The US Cybersecurity and Infrastructure Security Agency (CISA) has an urgent message for US businesses: watch out for Volt Typhoon, a threat actor sponsored by the People’s Republic of China (PRC).

The agency's joint Cybersecurity Advisory (CSA) published last week highlights a cluster of tactics, techniques, and procedures (TTPs) associated with the cyber actor—including their use of living off the land (LOTL) techniques.

In this blog, we'll review Volt Typhoon, dig into how they evade detection, discuss CISA's protective recommendations, and see how Malwarebytes EDR can help eliminate such threats.

Who is Volt Typhoon?

Given their ties to the Chinese government, it’s fair to label Volt Typhoon as an Advanced Persistent Threat (APT) group.

Well-funded and made up of an elite squadron of hackers, APT groups target high-value entities like governments, large corporations, or critical infrastructure. They often deploy multi-stage, multi-vector approaches with a high degree of obfuscation and persistence.

Volt Typhoon is no exception.

Since their arrival on the scene in mid-2021, Volt Typhoon has targeted several critical infrastructure organizations in Guam and elsewhere in the United States. Their victims come from a wide-range of industries, including communications, government, information technology (IT), education, and more.

Observed behavior suggests that the aim of Volt Typhoon is, like most APT groups, not a quick hit but a long-term presence within a system, allowing them to gather as much information as possible while remaining undetected.

Now that we know the basics of who Volt Typhoon is and what they’re after, let's dive into the specifics of their tools, techniques, and procedures (TTPs).

How Volt Typhoon evades detection

At the heart of Volt Typhoon’s espionage campaigns are their use of living off the land (LOTL) attacks, which are instances when attackers leverage legitimate tools to evade detection.

The fact that so much of the CISA advisory revolves around Volt Typhoon’s use of LOTL techniques emphasizes that these types of threats are a serious concern. By mimicking normal system behavior, LOTL attacks make it extremely difficult for IT teams and security solutions to detect any signs of malicious activities.

Script Block Logging records all blocks of code as they’re executed by PowerShell, which could you point to suspicious activity. Source.

Some of the built-in tools Volt Typhoon uses are wmic, ntdsutil, netsh, and PowerShell.

Let’s look at two examples of how Volt Typhoon uses LOTL attacks at different stages in the attack chain.

LOTL Example #1: Reconnaissance

Volt Typhoon gathers information about local drives using the wmic command, which is a part of the legitimate Windows Management Instrumentation (WMI) toolset.

This command line tool lets them gather details like drive letter, filesystem type, free space, and volume name without needing administrative privileges.

Understanding the storage layout and capacity of the host machine in this way can, for example, help them tailor their tools and techniques to the specific system.

cmd.exe /C "wmic path win32_logicaldisk get caption,filesystem,freespace,size,volumename"

LOTL Example #2: Credential Access

Volt Typhoon attempts to capture two vital assets from Windows Domain Controllers (DCs): the ntds.dit file and the SYSTEM registry hive. Both of these contain a wealth of data, including user details, group affiliations, and encrypted passwords—all of which can be goldmines for unauthorized actors.

To access this information, they utilize the built-in Windows service called Volume Shadow Copy Service. This service helps them create clones of the ntds.dit file and the SYSTEM registry hive, both typically locked due to their importance.

These cloned copies allow Volt Typhoon to avoid modifying the original files, thereby maintaining stealth. By acquiring these files, the attackers can work towards decrypting passwords offline without raising alarms.

cmd /c vssadmin create shadow /for=C: > C:\Windows\Temp\<filename>.tmp

cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.ditC:\Windows\Temp > C:\Windows\Temp\<filename>.tmp

CISA best practices

Uncovering LOTL attacks such as the type that Volt Typhoon uses requires picking up on subtle anomalies or patterns in system behaviors.

Likewise, CISAs advice to businesses emphasizes the importance of enhancing detection of potential LOTL attacks through robust logging mechanisms, inspecting abnormal account activities, and more:

CISA Advice Description
Enhance monitoring and logging Use advanced monitoring systems to track unusual IP addresses, abnormal account activity, and suspicious process creations. Enable "audit process creation," "include command line in process creation events," WMI Tracing, and deep PowerShell logging in Windows security logs.
Harden systems and networks Improve domain controller security and limit port proxy usage. Regularly check firewall configurations and keep a hardened centralized logging server, preferably on a separate network.
Maintain regular checks Regularly validate the use of administrator privileges and scrutinize all log clearances (Event ID 1102 entries) for intrusion signs. Enable consistent logging on edge devices and network-level logging to identify potential exploitation and lateral movement.

Malwarebytes EDR

Suspicious Activity monitoring with Malwarebytes can detect possible LOTL techniques like the type Volt Typhoon uses. Let's take the the LOTL Example #2—Credential Access—we explained earlier.

As we described, the actor is trying to exfiltrate the ntds.dit file and the SYSTEM registry hive out of the network to perform password cracking, which is an example of OS Credential Access defined as T1003 by MITRE.

Using Malwarebytes EDR, we can find suspicious activity like this and quickly isolate the endpoint with which it's associated.

The "dumping" occurs when the `ntds.dit file` and the SYSTEM registry hive are copied from the original (and typically inaccessible due to being locked) location to the `C:\Windows\Temp directory`. This process is effectively extracting or "dumping" the data into a new, more accessible location.

Luckily, Malwarebytes EDR alerted us to this suspicious process and, after investigation, we were able to remediate the endpoint with which the suspicious activity was associated with. 

Responding to nation-state sponsored attacks quickly and effectively

The recent information on Volt Typhoon's activities has catapulted them to the top of cybersecurity concerns for businesses and organizations across the United States.

Sponsored by the Chinese state, Volt Typhoon employs a gamut of stealthy techniques that make their activities challenging to detect. Chief among these tactics is the use of Living Off the Land (LOTL) techniques and leveraging built-in tools—like wmic, ntdsutil, netsh, and PowerShell—for infiltration and persistence within target networks.

To combat these advanced persistent threats, businesses should pair CISA's recommendations with tools like Malwarebytes EDR to identify and isolate the suspicious activities typical of LOTL attacks.

For organizations without the expertise to manage EDR solutions, Managed Detection and Response (MDR) services are also an attractive option.

MDR services offer access to experienced security analysts who can monitor and respond to threats 24/7, detect and respond to APT threats like Volt Typhoon quickly and effectively, and provide ongoing tuning and optimization of EDR solutions to ensure maximum protection.

Stop APT attacks today