Volt Typhoon

Threat Actor updated 23 days ago (2024-11-29T14:53:38.672Z)

Download STIX

Preview STIX

Volt Typhoon, a state-sponsored threat actor based in China, has been identified as a significant cybersecurity risk to critical infrastructure sectors in the United States. According to Microsoft and the Five Eyes cybersecurity and intelligence agencies, Volt Typhoon has compromised IT environments of organizations across multiple sectors including water, energy, telecommunications, and transportation. The group has demonstrated strong operational security and sophisticated techniques such as obfuscating their malware and performing reconnaissance and lateral movement within compromised networks. Their activities suggest an intent to pre-position themselves on these networks for potential disruptive or destructive cyberattacks during a major crisis or conflict with the U.S. The group is also implicated in exploiting zero-day vulnerabilities, notably CVE-2023-27997, which was used against FortiOS/FortiProxy. This vulnerability was also exploited by another threat group, Earth Kasha, suggesting that these zero-day vulnerabilities may be shared among China-nexus actors or potentially provided by third-party access brokers. However, despite this similarity, the post-exploitation tactics, techniques, and procedures (TTPs) and toolsets used by Volt Typhoon and Earth Kasha are markedly different. Despite not using ransomware itself, Volt Typhoon benefits from the Ransomware-as-a-Service (RaaS) ecosystem, where ransom payments fund the development of advanced tools, escalating attack risks. The STRIKE Team's report concludes that as Volt Typhoon's botnet spreads and its tactics deepen, governments and corporations must urgently address weaknesses in legacy systems, public cloud infrastructures, and third-party networks. Without decisive action, the silent threat posed by Volt Typhoon could trigger a critical infrastructure crisis driven by unresolved vulnerabilities.

Description last updated: 2024-11-25T13:41:32.119Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
BRONZE SILHOUETTE is a possible alias for Volt Typhoon. Bronze Silhouette, also known as Volt Typhoon, is a state-sponsored cyberespionage group believed to be operating on behalf of the People's Republic of China (PRC). Notorious for its sophisticated and aggressive cyber tactics, Bronze Silhouette has been implicated in compromising critical infrastruc	6
APT41 is a possible alias for Volt Typhoon. APT41, also known as Winnti, is a threat actor suspected to be originating from China, with its activities dating back to as early as 2012. It has targeted organizations in at least 14 countries and has been associated with the use of at least 46 different code families and tools. The group's activi	4
Insidious Taurus is a possible alias for Volt Typhoon. Insidious Taurus is a potent malware linked to the cyberespionage group Volt Typhoon, also known as Vanguard Panda, Bronze Silhouette, Dev-0391, UNC3236, and Voltzite. This group, believed to be state-sponsored by the People's Republic of China (PRC), has been implicated in numerous cyberattacks aga	4
Vanguard Panda is a possible alias for Volt Typhoon. Vanguard Panda, also known as Volt Typhoon, Bronze Silhouette, Insidious Taurus, and APT41, is a cyberespionage group linked to the Chinese government. Since mid-2021, this threat actor has targeted critical infrastructure sectors including manufacturing, utility, maritime, and government entities i	3
Voltzite is a possible alias for Volt Typhoon. Voltzite, also known as Volt Typhoon, Bronze Silhouette, Vanguard Panda, and UNC3236, is a threat actor that has been linked to the People's Republic of China. The group targets operational technology (OT) networks across multiple critical infrastructure sectors, including electric power generation,	3
APT31 is a possible alias for Volt Typhoon. APT31, also known as Zirconium, is a threat actor believed to be linked to the Chinese government. This group has been associated with numerous cyber attacks, including a significant exploit of CVE-2017-0005. This exploit, dubbed "Jian," was initially attributed to APT31 but upon further analysis by	3
Sandworm is a possible alias for Volt Typhoon. Sandworm, a threat actor linked to Russia, has been identified as the primary cyber attack unit supporting Russian military activities in Ukraine. This group is notorious for its sophisticated and disruptive cyber attacks, including the compromise of 11 Ukrainian telecommunications providers which c	2
Hive is a possible alias for Volt Typhoon. Hive is a form of malware, specifically ransomware, designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Hive can steal personal information, disrupt operations, or hold data hostag	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

State Sponso...

Botnet

Exploit

Apt

Zero Day

Proxy

LOTL

Reconnaissance

Vulnerability

CISA

Webshell

Fbi

Fortiguard

Espionage

Exploits

Chinese

Microsoft

Lateral Move...

Fortinet

Known Exploi...

Ransomware

Vpn

Windows

Fortigate

China

Source

Versa

Government

Payload

Web Shell

Tool

Ics

Mandiant

Command and ...

