Volt Typhoon

Threat Actor updated 18 hours ago (2024-11-20T18:17:12.428Z)
Volt Typhoon, a cyberespionage cluster sponsored by China, has emerged as a significant threat actor in the cybersecurity landscape. Known for its strong operational security and malware obfuscation, Volt Typhoon is both a resilient botnet and a warning signal of potential critical infrastructure crises. The group's tactics are adaptive and multifaceted: when exposed, it digs deeper rather than retreating. In August 2023, the actors exploited a zero-day vulnerability in Versa Director, tracked as CVE-2024-39717, to deploy a custom webshell on breached networks.

In the U.S., Volt Typhoon has compromised IT environments across multiple critical infrastructure sectors, including water, energy, telecommunications, and transportation, which potentially provides a launching pad for disruptive attacks. Although it does not use ransomware directly, Volt Typhoon benefits from the Ransomware-as-a-Service (RaaS) ecosystem, in which ransom payments fund advanced tooling that escalates attack risk, particularly through third-party and cloud dependencies. Within a span of 37 days, the group compromised 30% of visible Cisco RV320/325 routers, end-of-life devices that make ideal entry points.

The STRIKE Team's discoveries underscore the expanding threat posed by Volt Typhoon. As the botnet spreads and its tactics deepen, governments and corporations urgently need to address weaknesses in legacy systems, public cloud infrastructure, and third-party networks. Despite efforts to disrupt the botnet, Volt Typhoon remains active and continues to pre-position itself on IT networks for possible disruptive or destructive cyberattacks against U.S. critical infrastructure, especially in times of major crisis or conflict with the United States.
Description last updated: 2024-11-15T15:59:22.191Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names / profiles you may also want to look at.
Alias | Description | Votes

BRONZE SILHOUETTE is a possible alias for Volt Typhoon (6 votes). Bronze Silhouette, also known as Volt Typhoon, is a state-sponsored cyberespionage group believed to be operating on behalf of the People's Republic of China (PRC). Notorious for its sophisticated and aggressive cyber tactics, Bronze Silhouette has been implicated in compromising critical infrastruc

APT41 is a possible alias for Volt Typhoon (4 votes). APT41, also known as Winnti, is a threat actor suspected to be originating from China, with its activities dating back to as early as 2012. It has targeted organizations in at least 14 countries and has been associated with the use of at least 46 different code families and tools. The group's activi

Insidious Taurus is a possible alias for Volt Typhoon (4 votes). Insidious Taurus is a potent malware linked to the cyberespionage group Volt Typhoon, also known as Vanguard Panda, Bronze Silhouette, Dev-0391, UNC3236, and Voltzite. This group, believed to be state-sponsored by the People's Republic of China (PRC), has been implicated in numerous cyberattacks aga

Voltzite is a possible alias for Volt Typhoon (3 votes). Voltzite, also known as Volt Typhoon, Bronze Silhouette, Vanguard Panda, and UNC3236, is a threat actor that has been linked to the People's Republic of China. The group targets operational technology (OT) networks across multiple critical infrastructure sectors, including electric power generation,

Vanguard Panda is a possible alias for Volt Typhoon (3 votes). Vanguard Panda, also known as Volt Typhoon, Bronze Silhouette, Insidious Taurus, and APT41, is a cyberespionage group linked to the Chinese government. Since mid-2021, this threat actor has targeted critical infrastructure sectors including manufacturing, utility, maritime, and government entities i

APT31 is a possible alias for Volt Typhoon (3 votes). APT31, also known as Zirconium, is a threat actor believed to be linked to the Chinese government. This group has been associated with numerous cyber attacks, including a significant exploit of CVE-2017-0005. This exploit, dubbed "Jian," was initially attributed to APT31 but upon further analysis by

Hive is a possible alias for Volt Typhoon (2 votes). Hive is a form of malware, specifically ransomware, designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Hive can steal personal information, disrupt operations, or hold data hostag

