Volt Typhoon: Techniques Used to Compromise Operational Technology
In the ever-evolving landscape of cyber threats, state-sponsored actors continue to pose significant risks to critical infrastructure. One such actor from China, Volt Typhoon, has recently come into the spotlight due to its sophisticated tactics and targeted attacks on critical infrastructure organizations in the United States. They mainly gain initial access through public-facing network devices, while persistence is achieved by leveraging standard Microsoft Active Directory tools.
Their primary focus is on Operational Technology (OT) assets, which they strategically target. In this blog post, we delve into the 8 distinct techniques employed by Volt Typhoon, shedding light on their modus operandi.
1. Strategic Pre-Compromise Reconnaissance
Volt Typhoon meticulously studies its target organizations before launching attacks. Their pre-compromise reconnaissance involves:
Network Architecture Analysis: Understanding network topologies and infrastructure.
Operational Protocol Insights: Learning about security measures and typical user behaviors.
Identifying Key Staff: Recognizing key network and IT staff.
This intelligence fuels their operational security. Notably, they avoid using compromised credentials during non-working hours to evade detection.
2. Stealthy Network Infiltration: Exploiting Network Vulnerabilities
Volt Typhoon employs a calculated approach to infiltrate IT networks. Their initial access involves:
Vulnerability Exploitation:
Volt Typhoon targets known or zero-day vulnerabilities in public-facing network appliances such as routers, VPNs, and firewalls. By exploiting these weaknesses, they gain a foothold within the victim’s infrastructure.
VPN Connection:
Once inside, Volt Typhoon establishes a connection via VPN. This allows them to operate stealthily and conduct follow-on activities without triggering immediate security alerts.
3. Administrator Credential Acquisition
Volt Typhoon relentlessly pursues administrator access within targeted networks. Their methods include:
Privilege Escalation Exploits:
Volt Typhoon identifies privilege escalation vulnerabilities in operating systems or network services. By exploiting these weaknesses, they inch closer to obtaining coveted administrator credentials.
Insecurely Stored Credentials:
In some instances, Volt Typhoon strikes gold by discovering credentials insecurely stored on public-facing network appliances. These overlooked access points grant them a foothold into critical infrastructure systems.
4. Lateral Movement: Navigating to the Heart of the Network
Once Volt Typhoon gains valid credentials, they use them strategically to maintain persistence within the target network. This persistence enables them to access critical infrastructure systems without raising alarms.
Their lateral movement involves:
Administrator Credentials:
Armed with valid administrator credentials, Volt Typhoon maneuvers within the network.
Domain Controller (DC):
They target the domain controller—a critical hub for network management and authentication.
Remote Desktop Protocol (RDP):
Leveraging remote access services, Volt Typhoon hops across devices, silently advancing its mission.
5. Silent Infiltration: Unveiling Critical Insights
To blend into normal network activity, Volt Typhoon routes their traffic through compromised small office and home office (SOHO) network equipment. Routers, firewalls, and VPN hardware become conduits for their covert communication.
Their approach involves:
Discovery and Stealth:
Leveraging Living-Off-The-Land (LOTL) binaries, Volt Typhoon meticulously explores the network. These legitimate tools allow them to remain undetected while gathering crucial information.
PowerShell Queries:
A key tactic is using PowerShell for targeted queries on Windows event logs. They extract security event logs discreetly by focusing on specific users and periods.
Intelligence Extraction:
Volt Typhoon cleverly saves these logs as .dat files, minimizing the risk of detection. These files contain critical insights that aid their mission.
Sophisticated Strategy:
Volt Typhoon demonstrates a sophisticated and strategic approach to cyber operations by blending in-depth pre-compromise reconnaissance with meticulous post-exploitation intelligence collection.
6. Full Domain Compromise: Extracting the Active Directory Database
Volt Typhoon doesn’t settle for partial access. Their goal is full domain compromise, and they achieve it through a calculated process:
NTDS.dit Extraction:
The Active Directory database (NTDS.dit) is the heart of domain management. Volt Typhoon targets this centralized repository, which contains critical data—user accounts, hashed passwords, and other sensitive information.
Volume Shadow Copy Service (VSS):
To access NTDS.dit, Volt Typhoon frequently employs the Volume Shadow Copy Service. Using command-line utilities like vssadmin, they create a shadow copy—a point-in-time snapshot—of the volume hosting NTDS.dit.
Bypassing File Locking Mechanisms:
This snapshot allows them to bypass file locking mechanisms inherent in a live Windows environment. Typically, direct access to NTDS.dit is restricted while the domain controller is operational.
By mastering this method, Volt Typhoon gains unparalleled insights and leverage for further exploitation within the compromised domain.
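As an added illustration of how a defender might catch the activity described in sections 5 and 6, here is a small detection pass over constructed Windows event records. This is example code written for this post, not Volt Typhoon tooling or material from the CISA report; the event shapes, hostnames, user names and command lines are assumed samples, and the three rules flag shadow-copy creation, NTDS.dit read from a shadow copy path, and PowerShell dumping the Security log to a .dat file.

```python
import re

# Constructed sample events modelled loosely on Windows Security 4688
# (process creation) and PowerShell 4104 (script block logging) records.
# They are not real telemetry; hosts, users and command lines are made up.
SAMPLE_EVENTS = [
    {"id": 4688, "host": "dc01", "user": "CORP\\svc_backup",
     "cmdline": r"vssadmin create shadow /for=C:"},
    {"id": 4688, "host": "dc01", "user": "CORP\\svc_backup",
     "cmdline": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Windows\Temp\n.dit"},
    {"id": 4104, "host": "ws07", "user": "CORP\\jdoe",
     "cmdline": "Get-WinEvent -FilterHashtable @{LogName='Security';Id=4624} | Out-File C:\\Users\\Public\\1.dat"},
    {"id": 4688, "host": "ws07", "user": "CORP\\jdoe",
     "cmdline": r"C:\Windows\System32\notepad.exe C:\notes.txt"},
    {"id": 4104, "host": "ws07", "user": "CORP\\jdoe",
     "cmdline": "Get-Process | Sort-Object CPU"},
]

# (rule name, event id the rule applies to, pattern over the command line / script block)
RULES = [
    ("shadow-copy-created", 4688,
     re.compile(r"\bvssadmin(\.exe)?\b.*\bcreate\s+shadow\b", re.I)),
    ("ntds-dit-read-from-shadow", 4688,
     re.compile(r"HarddiskVolumeShadowCopy\d+.*\bntds\.dit\b", re.I)),
    ("security-log-dumped-to-dat", 4104,
     re.compile(r"Get-(WinEvent|EventLog)\b.*\bSecurity\b.*\.dat\b", re.I)),
]


def scan(events):
    """Return (rule name, host, user) for every event that matches a rule."""
    hits = []
    for ev in events:
        for name, event_id, pattern in RULES:
            if ev["id"] == event_id and pattern.search(ev["cmdline"]):
                hits.append((name, ev["host"], ev["user"]))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT", *hit)
```

In production the same rules would run against 4688 events with command-line auditing enabled (or Sysmon event 1) and against 4104 script block logs, and a shadow copy created on a domain controller by anything other than the backup software deserves a look on its own.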
7. Cracking Hashed Passwords
Volt Typhoon doesn’t stop at hashed secrets. They recover the underlying passwords from the hashes using offline cracking techniques:
Hash Extraction:
First, they extract the hashed passwords from the NTDS.dit file—the treasure trove of Active Directory data. These hashes are cryptographic representations of user passwords.
Cracking Arsenal:
Brute Force Attacks: Volt Typhoon employs sheer computational force, systematically trying every possible combination until they crack the hash. It’s resource-intensive but effective.
Dictionary Attacks: They leverage wordlists containing common passwords, trying each entry against the hash. If a match is found, the password is revealed.
Rainbow Tables: These precomputed tables map hashes to plaintext passwords. Volt Typhoon cross-references the hash with these tables to uncover the original password.
Elevated Access:
Successfully cracking these hashes grants Volt Typhoon actors elevated access within the network. With the keys in hand, they infiltrate and manipulate critical systems.
This offline cracking step underscores the sophistication of their cyber operations.
8. Targeting OT (Operational Technology) Assets: From Credentials to Control
Volt Typhoon's actions reveal a calculated approach:
Elevated Credentials:
Armed with elevated credentials, Volt Typhoon strategically infiltrates networks. Their focus extends beyond initial entry—they seek capabilities to access Operational Technology (OT) assets.
Testing Default OT Vendor Credentials:
Volt Typhoon actors boldly test access to domain-joined OT assets using default credentials from OT vendors. This audacious move allows them to explore critical systems discreetly.
Compromised Credentials via NTDS.dit:
In certain instances, they exploit compromised credentials stolen from the NTDS.dit file. This repository contains hashed passwords, and Volt Typhoon cracks these codes to gain entry.
Potential Disruptions:
Armed with this access, Volt Typhoon can manipulate critical infrastructure:
HVAC Systems: They could subtly alter heating, ventilation, and air conditioning (HVAC) systems in server rooms, affecting environmental conditions.
Energy and Water Controls: By disrupting energy and water controls, they could cause significant infrastructure failures.
Camera Surveillance Systems: In some cases, Volt Typhoon even accesses camera surveillance systems at critical facilities.
Lateral Movement:
In a confirmed compromise, Volt Typhoon actors moved laterally to a control system, positioning themselves for further infiltration.
Volt Typhoon’s emphasis on stealth, persistence, and data exfiltration highlights the need for robust cybersecurity measures. Organizations must remain cautious and adopt proactive defense strategies to counter state-sponsored threats like Volt Typhoon.
For more details, you can refer to the official CISA report.