Credentials

Cybercrime

Sophos

Fortios

Chromium

Chrome

exploited

Ivanti

Rootkit

Infiltration

Manageengine

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Winnti Threat Actor is associated with Volt Typhoon. Winnti is a threat actor group known for its malicious activities, primarily originating from Chinese Advanced Persistent Threat (APT) operational infrastructure. The group, which has been active since at least 2007, was first spotted by Kaspersky in 2013. It is associated with several aliases such	Unspecified	3
The threatActor Unc3236 is associated with Volt Typhoon.	Unspecified	2
The BlackTech Threat Actor is associated with Volt Typhoon. BlackTech, a China-linked Advanced Persistent Threat (APT) group, poses a significant cybersecurity threat due to its sophisticated and covert hacking activities. As a threat actor, BlackTech's operations involve executing actions with malicious intent, which can be attributed to individuals, privat	Unspecified	2
The APT29 Threat Actor is associated with Volt Typhoon. APT29, also known as Midnight Blizzard and linked to Russia's Foreign Intelligence Service (SVR), is a notorious threat actor that has been implicated in several high-profile cyberattacks. The group has demonstrated sophisticated capabilities, exploiting vulnerabilities such as the WinRAR 0day flaw	Unspecified	2
The Salt Typhoon Threat Actor is associated with Volt Typhoon. Salt Typhoon, also known as Earth Estries, FamousSparrow, GhostEmperor, and UNC2286, is a threat actor linked to China's Ministry of State Security. Active since at least 2020, this advanced persistent threat (APT) group has a history of targeting U.S. systems for intelligence gathering, particularl	Unspecified	2
The Flax Typhoon Threat Actor is associated with Volt Typhoon. Flax Typhoon is a threat actor reportedly linked to China that has been actively targeting Taiwan, as well as other regions globally. This group, also known by aliases such as RedJuliett and Ethereal Panda, has been implicated in cyberespionage activities against critical infrastructure entities, go	Unspecified	2

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The CVE-2023-27997 Vulnerability is associated with Volt Typhoon. CVE-2023-27997 is a critical vulnerability (with a CVSS score of 9.2) in FortiOS and FortiProxy, which could lead to remote code execution (RCE). This flaw, discovered in the software design or implementation, was reportedly exploited by Volt Typhoon, a state-sponsored actor based in China, as part	Unspecified	4
The vulnerability CVE-2024-39717 is associated with Volt Typhoon.	Unspecified	2
The CVE-2022-40684 Vulnerability is associated with Volt Typhoon. CVE-2022-40684 is a significant software vulnerability identified in Fortinet devices, specifically relating to an authentication bypass flaw. This flaw in the software design or implementation allows threat actors to exploit the vulnerability, compromising network security and providing unauthorize	Unspecified	2

Source Document References

Information about the Volt Typhoon Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Malwarebytes	a day ago	TP-Link faces US national security probe, potential ban on devices
DARKReading	a day ago	US Telco Security Efforts Ramp Up After Salt Typhoon
DARKReading	a day ago	TP-Link Router Ban Is Mostly About Politics
DARKReading	a day ago	How Nation-State Cybercriminals Are Targeting the Enterprise
DARKReading	11 days ago	Governments, Telcos Ward Off China's Hacking Typhoons
SANS ISC	11 days ago	Vulnerability Symbiosis: vSphere?s CVE-2024-38812 and CVE-2024-38813 [Guest Diary] - SANS Internet Storm Center
InfoSecurity-magazine	12 days ago	Utility Companies Face 42% Surge in Ransomware Attacks
Securityaffairs	21 days ago	T-Mobile detected network intrusion attempts and blocked them
Securelist	a month ago	Advanced threat predictions for 2025
DARKReading	a month ago	China's Cyber Offensives Helped by Private Firms, Academia
Trend Micro	a month ago	Spot the Difference: Earth Kasha's New LODEINFO Campaign And The Correlation Analysis With The APT10 Umbrella
BankInfoSecurity	a month ago	Hackers Lurking in Critical Infrastructure to Wage Attacks
Securityaffairs	a month ago	China's Volt Typhoon botnet has re-emerged
Securityaffairs	a month ago	U.S. agency cautions employees to limit phone use due to Salt Typhoon hack of telco providers
BankInfoSecurity	2 months ago	Chinese Hackers Tied to US National Security Eavesdropping
Securityaffairs	2 months ago	Sophos details five years of China-linked threat actors' activity targeting network devices worldwide
InfoSecurity-magazine	2 months ago	Sophos Warns Chinese Hackers Are Becoming Stealthier
BankInfoSecurity	2 months ago	Sophos Discloses Half Decade of Sustained Chinese Attack
DARKReading	2 months ago	China Says Seabed Sentinels Are Spying, After Trump Taps
BankInfoSecurity	2 months ago	Why Shoring Up Cyber at Rural and Small Hospitals Is Urgent