Volt Typhoon

Threat Actor updated 15 days ago (2024-11-29T14:53:38.672Z)
Download STIX
Preview STIX
Volt Typhoon, a state-sponsored threat actor based in China, has been identified as a significant cybersecurity risk to critical infrastructure sectors in the United States. According to Microsoft and the Five Eyes cybersecurity and intelligence agencies, Volt Typhoon has compromised IT environments of organizations across multiple sectors including water, energy, telecommunications, and transportation. The group has demonstrated strong operational security and sophisticated techniques such as obfuscating their malware and performing reconnaissance and lateral movement within compromised networks. Their activities suggest an intent to pre-position themselves on these networks for potential disruptive or destructive cyberattacks during a major crisis or conflict with the U.S. The group is also implicated in exploiting zero-day vulnerabilities, notably CVE-2023-27997, which was used against FortiOS/FortiProxy. This vulnerability was also exploited by another threat group, Earth Kasha, suggesting that these zero-day vulnerabilities may be shared among China-nexus actors or potentially provided by third-party access brokers. However, despite this similarity, the post-exploitation tactics, techniques, and procedures (TTPs) and toolsets used by Volt Typhoon and Earth Kasha are markedly different. Despite not using ransomware itself, Volt Typhoon benefits from the Ransomware-as-a-Service (RaaS) ecosystem, where ransom payments fund the development of advanced tools, escalating attack risks. The STRIKE Team's report concludes that as Volt Typhoon's botnet spreads and its tactics deepen, governments and corporations must urgently address weaknesses in legacy systems, public cloud infrastructures, and third-party networks. Without decisive action, the silent threat posed by Volt Typhoon could trigger a critical infrastructure crisis driven by unresolved vulnerabilities.
Description last updated: 2024-11-25T13:41:32.119Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
BRONZE SILHOUETTE is a possible alias for Volt Typhoon. Bronze Silhouette, also known as Volt Typhoon, is a state-sponsored cyberespionage group believed to be operating on behalf of the People's Republic of China (PRC). Notorious for its sophisticated and aggressive cyber tactics, Bronze Silhouette has been implicated in compromising critical infrastruc
6
APT41 is a possible alias for Volt Typhoon. APT41, also known as Winnti, is a threat actor suspected to be originating from China, with its activities dating back to as early as 2012. It has targeted organizations in at least 14 countries and has been associated with the use of at least 46 different code families and tools. The group's activi
4
Insidious Taurus is a possible alias for Volt Typhoon. Insidious Taurus is a potent malware linked to the cyberespionage group Volt Typhoon, also known as Vanguard Panda, Bronze Silhouette, Dev-0391, UNC3236, and Voltzite. This group, believed to be state-sponsored by the People's Republic of China (PRC), has been implicated in numerous cyberattacks aga
4
Voltzite is a possible alias for Volt Typhoon. Voltzite, also known as Volt Typhoon, Bronze Silhouette, Vanguard Panda, and UNC3236, is a threat actor that has been linked to the People's Republic of China. The group targets operational technology (OT) networks across multiple critical infrastructure sectors, including electric power generation,
3
Vanguard Panda is a possible alias for Volt Typhoon. Vanguard Panda, also known as Volt Typhoon, Bronze Silhouette, Insidious Taurus, and APT41, is a cyberespionage group linked to the Chinese government. Since mid-2021, this threat actor has targeted critical infrastructure sectors including manufacturing, utility, maritime, and government entities i
3
APT31 is a possible alias for Volt Typhoon. APT31, also known as Zirconium, is a threat actor believed to be linked to the Chinese government. This group has been associated with numerous cyber attacks, including a significant exploit of CVE-2017-0005. This exploit, dubbed "Jian," was initially attributed to APT31 but upon further analysis by
3
Hive is a possible alias for Volt Typhoon. Hive is a form of malware, specifically ransomware, designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Hive can steal personal information, disrupt operations, or hold data hostag
2
Sandworm is a possible alias for Volt Typhoon. Sandworm, a threat actor linked to Russia, has been identified as the primary cyber attack unit supporting Russian military activities in Ukraine. This group is notorious for its sophisticated and disruptive cyber attacks, including the compromise of 11 Ukrainian telecommunications providers which c
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Botnet
State Sponso...
