Volt Typhoon
Also known as: BRONZE SILHOUETTE · Vanguard Panda · DEV-0391 · UNC3236 · Voltzite · Insidious Taurus · DazedToad
Overview
Volt Typhoon is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021, primarily targeting critical infrastructure organizations in the US and its territories, including Guam. Volt Typhoon's targeting and pattern of behavior have been assessed as pre-positioning to enable lateral movement to operational technology (OT) assets for potential destructive or disruptive attacks. Volt Typhoon has emphasized stealth in its operations, using web shells, living-off-the-land (LOTL) binaries, hands-on-keyboard activity, and stolen credentials. The group has leveraged compromised SOHO routers to proxy command and control traffic and obscure its infrastructure, activity associated with the KV botnet. Reporting indicates a separate initial access cluster, SYLVANITE, has been observed exploiting internet-facing edge devices and transferring access to Volt Typhoon, also tracked as VOLTZITE, for follow-on operations.
Capabilities
- Exploitation of public-facing / client applications — ATT&CK T1190
TTPs — 81 techniques across 13 tactics
Reconnaissance
- T1589 Gather Victim Identity Information
- T1589.002 Email Addresses
- T1590 Gather Victim Network Information
- T1590.004 Network Topology
- T1590.006 Network Security Appliances
- T1591 Gather Victim Org Information
- T1591.004 Identify Roles
- T1592 Gather Victim Host Information
- T1593 Search Open Websites/Domains
- T1594 Search Victim-Owned Websites
- T1596.005 Scan Databases
Resource Development
- T1584.003 Virtual Private Server
- T1584.004 Server
- T1584.005 Botnet
- T1584.008 Network Devices
- T1587.004 Exploits
- T1588.002 Tool
- T1588.006 Vulnerabilities
Initial Access
Execution
- T1047 Windows Management Instrumentation
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
- T1059.004 Unix Shell
Persistence
- T1133 External Remote Services
- T1505.003 Web Shell
Privilege Escalation
Stealth
- T1006 Direct Volume Access
- T1027.002 Software Packing
- T1036.005 Match Legitimate Resource Name or Location
- T1036.008 Masquerade File Type
- T1070.004 File Deletion
- T1070.007 Clear Network Connection History and Configurations
- T1078 Valid Accounts
- T1078.002 Domain Accounts
- T1140 Deobfuscate/Decode Files or Information
- T1218 System Binary Proxy Execution
- T1497.001 System Checks
Defense Impairment
- T1112 Modify Registry
- T1685.005 Clear Windows Event Logs
Credential Access
- T1003.001 LSASS Memory
- T1003.003 NTDS
- T1552 Unsecured Credentials
- T1552.004 Private Keys
- T1555 Credentials from Password Stores
- T1555.003 Credentials from Web Browsers
Discovery
- T1007 System Service Discovery
- T1010 Application Window Discovery
- T1012 Query Registry
- T1016 System Network Configuration Discovery
- T1016.001 Internet Connection Discovery
- T1018 Remote System Discovery
- T1033 System Owner/User Discovery
- T1046 Network Service Discovery
- T1049 System Network Connections Discovery
- T1057 Process Discovery
- T1069 Permission Groups Discovery
- T1069.001 Local Groups
- T1069.002 Domain Groups
- T1083 File and Directory Discovery
- T1087.001 Local Account
- T1087.002 Domain Account
- T1120 Peripheral Device Discovery
- T1124 System Time Discovery
- T1217 Browser Information Discovery
- T1518 Software Discovery
- T1614 System Location Discovery
- T1654 Log Enumeration
- T1680 Local Storage Discovery
Lateral Movement
- T1021.001 Remote Desktop Protocol
- T1570 Lateral Tool Transfer
Collection
- T1005 Data from Local System
- T1056.001 Keylogging
- T1074 Data Staged
- T1074.001 Local Data Staging
- T1113 Screen Capture
- T1560.001 Archive via Utility
Command and Control
- T1090 Proxy
- T1090.001 Internal Proxy
- T1090.003 Multi-hop Proxy
- T1105 Ingress Tool Transfer
- T1573.001 Symmetric Cryptography
Tools & malware (17)
netsh · PsExec · ipconfig · Wevtutil · VersaMem · Tasklist · Mimikatz · Ping · Impacket · Systeminfo · netstat · Nltest · certutil · Reg · FRP · cmd · Net