Sandworm is a possible alias for Volt Typhoon (2 votes). Sandworm, a threat actor linked to Russia, has been identified as the primary cyber attack unit supporting Russian military activities in Ukraine. This group is notorious for its sophisticated and disruptive cyber attacks, including the compromise of 11 Ukrainian telecommunications providers which c
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
State Sponso...
Botnet
Apt
Exploit
Proxy
Zero Day
CISA
Vulnerability
Reconnaissance
LOTL
Webshell
Fbi
Lateral Move...
Exploits
Microsoft
Fortiguard
Fortinet
Espionage
Known Exploi...
Ransomware
Vpn
Windows
Chinese
Fortigate
China
Versa
Payload
Source
Tool
Ics
Mandiant
Command and ...
Credentials
Web Shell
Uk
Cybercrime
Chromium
Fortios
Chrome
exploited
Ivanti
Rootkit
Sophos
Infiltration
Manageengine
Associated Threat Actors
Alias | Description | Association Type | Votes

The Winnti Threat Actor is associated with Volt Typhoon (association type: Unspecified; 3 votes). Winnti is a threat actor group known for its malicious activities, primarily originating from Chinese Advanced Persistent Threat (APT) operational infrastructure. The group, which has been active since at least 2007, was first spotted by Kaspersky in 2013. It is associated with several aliases such

The Flax Typhoon Threat Actor is associated with Volt Typhoon (association type: Unspecified; 2 votes). Flax Typhoon is a threat actor reportedly linked to China that has been actively targeting Taiwan, as well as other regions globally. This group, also known by aliases such as RedJuliett and Ethereal Panda, has been implicated in cyberespionage activities against critical infrastructure entities, go

The BlackTech Threat Actor is associated with Volt Typhoon (association type: Unspecified; 2 votes). BlackTech, a China-linked Advanced Persistent Threat (APT) group, poses a significant cybersecurity threat due to its sophisticated and covert hacking activities. As a threat actor, BlackTech's operations involve executing actions with malicious intent, which can be attributed to individuals, privat

The APT29 Threat Actor is associated with Volt Typhoon (association type: Unspecified; 2 votes). APT29, also known as Midnight Blizzard and linked to Russia's Foreign Intelligence Service (SVR), is a notorious threat actor that has been implicated in several high-profile cyberattacks. The group has demonstrated sophisticated capabilities, exploiting vulnerabilities such as the WinRAR 0day flaw

The Salt Typhoon Threat Actor is associated with Volt Typhoon (association type: Unspecified; 2 votes). Salt Typhoon, a China-linked Advanced Persistent Threat (APT) group also known as FamousSparrow and GhostEmperor, has been active since at least 2020. The group has conducted cyber-espionage campaigns targeting governments, the tech industry, and most notably, U.S. internet service providers (ISPs).

The threat actor Unc3236 is associated with Volt Typhoon (association type: Unspecified; 2 votes).
Associated Vulnerabilities
Alias | Description | Association Type | Votes

The CVE-2023-27997 Vulnerability is associated with Volt Typhoon (association type: Unspecified; 4 votes). CVE-2023-27997 is a critical vulnerability (with a CVSS score of 9.2) in FortiOS and FortiProxy, which could lead to remote code execution (RCE). This flaw, discovered in the software design or implementation, was reportedly exploited by Volt Typhoon, a state-sponsored actor based in China, as part

The vulnerability CVE-2024-39717 is associated with Volt Typhoon (association type: Unspecified; 2 votes).

The CVE-2022-40684 Vulnerability is associated with Volt Typhoon (association type: Unspecified; 2 votes). CVE-2022-40684 is a significant software vulnerability identified in Fortinet devices, specifically relating to an authentication bypass flaw. This flaw in the software design or implementation allows threat actors to exploit the vulnerability, compromising network security and providing unauthorize
Source Document References
Information about the Volt Typhoon Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created At

Trend Micro | 5 hours ago
BankInfoSecurity | 6 days ago
Securityaffairs | 6 days ago
Securityaffairs | 10 days ago
BankInfoSecurity | 15 days ago
Securityaffairs | 19 days ago
InfoSecurity-magazine | 19 days ago
BankInfoSecurity | 20 days ago
DARKReading | 21 days ago
BankInfoSecurity | 23 days ago
BankInfoSecurity | a month ago
Securityaffairs | a month ago
BankInfoSecurity | 2 months ago
Securityaffairs | 2 months ago
DARKReading | 2 months ago
InfoSecurity-magazine | 2 months ago
DARKReading | 2 months ago
DARKReading | 2 months ago
DARKReading | 2 months ago
DARKReading | 2 months ago