Volt Typhoon

Threat Actor updated 5 months ago (2024-11-29T14:53:38.672Z)
Volt Typhoon is a state-sponsored threat actor based in China that Microsoft and the Five Eyes cybersecurity and intelligence agencies assess to be a significant risk to critical infrastructure in the United States. It has compromised the IT environments of organizations across multiple sectors, including water, energy, telecommunications, and transportation. The group maintains strong operational security: it relies mainly on living-off-the-land techniques (built-in Windows administration tools and hands-on-keyboard activity rather than custom malware), routes its command-and-control traffic through compromised small-office/home-office routers and other edge devices so that it blends in with normal traffic, and performs careful reconnaissance and lateral movement inside the networks it compromises. These activities point to pre-positioning on those networks for potential disruptive or destructive cyberattacks during a major crisis or conflict with the U.S.

Volt Typhoon has also exploited vulnerabilities in internet-facing edge devices, notably CVE-2023-27997, a heap-based buffer overflow in the FortiOS/FortiProxy SSL-VPN component that was reportedly exploited as a zero-day. The same vulnerability was also exploited by another threat group, Earth Kasha, which suggests that exploits for such vulnerabilities may be shared among China-nexus actors or supplied by third-party access brokers. Despite that overlap, the post-exploitation tactics, techniques, and procedures (TTPs) and toolsets of Volt Typhoon and Earth Kasha are markedly different.

The STRIKE Team's report (SecurityScorecard) argues that, although Volt Typhoon does not deploy ransomware itself, it benefits indirectly from the Ransomware-as-a-Service (RaaS) ecosystem, where ransom payments fund the development of advanced tooling that raises the overall attack risk. The report concludes that as Volt Typhoon's botnet of compromised SOHO routers spreads and its tactics deepen, governments and corporations must urgently address weaknesses in legacy systems, public cloud infrastructures, and third-party networks. Without decisive action, the silent threat posed by Volt Typhoon could trigger a critical infrastructure crisis driven by unresolved vulnerabilities.
Description last updated: 2024-11-25T13:41:32.119Z
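Because the group leans on built-in tools rather than malware, signature-based detection finds little; hunting has to look at process command lines and correlate several techniques on one host. The script below is an added example and is not code from this page, from Cybergeist, or from any vendor or agency report. It scans constructed Windows process-creation records in a made-up "timestamp|host|user|parent_image|commandline" format and applies the author's own regexes, modelled on the command lines published in the joint CISA/Five Eyes advisories on Volt Typhoon (reg save of registry hives, ntdsutil IFM extraction of ntds.dit, wmic disk enumeration, netsh portproxy relays), then escalates only hosts that show more than one technique.

```python
"""
Hunt for Volt Typhoon-style living-off-the-land (LOTL) tradecraft in
Windows process-creation telemetry.

Added example, not code from the original page or from any vendor or agency
report. The log format ("timestamp|host|user|parent_image|commandline") and
the log lines themselves are constructed for this example. The rules are the
author's own regexes modelled on command lines published in the joint
CISA/Five Eyes advisories on Volt Typhoon.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    host: str
    user: str
    technique: str
    commandline: str


# (technique label, regex applied to the lower-cased command line)
RULES = [
    # reg save of the SAM/SYSTEM/SECURITY hives: offline extraction of local secrets
    ("cred-dump: registry hive save",
     re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b")),
    # ntdsutil "ifm" writes an Install-From-Media copy that includes ntds.dit
    ("cred-dump: ntdsutil IFM copy of ntds.dit",
     re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b")),
    # wmic volume/disk enumeration seen during hands-on-keyboard reconnaissance
    ("recon: wmic logical disk enumeration",
     re.compile(r"\bwmic(\.exe)?\s+path\s+win32_logicaldisk\b")),
    # netsh portproxy turns a host into a TCP relay; admins use it too, hence triage()
    ("relay: netsh portproxy listener added",
     re.compile(r"\bnetsh(\.exe)?\s+interface\s+portproxy\s+add\b")),
]


def parse_line(line):
    """Split one telemetry line into its fields; return None for malformed lines."""
    parts = line.strip().split("|", 4)
    if len(parts) != 5:
        return None
    ts, host, user, parent, cmd = parts
    return {"ts": ts, "host": host, "user": user, "parent": parent, "cmd": cmd}


def scan(lines):
    """Return one Hit per (line, rule) match. Matching is case-insensitive."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        lowered = rec["cmd"].lower()
        for label, rx in RULES:
            if rx.search(lowered):
                hits.append(Hit(rec["host"], rec["user"], label, rec["cmd"]))
    return hits


def triage(hits, min_techniques=2):
    """Escalate hosts showing at least min_techniques distinct techniques.

    One LOTL command is weak evidence on its own; several distinct techniques
    on the same host is the pattern the advisories describe.
    """
    by_host = defaultdict(set)
    for h in hits:
        by_host[h.host].add(h.technique)
    return {host: sorted(t) for host, t in by_host.items() if len(t) >= min_techniques}


# Constructed sample telemetry: a domain controller showing three techniques,
# a file server with a single portproxy command, a benign workstation, and
# one malformed line that the parser must skip.
SAMPLE_LOG = [
    '2024-11-20T03:12:44Z|DC01|CORP\\svc_backup|cmd.exe|ntdsutil.exe "ac i ntds" "ifm" "create full C:\\Windows\\Temp\\pro" q q',
    '2024-11-20T03:14:01Z|DC01|CORP\\svc_backup|cmd.exe|cmd.exe /C "reg save hklm\\sam ss.dat"',
    '2024-11-20T03:15:22Z|DC01|CORP\\svc_backup|cmd.exe|cmd.exe /C "wmic path win32_logicaldisk get caption,filesystem,freespace,size,volumename"',
    '2024-11-20T03:20:05Z|FS02|CORP\\jdoe|cmd.exe|netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=9999 connectaddress=10.1.2.3 connectport=8443 protocol=tcp',
    '2024-11-20T08:01:10Z|WS17|CORP\\helpdesk|explorer.exe|notepad.exe C:\\Users\\helpdesk\\notes.txt',
    '2024-11-20T08:02:30Z|WS17|CORP\\helpdesk|cmd.exe|netsh interface show interface',
    'garbage line without the expected fields',
]


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.host} {h.user}: {h.technique}: {h.commandline}")
    print("escalate:", triage(scan(SAMPLE_LOG)))
```

On the sample data DC01 is escalated (three distinct techniques) while FS02's lone portproxy command is reported but not escalated; in production the same rules would run over Sysmon event 1 or Security event 4688 command lines, and the threshold would be tuned against the environment's own administrative baseline.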
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at. Vote counts are from the shared dataset; several entries are vendor names for the same cluster, while others are distinct groups that were voted in by mistake and are marked as such below.

BRONZE SILHOUETTE (6 votes): Bronze Silhouette is Secureworks' name for Volt Typhoon, a state-sponsored cyberespionage group believed to be operating on behalf of the People's Republic of China (PRC). Known for its sophisticated and patient tradecraft, Bronze Silhouette has been implicated in compromising critical infrastruc…

Insidious Taurus (4 votes): Insidious Taurus is Palo Alto Networks Unit 42's name for the cyberespionage group Volt Typhoon, which is also tracked as Vanguard Panda, Bronze Silhouette, DEV-0391, UNC3236, and Voltzite. The group, believed to be state-sponsored by the People's Republic of China (PRC), has been implicated in numerous cyberattacks aga…

APT41 (4 votes): APT41, also known as Winnti, is a threat actor suspected to be originating from China, with its activities dating back to as early as 2012. It has targeted organizations in at least 14 countries and has been associated with the use of at least 46 different code families and tools. The group's activi… Note: vendors track APT41 as a separate China-nexus group, not as a name for the Volt Typhoon cluster.

Vanguard Panda (3 votes): Vanguard Panda is CrowdStrike's name for Volt Typhoon, also known as Bronze Silhouette and Insidious Taurus, a cyberespionage group linked to the Chinese government. Since mid-2021, this threat actor has targeted critical infrastructure sectors including manufacturing, utility, maritime, and government entities i…

APT31 (3 votes): APT31, also known as Zirconium, is a threat actor believed to be linked to the Chinese government. This group has been associated with numerous cyber attacks, including a significant exploit of CVE-2017-0005. This exploit, dubbed "Jian," was initially attributed to APT31 but upon further analysis by… Note: APT31 is a separate China-nexus group and is not a vendor name for Volt Typhoon.

Voltzite (3 votes): Voltzite is Dragos' name for Volt Typhoon, also known as Bronze Silhouette, Vanguard Panda, and UNC3236, a threat actor that has been linked to the People's Republic of China. The group targets operational technology (OT) networks across multiple critical infrastructure sectors, including electric power generation, …

Hive (2 votes): Hive is a form of malware, specifically ransomware, designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Hive can steal personal information, disrupt operations, or hold data hostag… Note: Hive is a ransomware family and its operation, not an alias of Volt Typhoon, which is not known to deploy ransomware.

Sandworm (2 votes): Sandworm, a threat actor linked to Russia, has been identified as the primary cyber attack unit supporting Russian military activities in Ukraine. This group is notorious for its sophisticated and disruptive cyber attacks, including the compromise of 11 Ukrainian telecommunications providers which c… Note: Sandworm is a Russian military intelligence unit and is not an alias of the China-based Volt Typhoon.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance (tags as captured, some truncated): Malware, Botnet, State Sponso..., Apt, Exploit, Proxy, CISA, Zero Day, Reconnaissance, Vulnerability, LOTL, Fortinet, Ransomware, Windows, Vpn, Known Exploi..., Lateral Move..., Webshell, Fbi, Espionage, Exploits, Chinese, Fortiguard, Microsoft, Fortigate, Versa, Source, China, Infiltration, Uk, exploited, Fortios, Cybercrime, Web Shell, Apache, Manageengine, Government, Payload, Tool, Ics, Mandiant, Command and ..., Credentials, Chromium, Chrome, Ivanti, Rootkit, Sophos.
Associated Threat Actors
Threat actors the dataset associates with Volt Typhoon (association type is "Unspecified" for all entries; vote counts are from the shared dataset). Several are unrelated China-nexus or Russian groups that merely co-occur in reporting.

Flax Typhoon (3 votes): Flax Typhoon is a threat actor reportedly linked to China that has been actively targeting Taiwan, as well as other regions globally. This group, also known by aliases such as RedJuliett and Ethereal Panda, has been implicated in cyberespionage activities against critical infrastructure entities, go…

Salt Typhoon (3 votes): Salt Typhoon, also known as Earth Estries, FamousSparrow, GhostEmperor, and UNC2286, is a threat actor linked to China's Ministry of State Security. Active since at least 2020, this advanced persistent threat (APT) group has a history of targeting U.S. systems for intelligence gathering, particularl…

Winnti (3 votes): Winnti is a threat actor group known for its malicious activities, primarily originating from Chinese Advanced Persistent Threat (APT) operational infrastructure. The group, which has been active since at least 2007, was first documented by Kaspersky in 2013. It is associated with several aliases such…

BlackTech (2 votes): BlackTech, a China-linked Advanced Persistent Threat (APT) group, poses a significant cybersecurity threat due to its sophisticated and covert hacking activities. As a threat actor, BlackTech's operations involve executing actions with malicious intent, which can be attributed to individuals, privat…

APT29 (2 votes): APT29, also known as Midnight Blizzard and linked to Russia's Foreign Intelligence Service (SVR), is a notorious threat actor that has been implicated in several high-profile cyberattacks. The group has demonstrated sophisticated capabilities, exploiting vulnerabilities such as the WinRAR 0day flaw… Note: APT29 is a Russian group with no known link to Volt Typhoon.

UNC3236 (2 votes): UNC3236 is Mandiant's designation for the Volt Typhoon cluster, so this is a vendor name for the same actor rather than a separate group.

Mustang Panda (2 votes): Mustang Panda, a China-aligned Advanced Persistent Threat (APT) group, has been identified as a significant cyber threat actor involved in a series of malicious activities. Notably, Mustang Panda was found to be associated with the BRONZE PRESIDENT phishing lure, which delivered PlugX and used modif…
Associated Vulnerabilities
Vulnerabilities the dataset associates with Volt Typhoon (association type is "Unspecified" for all entries; vote counts are from the shared dataset).

CVE-2023-27997 (4 votes): CVE-2023-27997 is a critical vulnerability (CVSS 9.2 per Fortinet's advisory) in the SSL-VPN component of FortiOS and FortiProxy: a heap-based buffer overflow reachable before authentication that can lead to remote code execution (RCE). It was reportedly exploited by Volt Typhoon, a state-sponsored actor based in China, as part…

CVE-2022-40684 (2 votes): CVE-2022-40684 is an authentication bypass in the administrative interface of Fortinet FortiOS, FortiProxy, and FortiSwitchManager. Crafted HTTP or HTTPS requests let an unauthenticated attacker perform administrative operations, compromising network security and providing unauthorize…

CVE-2024-39717 (2 votes): CVE-2024-39717 is an unrestricted file upload in the Versa Director management interface ("Change Favicon" feature) that allows an authenticated user with administrative-level privileges to upload a malicious file such as a web shell. Lumen's Black Lotus Labs attributed in-the-wild exploitation of this vulnerability against ISPs and MSPs to Volt Typhoon in August 2024.
Source Document References
Information about the Volt Typhoon Threat Actor was read from the documents corpus below (display limited to 20 results; only the publisher and the age of each document at the time of capture were preserved): Securityaffairs (21 hours ago); Krebs on Security (6 days ago); Securityaffairs (8 days ago); Securityaffairs (8 days ago); InfoSecurity-magazine (11 days ago); ESET (11 days ago); InfoSecurity-magazine (18 days ago); Securityaffairs (a month ago); InfoSecurity-magazine (a month ago); InfoSecurity-magazine (a month ago); InfoSecurity-magazine (2 months ago); Malwarebytes (4 months ago); DARKReading (4 months ago); DARKReading (4 months ago); DARKReading (4 months ago); DARKReading (4 months ago); SANS ISC (4 months ago); InfoSecurity-magazine (4 months ago); Securityaffairs (5 months ago); Securelist (5 months ago).