WHAT is VOLT TYPHOON?

The more correct question is WHO is Volt Typhoon? Volt Typhoon is a state-supported Chinese cyber operation. As detailed in an advisory released 8 Feb 2024, the ACSC reported that Volt Typhoon has compromised thousands of internet-connected devices as part of a larger effort to infiltrate western critical infrastructure, including naval ports, internet service providers, communications services, and utilities.

The operation works by exploiting vulnerabilities in small and end-of-life routers, firewalls, and virtual private networks (VPNs), often using administrator credentials and stolen passwords, or taking advantage of outmoded tech that hasn’t had regular security updates. It uses “living off the land” techniques, whereby their malware only uses existing resources in the operating system of what it’s targeting, rather than introducing a new (and more discoverable) file.

FBI director Christopher Wray described Volt Typhoon as ‘the defining threat of our generation’. Rather than stealing secrets, US and allied intelligence services said it was focused on “pre-positioning” itself for future acts of sabotage.

According to a report by CISA, the National Security Agency, and the FBI, Volt Typhoon hackers have kept this access for the last five years, and even though they only focused on US infrastructure, the breach probably impacted the US’s “Five Eyes” partners of Canada, Australia, New Zealand, and the UK.

HOW DOES it WORK?

Volt Typhoon exploits security flaws in a few ways:

  1. Exploiting Vulnerabilities: It exploits vulnerabilities in small and end-of-life routers, firewalls, and virtual private networks (VPNs). These are often devices that use administrator credentials and/or have not had regular security updates. It’s also known to exploit public-facing Fortinet FortiGuard devices, ManageEngine ADSelfService Plus CVE-2021-40539 RCE, NETGEAR, Citrix, Cisco and FatPipe CVE-2021-27860 RCE vulnerabilities for initial access.
  2. Living off the Land: Volt Typhoon uses a technique known as “living off the land”. This means the malware only uses existing resources in the operating system of what it’s targeting, rather than introducing a new (and more discoverable) file.
  3. Abusing Legitimate Software: It abuses legitimate software and network administration tools as a means of hiding its nefarious traffic.
  4. Pre-compromise Reconnaissance: It performs extensive pre-compromise reconnaissance and exploitation of known zero-day vulnerabilities in public-facing network appliances.

These techniques allow Volt Typhoon to gain initial access to their target’s environment via stolen credentials of valid accounts, and maintain this access for an extended period of time.

HOW to PROTECT YOUR ORGANISATION?

The ACSC advises that the following actions are taken as soon as possible to mitigate Volt Typhoon activity:
  • Apply patches for internet-facing systems. Prioritize patching critical vulnerabilities in appliances known to be frequently exploited by Volt Typhoon.
  • Implement phishing-resistant MFA.
  • Ensure logging is turned on for application, access, and security logs and store logs in a central system.
In addition, the advisory provides detailed mitigation recommendations for IT network administrators. The ACSC provides a comprehensive list of recommendations for detecting if your organisation has been breached by Volt Typhoon that includes:
  • Applying ‘Living off the Land’ detection best practices
  • Reviewing application, security, and system event logs
  • Monitoring and reviewing OT system logs
  • Using gait to detect possible network proxy activities
  • Reviewing logins for impossible travel, and
  • Reviewing standard directories for unusual files
If your organisation has been breached, they provide a specific incident response approach that instructs an organisation to:
  • Sever the enterprise network from the internet.
  • Reset credentials of privileged and non-privileged accounts within the trust boundary of each compromised account.
  • Audit all network appliance and edge device configurations with indicators of malicious activity for signs of unauthorized or malicious configuration changes.
  • Report the compromise to an authoring agency.
  • For organizations with cloud or hybrid environments, apply best practices for identity and credential access management.
  • Reconnect to the internet.
  • Minimize and control use of remote access tools and protocols.
  • Consider sharing technical information with an authoring agency and/or a sector specific information sharing and analysis centre.

The Essential Eight

If your organisation’s security follows the Essential Eight security framework, you have probably already defended yourself against Volt Typhoon, because the three key mitigation actions that the ACSC recommends for Volt Typhoon are part of the Essential Eight. If your organisation doesn’t follow the Essential Eight, Frame Secure can quickly evaluate your security risks and give you remediation advice. Fill in the Contact Information below and one of our consultants will get in touch with you.