovery
T1518	Software Discovery	Discovery
T1012	Query Registry	Discovery
T1057	Process Discovery	Discovery
T1069	Permission Groups Discovery	Discovery
T1120	Peripheral Device Discovery	Discovery
T1046	Network Service Discovery	Discovery
T1654	Log Enumeration	Discovery
T1083	File and Directory Discovery	Discovery
T1217	Browser Information Discovery	Discovery
T1010	Application Window Discovery	Discovery
T1087.001	Local Account	Discovery
T1552.004	Private Keys	Credential Access
T1552	Unsecured Credentials	Credential Access
T1003.003	NTDS	Credential Access
T1003.001	LSASS Memory	Credential Access
T1555.003	Credentials from Web Browsers	Credential Access
T1555	Credentials from Password Stores	Credential Access
T1110.002	Password Cracking	Credential Access
T1218	System Binary Proxy Execution	Defense Evasion
T1027.002	Software Packing	Defense Evasion
T1112	Modify Registry	Defense Evasion
T1036.005	Match Legitimate Name or Location	Defense Evasion
T1070.004	File Deletion	Defense Evasion
T1070.001	Clear Windows Event Logs	Defense Evasion
T1070.009	Clear Persistence	Defense Evasion
T1006	Direct Volume Access	Defense Evasion
T1068	Exploitation for Privilege Escalation	Privilege Escalation
T1078	Valid Accounts	Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1047	Windows Management Instrumentation	Execution
T1059.004	Unix Shell	Execution
T1059.001	PowerShell	Execution
T1059	Command and Scripting Interpreter	Execution
T1133	External Remote Services	Initial Access, Persistence
T1190	Exploit Public-Facing Application	Initial Access
T1588.005	Exploits	Resource Development
T1587.004	Exploits	Resource Development
T1584.004	Server	Resource Development
T1584.005	Botnet	Resource Development
T1583.003	Virtual Private Server	Resource Development
T1594	Search Victim-Owned Websites	Reconnaissance
T1593	Search Open Websites/Domains	Reconnaissance
T1591	Gather Victim Org Information	Reconnaissance
T1590	Gather Victim Network Information	Reconnaissance
T1589.002	Email Addresses	Reconnaissance
T1589	Gather Victim Identity Information	Reconnaissance

Cyber Threat Report: 'PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure'

Cyber Threat Graph Context

Mitigations to defend against the techniques in this report

Pre-compromise

Network Intrusion Prevention

Restrict File and Directory Permissions

Filter Network Traffic

User Account Management

Data Loss Prevention

Network Segmentation

SSL/TLS Inspection

Audit

User Training

Active Directory Configuration

Privileged Account Management

Account Use Policies

Multi-factor Authentication

Password Policies

Limit Access to Resource Over Network

Disable or Remove Feature or Program

Operating System Configuration

Encrypt Sensitive Information

Update Software

Behavior Prevention on Endpoint

Credential Access Protection

Privileged Process Integrity

Execution Prevention

Exploit Protection

Antivirus/Antimalware

Restrict Registry Permissions

Code Signing

Remote Data Storage

Threat Intelligence Program

Application Isolation and Sandboxing

Application Developer Guidance

Restrict Web-Based Content

Vulnerability Scanning

Identified MITRE ATT&CK Techniques