Volt Typhoon targets US critical infrastructure with living-off-the-land techniques
AI Analysis
Technical Summary
Volt Typhoon is a threat actor group identified as targeting critical infrastructure, primarily within the United States, using sophisticated living-off-the-land (LotL) techniques. LotL methods involve leveraging legitimate system tools and processes to conduct malicious activities, thereby evading traditional detection mechanisms that focus on known malware signatures or anomalous binaries. This approach allows the adversary to maintain persistence, conduct reconnaissance, and potentially disrupt operations without deploying easily identifiable payloads. The threat is characterized by high confidence in analytic judgment and an almost-certain likelihood of activity, as reported by CIRCL OSINT Feed. Although specific technical details and affected software versions are not disclosed, the targeting of telecoms and critical infrastructure sectors suggests a focus on systems integral to national communications and operational continuity. The absence of known exploits or patches indicates that the threat leverages existing system capabilities rather than exploiting newly discovered vulnerabilities. The use of LotL techniques complicates detection and mitigation, requiring advanced monitoring of legitimate tool usage and behavior analytics. Given the high severity rating and the strategic importance of telecom infrastructure, Volt Typhoon represents a significant threat vector capable of impacting operational integrity and availability of critical services.
Potential Impact
For European organizations, the direct impact of Volt Typhoon may currently be limited due to the primary targeting of US critical infrastructure. However, the techniques employed by this threat actor—particularly living-off-the-land tactics—are broadly applicable and could be adopted or adapted to target European telecom and critical infrastructure sectors. If such tactics were employed against European entities, the impact could include unauthorized access, disruption of telecom services, data exfiltration, and potential degradation of critical infrastructure availability. Given the interconnected nature of global telecom networks and supply chains, disruptions in one region can cascade, affecting service quality and security in Europe. Furthermore, the sophistication of LotL techniques challenges traditional security controls, potentially leading to prolonged undetected intrusions and increased risk of operational disruption. European organizations in telecom and critical infrastructure sectors should be aware of this threat actor’s modus operandi and prepare for similar tactics that could be directed at their networks.
Mitigation Recommendations
Mitigation should focus on enhancing detection and response capabilities tailored to living-off-the-land techniques. Specific recommendations include:
1) Implement advanced endpoint detection and response (EDR) solutions capable of behavioral analysis to identify anomalous use of legitimate tools such as PowerShell, WMI, and remote management utilities.
2) Establish strict application whitelisting policies and monitor execution of scripts and binaries that are not part of normal operations.
3) Conduct regular threat hunting exercises focused on identifying unusual patterns of legitimate tool usage and lateral movement within networks.
4) Harden telecom infrastructure by segmenting networks, enforcing least privilege access controls, and monitoring for unusual administrative activities.
5) Enhance logging and centralized monitoring to capture detailed telemetry from critical systems, enabling rapid investigation of suspicious activities.
6) Provide targeted training for security teams on recognizing LotL tactics and developing incident response playbooks specific to such threats.
7) Collaborate with industry information sharing groups to stay updated on emerging tactics and indicators related to Volt Typhoon and similar actors.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Indicators of Compromise
SHA-256 hashes of Volt Typhoon custom FRP executables:
- hash: baeffeb5fdef2f42a752c65c2d2a52e84fb57efc906d981f89dd518c314e231c
- hash: b4f7c5e3f14fb57be8b5f020377b993618b6e3532a4e1eb1eae9976d4130cc74
- hash: 4b0c4170601d6e922cf23b1caf096bba2fade3dfcf92f0ab895a5f0b9a310349
- hash: c0fc29a52ec3202f71f6378d9f7f9a8a3a10eb19acb8765152d758aded98c76d
- hash: d6ab36cb58c6c8c3527e788fc9239d8dcc97468b6999cf9ccd8a815c8b4a80af
- hash: 9dd101caee49c692e5df193b236f8d52a07a2030eed9bd858ed3aaccb406401a
- hash: 450437d49a7e5530c6fb04df2e56c3ab1553ada3712fab02bd1eeb1f1adbc267
- hash: 93ce3b6d2a18829c0212542751b309dacbdc8c1d950611efe2319aa715f3a066
- hash: 7939f67375e6b14dfa45ec70356e91823d12f28bbd84278992b99e0d2c12ace5
- hash: 389a497f27e1dd7484325e8e02bbdf656d53d5cf2601514e9b8d8974befddf61
- hash: c4b185dbca490a7f93bc96eefb9a597684fdf532d5a04aa4d9b4d4b1552c283b
- hash: e453e6efc5a002709057d8648dbe9998a49b9a12291dee390bb61c98a58b6e95
- hash: 6036390a2c81301a23c9452288e39cb34e577483d121711b6ba6230b29a3c9ff
- hash: cd69e8a25a07318b153e01bba74a1ae60f8fc28eb3d56078f448461400baa984
- hash: 17506c2246551d401c43726bdaec800f8d41595d01311cf38a19140ad32da2f4
- hash: 8fa3e8fdbaa6ab5a9c44720de4514f19182adc0c9c6001c19cf159b79c0ae9c2
- hash: d17317e1d5716b09cee904b8463a203dc6900d78ee2053276cc948e4f41c8295
- hash: 472ccfb865c81704562ea95870f60c08ef00bcd2ca1d7f09352398c05be5d05d
- hash: 3e9fc13fab3f8d8120bd01604ee50ff65a40121955a4150a6d2c007d34807642
- link: https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
- text: Microsoft has uncovered stealthy and targeted malicious activity focused on post-compromise credential access and network system discovery aimed at critical infrastructure organizations in the United States. The attack is carried out by Volt Typhoon, a state-sponsored actor based in China that typically focuses on espionage and information gathering. Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises. Volt Typhoon has been active since mid-2021 and has targeted critical infrastructure organizations in Guam and elsewhere in the United States. In this campaign, the affected organizations span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. Observed behavior suggests that the threat actor intends to perform espionage and maintain access without being detected for as long as possible.
- text: Blog
- text: Microsoft
- comment: Find commands creating domain controller installation media. This query can identify domain controller installation media creation commands similar to those used by Volt Typhoon.
- text: Kusto Query Language
```kql
DeviceProcessEvents
| where ProcessCommandLine has_all ("ntdsutil", "create full", "pro")
```
- text: Microsoft
- comment: Find commands establishing internal proxies. This query can identify commands that establish internal proxies similar to those used by Volt Typhoon.
- text: Kusto Query Language
```kql
DeviceProcessEvents
| where ProcessCommandLine has_all ("portproxy", "netsh", "wmic", "process call create", "v4tov4")
```
- comment: Find detections of custom FRP executables. This query can identify alerts on files that match the SHA-256 hashes of known Volt Typhoon custom FRP binaries.
- text: Kusto Query Language
```kql
AlertEvidence
| where SHA256 in (
    'baeffeb5fdef2f42a752c65c2d2a52e84fb57efc906d981f89dd518c314e231c',
    'b4f7c5e3f14fb57be8b5f020377b993618b6e3532a4e1eb1eae9976d4130cc74',
    '4b0c4170601d6e922cf23b1caf096bba2fade3dfcf92f0ab895a5f0b9a310349',
    'c0fc29a52ec3202f71f6378d9f7f9a8a3a10eb19acb8765152d758aded98c76d',
    'd6ab36cb58c6c8c3527e788fc9239d8dcc97468b6999cf9ccd8a815c8b4a80af',
    '9dd101caee49c692e5df193b236f8d52a07a2030eed9bd858ed3aaccb406401a',
    '450437d49a7e5530c6fb04df2e56c3ab1553ada3712fab02bd1eeb1f1adbc267',
    '93ce3b6d2a18829c0212542751b309dacbdc8c1d950611efe2319aa715f3a066',
    '7939f67375e6b14dfa45ec70356e91823d12f28bbd84278992b99e0d2c12ace5',
    '389a497f27e1dd7484325e8e02bbdf656d53d5cf2601514e9b8d8974befddf61',
    'c4b185dbca490a7f93bc96eefb9a597684fdf532d5a04aa4d9b4d4b1552c283b',
    'e453e6efc5a002709057d8648dbe9998a49b9a12291dee390bb61c98a58b6e95',
    '6036390a2c81301a23c9452288e39cb34e577483d121711b6ba6230b29a3c9ff',
    'cd69e8a25a07318b153e01bba74a1ae60f8fc28eb3d56078f448461400baa984',
    '17506c2246551d401c43726bdaec800f8d41595d01311cf38a19140ad32da2f4',
    '8fa3e8fdbaa6ab5a9c44720de4514f19182adc0c9c6001c19cf159b79c0ae9c2',
    'd17317e1d5716b09cee904b8463a203dc6900d78ee2053276cc948e4f41c8295',
    '472ccfb865c81704562ea95870f60c08ef00bcd2ca1d7f09352398c05be5d05d',
    '3e9fc13fab3f8d8120bd01604ee50ff65a40121955a4150a6d2c007d34807642'
)
```
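The three hunting queries above, re-implemented as an added Python example (this is not the page's or Microsoft's code) so the matching logic can be run offline against constructed sample telemetry. The term lists and the SHA-256 set are taken from the queries on this page; the `DeviceName` column, all hostnames, and every sample command line and alert hash are constructed for the example, and KQL `has_all` is approximated as case-insensitive substring matching, which is slightly broader than KQL's term-based `has`.

```python
"""Added example (not code from this page or from Microsoft): the three Kusto
hunting queries above re-implemented in plain Python so their matching logic
can be exercised offline against constructed telemetry."""

# SHA-256 values of the custom FRP executables listed on this page.
FRP_SHA256 = frozenset(
    h.lower()
    for h in """
baeffeb5fdef2f42a752c65c2d2a52e84fb57efc906d981f89dd518c314e231c
b4f7c5e3f14fb57be8b5f020377b993618b6e3532a4e1eb1eae9976d4130cc74
4b0c4170601d6e922cf23b1caf096bba2fade3dfcf92f0ab895a5f0b9a310349
c0fc29a52ec3202f71f6378d9f7f9a8a3a10eb19acb8765152d758aded98c76d
d6ab36cb58c6c8c3527e788fc9239d8dcc97468b6999cf9ccd8a815c8b4a80af
9dd101caee49c692e5df193b236f8d52a07a2030eed9bd858ed3aaccb406401a
450437d49a7e5530c6fb04df2e56c3ab1553ada3712fab02bd1eeb1f1adbc267
93ce3b6d2a18829c0212542751b309dacbdc8c1d950611efe2319aa715f3a066
7939f67375e6b14dfa45ec70356e91823d12f28bbd84278992b99e0d2c12ace5
389a497f27e1dd7484325e8e02bbdf656d53d5cf2601514e9b8d8974befddf61
c4b185dbca490a7f93bc96eefb9a597684fdf532d5a04aa4d9b4d4b1552c283b
e453e6efc5a002709057d8648dbe9998a49b9a12291dee390bb61c98a58b6e95
6036390a2c81301a23c9452288e39cb34e577483d121711b6ba6230b29a3c9ff
cd69e8a25a07318b153e01bba74a1ae60f8fc28eb3d56078f448461400baa984
17506c2246551d401c43726bdaec800f8d41595d01311cf38a19140ad32da2f4
8fa3e8fdbaa6ab5a9c44720de4514f19182adc0c9c6001c19cf159b79c0ae9c2
d17317e1d5716b09cee904b8463a203dc6900d78ee2053276cc948e4f41c8295
472ccfb865c81704562ea95870f60c08ef00bcd2ca1d7f09352398c05be5d05d
3e9fc13fab3f8d8120bd01604ee50ff65a40121955a4150a6d2c007d34807642
""".split()
)

# Term sets copied from the page's two DeviceProcessEvents queries.
DC_MEDIA_TERMS = ("ntdsutil", "create full", "pro")
PORTPROXY_TERMS = ("portproxy", "netsh", "wmic", "process call create", "v4tov4")


def has_all(command_line: str, terms: tuple) -> bool:
    """Approximate KQL has_all(): every term must occur in the command line,
    case-insensitively. KQL 'has' matches whole indexed terms, so this
    substring test is slightly broader; treat hits as leads to review."""
    haystack = command_line.lower()
    return all(term.lower() in haystack for term in terms)


def hunt_process_events(events: list) -> dict:
    """Apply both command-line hunts to DeviceProcessEvents-shaped records
    and return the matching events grouped by hunt name."""
    hits = {"dc_install_media": [], "internal_proxy": []}
    for event in events:
        cmd = event.get("ProcessCommandLine", "")
        if has_all(cmd, DC_MEDIA_TERMS):
            hits["dc_install_media"].append(event)
        if has_all(cmd, PORTPROXY_TERMS):
            hits["internal_proxy"].append(event)
    return hits


def hunt_alert_evidence(evidence: list) -> list:
    """Apply the AlertEvidence hunt: keep records whose SHA256 is a known
    FRP hash. Normalising case avoids missing upper-case hashes."""
    return [e for e in evidence if e.get("SHA256", "").lower() in FRP_SHA256]


# Constructed sample telemetry. Column names mirror the Defender tables the
# queries read from (DeviceName is assumed); every value is invented, and the
# suspicious command lines only string the page's terms together.
SAMPLE_PROCESS_EVENTS = [
    {"DeviceName": "dc01", "ProcessCommandLine": 'ntdsutil.exe "create full C:\\pro"'},
    {"DeviceName": "dc01", "ProcessCommandLine": "ntdsutil.exe snapshot list"},
    {"DeviceName": "srv07", "ProcessCommandLine": 'wmic process call create "netsh portproxy v4tov4"'},
    {"DeviceName": "srv07", "ProcessCommandLine": "netsh interface show interface"},
]
SAMPLE_ALERT_EVIDENCE = [
    # Known FRP hash, deliberately upper-cased to exercise normalisation.
    {"DeviceName": "srv07", "SHA256": "BAEFFEB5FDEF2F42A752C65C2D2A52E84FB57EFC906D981F89DD518C314E231C"},
    {"DeviceName": "ws12", "SHA256": "0" * 64},  # placeholder, not a real hash
]


def run_all_hunts() -> dict:
    """Run the three hunts on the sample data; return hit counts per hunt."""
    proc = hunt_process_events(SAMPLE_PROCESS_EVENTS)
    return {
        "dc_install_media": len(proc["dc_install_media"]),
        "internal_proxy": len(proc["internal_proxy"]),
        "frp_hash_matches": len(hunt_alert_evidence(SAMPLE_ALERT_EVIDENCE)),
    }


if __name__ == "__main__":
    for hunt, count in run_all_hunts().items():
        print(f"{hunt}: {count} hit(s)")
```

Running the file reports one hit per hunt: the two benign admin command lines (a snapshot listing and an interface listing) do not match because each lacks at least one required term, which is the property that keeps these hunts usable on domain controllers and jump hosts where ntdsutil and netsh are used legitimately. The hash hunt is the most precise of the three but also the most brittle, since a recompiled FRP binary changes its SHA-256; the two command-line hunts survive that and are the ones worth scheduling. In a real environment run the KQL in Advanced Hunting rather than exporting tables, and route hits to an analyst instead of blocking automatically, given the broader substring matching noted above.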
Technical Details
- Uuid: 99f9138a-c8f8-44aa-9a0c-3736d74c2df3
- Original Timestamp: 1731934053 (Unix epoch seconds, i.e. 2024-11-18 12:47:33 UTC)
Threat ID: 68367c0a182aa0cae2311cd3
Added to database: 5/28/2025, 2:59:22 AM
Last enriched: 6/27/2025, 9:35:03 AM
Last updated: 8/16/2025, 7:07:28 PM