Apt
Exploit
Proxy
Zero Day
Vulnerability
Reconnaissance
CISA
LOTL
Webshell
Fbi
Lateral Move...
Exploits
Microsoft
Fortiguard
Fortinet
Espionage
Known Exploi...
Ransomware
Vpn
Windows
Chinese
Fortigate
China
Versa
Payload
Source
Tool
Ics
Mandiant
Command and ...
Credentials
Web Shell
Uk
Cybercrime
Chromium
Fortios
Chrome
exploited
Ivanti
Rootkit
Sophos
Infiltration
Manageengine
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Winnti Threat Actor is associated with Volt Typhoon. Winnti is a threat actor group known for its malicious activities, primarily originating from Chinese Advanced Persistent Threat (APT) operational infrastructure. The group, which has been active since at least 2007, was first spotted by Kaspersky in 2013. It is associated with several aliases such Unspecified
3
The Flax Typhoon Threat Actor is associated with Volt Typhoon. Flax Typhoon is a threat actor reportedly linked to China that has been actively targeting Taiwan, as well as other regions globally. This group, also known by aliases such as RedJuliett and Ethereal Panda, has been implicated in cyberespionage activities against critical infrastructure entities, goUnspecified
2
The BlackTech Threat Actor is associated with Volt Typhoon. BlackTech, a China-linked Advanced Persistent Threat (APT) group, poses a significant cybersecurity threat due to its sophisticated and covert hacking activities. As a threat actor, BlackTech's operations involve executing actions with malicious intent, which can be attributed to individuals, privatUnspecified
2
The APT29 Threat Actor is associated with Volt Typhoon. APT29, also known as Midnight Blizzard and linked to Russia's Foreign Intelligence Service (SVR), is a notorious threat actor that has been implicated in several high-profile cyberattacks. The group has demonstrated sophisticated capabilities, exploiting vulnerabilities such as the WinRAR 0day flaw Unspecified
2
The Salt Typhoon Threat Actor is associated with Volt Typhoon. Salt Typhoon, also known as Earth Estries, FamousSparrow, GhostEmperor, and UNC2286, is a threat actor linked to China's Ministry of State Security. Active since at least 2020, this advanced persistent threat (APT) group has a history of targeting U.S. systems for intelligence gathering, particularlUnspecified
2
The threatActor Unc3236 is associated with Volt Typhoon. Unspecified
2
Associated Vulnerabilities
To see the evidence that has resulted in these vulnerability associations, create a free account
Alias DescriptionAssociation TypeVotes
The CVE-2023-27997 Vulnerability is associated with Volt Typhoon. CVE-2023-27997 is a critical vulnerability (with a CVSS score of 9.2) in FortiOS and FortiProxy, which could lead to remote code execution (RCE). This flaw, discovered in the software design or implementation, was reportedly exploited by Volt Typhoon, a state-sponsored actor based in China, as part Unspecified
4
The vulnerability CVE-2024-39717 is associated with Volt Typhoon. Unspecified
2
The CVE-2022-40684 Vulnerability is associated with Volt Typhoon. CVE-2022-40684 is a significant software vulnerability identified in Fortinet devices, specifically relating to an authentication bypass flaw. This flaw in the software design or implementation allows threat actors to exploit the vulnerability, compromising network security and providing unauthorizeUnspecified
2
Source Document References
Information about the Volt Typhoon Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
InfoSecurity-magazine
4 days ago
Securityaffairs
13 days ago
Securelist
19 days ago
DARKReading
19 days ago
Trend Micro
23 days ago
BankInfoSecurity
a month ago
Securityaffairs
a month ago
Securityaffairs
a month ago
BankInfoSecurity
a month ago
Securityaffairs
a month ago
InfoSecurity-magazine
a month ago
BankInfoSecurity
a month ago
DARKReading
a month ago
BankInfoSecurity
a month ago
BankInfoSecurity
2 months ago
Securityaffairs
2 months ago
BankInfoSecurity
2 months ago
Securityaffairs
3 months ago
DARKReading
3 months ago
InfoSecurity-magazine
3 months ago