Subject: Volt Typhoon Engagement
Tactics: TA0003 Persistence
Technique: T1190 Exploit Public-Facing Application, T1552 Unsecured Credentials, T1078 Valid Accounts
Procedure:
Volt Typhoon actors rely on valid accounts for persistence. They first gain initial access to a network by exploiting vulnerabilities in public-facing applications. Then, they obtain administrator credentials and maintain persistence on the network. They are known to use compromised credentials for follow-on activities, such as logging into the victim’s network via VPN.
Vulnerability: EAV0001, EAV0002
EAV0001: When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time.
EAV0002: When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse.
Engagement Opportunity:
Organizations can use this as an opportunity to engage with the Volt Typhoon actors by setting up honeypots with decoy credentials. This can be used to gather intelligence on their tools, techniques, and procedures (TTPs) and disrupt their operations.
Threat Actor: Volt Typhoon (also known as Vanguard Panda, BRONZE SILHOUETTE, Dev-0391, UNC3236, Voltzite, and Insidious Taurus)
Threat Objective:
The primary objective of Volt Typhoon actors is to maintain persistence on networks to enable the disruption of critical infrastructure. They achieve this by first conducting reconnaissance to learn about the target organization. Then, they compromise user accounts, perform discovery, and move laterally within the network. They also develop capabilities and acquire infrastructure.
Deception Opportunity:
Organizations can use deception to counter Volt Typhoon’s malicious activities by creating a convincing decoy network with fake critical infrastructure. This can be used to lure them away from real assets and plant misinformation to confuse them or lead them into a trap.
Sensor Data Placement: Application
Observable Level: Core to Adversary-Brought Tool
Scoring Rationale:
The data for the analytic comes from within the victim’s network, such as the PowerShell console history, making the sensor data placement “Application”. The observable level is “Core to Adversary-Brought Tool” because the analytic focuses on the tools and techniques used by Volt Typhoon, which are specific to their operations but not necessarily fundamental to the underlying tactic of persistence.
Link to Report: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
Link to Report II.:
Additional Comments:
Possible elements: Deceptive User Account with Canary Tokens
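A defender-side detection for the Deceptive User Account with Canary Tokens element and for the decoy-credential honeypot described under Engagement Opportunity: added example code, not from the advisory or this template, that alerts on any logon attempt by a planted decoy account in VPN and Windows logon lines and lists the decoy accounts that went from a VPN login to a host logon, the follow-on pattern in the procedure above. Decoy account names, both log formats and the sample lines are constructed assumptions.

```python
import re

# Decoy accounts planted as bait (constructed names); assumed never used legitimately,
# so any logon attempt with one of them is a high-fidelity canary signal.
DECOY_ACCOUNTS = {"svc_backup_admin", "ot_maint"}

# Constructed log shapes (not a vendor's real format):
#   VPN gateway:   "<ts> vpn-gw sslvpn: user=<name> src=<ip> result=<success|failure>"
#   Windows logon: "<ts> EventID=4624 TargetUserName=<name> IpAddress=<ip> LogonType=<n>"
VPN_RE = re.compile(r"^(?P<ts>\S+) \S+ sslvpn: user=(?P<user>\S+) src=(?P<ip>\S+) result=(?P<result>\S+)")
WIN_RE = re.compile(r"^(?P<ts>\S+) EventID=4624 TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)")

def parse_logon(line):
    """Normalise one line to (ts, source, user, ip, success), or None if unrecognised."""
    if m := VPN_RE.match(line):
        return (m["ts"], "vpn", m["user"], m["ip"], m["result"] == "success")
    if m := WIN_RE.match(line):
        return (m["ts"], "windows", m["user"], m["ip"], True)  # 4624 is a successful logon
    return None

def find_decoy_logons(lines, decoys=DECOY_ACCOUNTS):
    """One alert per line that uses a decoy account. A failure still matters (someone
    holds the bait name); a success means the decoy credential itself has leaked."""
    wanted = {d.lower() for d in decoys}
    alerts = []
    for ts, source, user, ip, ok in filter(None, map(parse_logon, lines)):
        if user.lower() in wanted:
            alerts.append({"ts": ts, "source": source, "user": user, "ip": ip,
                           "severity": "critical" if ok else "high"})
    return alerts

def follow_on_accounts(alerts):
    """Decoy accounts that succeeded on the VPN and were later used for a host logon:
    the 'VPN login, then follow-on activity' pattern in the procedure above."""
    first_vpn = {}
    for a in alerts:
        if a["source"] == "vpn" and a["severity"] == "critical":
            first_vpn.setdefault(a["user"], a["ts"])  # ISO-8601 timestamps sort as strings
    return sorted(u for u, ts in first_vpn.items()
                  if any(a["source"] == "windows" and a["user"] == u and a["ts"] > ts for a in alerts))

SAMPLE_LOGS = [  # constructed sample lines; addresses are from documentation and private ranges
    "2024-02-07T03:14:22Z vpn-gw sslvpn: user=jdoe src=198.51.100.7 result=success",
    "2024-02-07T03:15:01Z vpn-gw sslvpn: user=svc_backup_admin src=203.0.113.45 result=failure",
    "2024-02-07T03:15:09Z vpn-gw sslvpn: user=svc_backup_admin src=203.0.113.45 result=success",
    "2024-02-07T03:21:40Z EventID=4624 TargetUserName=svc_backup_admin IpAddress=10.20.0.8 LogonType=3",
    "2024-02-07T03:22:05Z EventID=4624 TargetUserName=jdoe IpAddress=10.0.0.5 LogonType=2",
]
```

Because a decoy account has no legitimate user, a failed attempt is as actionable as a success: either way the bait name has left the place it was planted.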
MSG (Pseudocode):
# Malicious Sub-Graph Standard
# Node Format:
# [Node ID]: [Tactic] - [Technique] - [Procedure] ([Observable Level])
# Edge Format:
# [Source Node ID] --> [Destination Node ID] ([Exploited Vulnerability])
# Example: Volt Typhoon Attack Graph
[1]: Initial Access - Exploit Public-Facing Application (T1190) - Exploit vulnerabilities in networking appliances (Core to Adversary-Brought Tool)
[2]: Credential Access - Unsecured Credentials (T1552) - Obtain credentials from public-facing appliances (Core to Adversary-Brought Tool)
[3]: Persistence - Valid Accounts (T1078) - Use compromised credentials for follow-on activities (Core to Adversary-Brought Tool)
1 --> 2 (Lack of Vulnerability Patching)
2 --> 3 (Lack of User Awareness)
# Pseudocode Standard
# Function Format:
# function [Tactic]_[Technique]([Input]):
# [Procedure]
# return [Output]
# Example: Volt Typhoon Pseudocode
function Initial_Access_Exploit_Public_Facing_Application(public_facing_application):
# Exploit vulnerabilities in networking appliances such as Fortinet, Ivanti (formerly Pulse Secure), NETGEAR, Citrix, and Cisco
return initial_access
function Credential_Access_Unsecured_Credentials(initial_access):
# Obtain administrator credentials from the compromised public-facing appliance (node [2] in the graph above)
return administrator_credentials
function Persistence_Valid_Accounts(administrator_credentials):
# Use administrator_credentials for follow-on activities, such as logging into the victim's network via VPN
# Maintain persistence on the network using the valid accounts
return persistence