On May 23, 2023, the U.S., Australia, New Zealand, Canada and the U.K. issued a joint advisory about a suspected Chinese state-sponsored threat actor group that infiltrates firewalls, routers and virtual private networks (VPNs) belonging to critical infrastructure organizations. The group is primarily referred to as Volt Typhoon aka BRONZE SILHOUETTE, Dev-0391, Insidious Taurus, Storm-0391, UNC3236, VANGUARD PANDA, VOLTZITE. Volt Typhoon seeks to establish long-term, undetected persistence. It has exploited vulnerabilities in commonly used network applications from vendors including Fortinet, Ivanti Connect Secure (formerly Pulse Secure), NETGEAR, Citrix and Cisco. Its targets are in verticals such as communications, energy, transport and water and wastewater systems. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) says Volt Typhoon behavior stands out because it is not consistent with traditional cyber espionage or intelligence gathering operations. The U.S. assesses the activity is likely aimed at disrupting operational technology (OT) during a conflict.
Volt Typhoon maintained an undetected presence in some victim environments for as long as five years. This was possible because of several factors. The group practiced solid operational security. Its attacks were conducted through a botnet called the KV Botnet which was composed of compromised small and home office routers, mostly Cisco and NETGEAR routers no longer supported by security patches, that were used as proxies for intrusions. The local IP addresses of those infected devices helped Volt Typhoon keep a lower profile as it continued to gain access. On Jan. 31, 2024, the U.S. Department of Justice announced an operation that remediated hundreds of these infected routers. Once inside a network, the group relied on living-off-the-land (LOTL) techniques, or using legitimate network and administration tools in order to accomplish its goals and evade detection. These tactics, techniques and procedures (TTPs) are an effective way to blend in with normal administrative actions on a network and not raise security alarms. This group continues to be active — the U.S., Australia, New Zealand, Canada and the U.K. issued an additional technical advisory about Volt Typhoon Feb. 7, 2024, with updated TTPs and mitigations.
These techniques can be detected by threat hunting, the process of searching in security information and event management (SIEM) and logging systems for TTPs that indicate possible malicious activity. Intel 471 has developed pre-written threat hunting packages to hunt for Volt Typhoon in a variety of SIEM, endpoint detection and response (EDR) and logging systems. In this post, we will explain how to conduct threat hunting in SIEM and logging systems for signs of this dangerous threat actor group using our HUNTER platform.
Kick-Start Threat Hunting
Before a threat hunt can be started, analysts need to know how an adversary conducts intrusions. This data often comes from forensic investigations of incidents. These investigations yield common behaviors that a particular group uses in the various stages of an attack, from reconnaissance to initial access to execution, persistence and lateral movement. These behaviors are described in the MITRE ATT&CK framework, which is a knowledge base of adversary behaviors. The February 2024 advisory on Volt Typhoon from the national cybersecurity agencies contains many techniques the group employed as well as LOTL tools and commands. On page 32, the advisory describes Volt Typhoon commands seen in PowerShell’s console history. The goal is to gather commands and LOTL activity description but also make it applicable to your environment. For example:
As shown in the chart, Volt Typhoon and other threat actor groups often use the WMI command-line (WMIC) utility — a command-line interface for Windows Management Instrumentation (WMI), which is used for managing computers and servers as well as network discovery. Adversaries find it useful for the same purposes. They're trying to get into your environment, figure out what exists and what they can use to their advantage. The third command script in the chart shows the attackers tried one time to use the “wmic” command but misspelled it to “wminc.” Threat actors often make mistakes, and these can be useful clues. A hunt for the misspelled command may yield an event worth investigating (it would also be necessary to determine if the misspelled command was entered by an authorized user, which would indicate a false positive). These command-line arguments and technical indicators are useful to conduct threat hunts.
The advisory also contains indicators of compromise (IoCs) that are lower down on the Pyramid of Pain, which is the model of indicators that illustrates the relative difficulty threat actors have in changing them in order to evade detection. TTPs are at the top, while domain names, IPs and hash values are further down. The advisory contains these IoCs in Appendix B, which starts on page 36. Here is an excerpt:
If we think we have been attacked by Volt Typhoon, we can take the MD5 or SHA256 hashes of “brightmetricagent.exe” and search in our environment. IoCs such as hashes can be quick wins if a search results in a hit. They provide a quick answer to the question: “Do we see this in our environment?” But a negative hunt should not necessarily provide assurances. Threat actors frequently use crypters or packers to repack malicious code and tools, which means the lack of a detection on a single hash is no consolation. Searching for these kinds of indicators is necessary, of course. But hunting for behavior-related activity is a way to detect threat actors regardless of how their malware has been manipulated to evade signatures. To be more proactive, it’s better to focus on commands, LOTL binaries and command-line arguments that come with malicious activity.
Appendix C of CISA’s report contains a catalog of Volt Typhoon behaviors mapped to MITRE ATT&CK. Many of these techniques are seen across different threat groups, such as T1592, which is Gather Victim Host Information. It is possible to narrow down distinguishing features of a particular attack to formulate a better hypothesis about who the attacker may be. For example, we see that Volt Typhoon uses the Command and Scripting Interpreter technique (T1059) which involves manually entering PowerShell commands. Volt Typhoon also uses the same technique with the Unix shell. By picking different tactics or columns — such as valid accounts, exploitation or privilege escalation — it’s possible to paint a better picture.
If a threat hunt results in, say, five techniques that align with what Volt Typhoon uses, that could be a starting point for other hunts focused on other techniques that could be correlated to the same advanced persistent threat (APT) group. It’s not always going to be easy, and it takes some time, but that is the eventual goal. Another source for TTPs is MITRE ATT&CK, which has a list of threat groups along with TTPs associated with their activity. An analyst can then compare the TTPs in CISA’s report with MITRE ATT&CK, noting what has changed or what has stayed the same. This can aid in prioritizing what to threat hunt. If certain recent TTPs have been used in the majority of attacks, then those are the ones that could be prioritized in a hunt plan.
Intel 471 has created a Volt Typhoon hunt package collection, which is drawn from the threat intelligence reports that have been written about this group:
It isn’t an exhaustive list but covers the behaviors repeatedly used by the group. For example, one hunt package is “WMIC Windows Internal Discovery and Enumeration.” The overview describes the hunt’s goal: “This will identify the potentially malicious use of WMI (Windows Management Interface) utilized for local enumeration and discovery of a host.” The package contains pre-written threat hunt queries written in the comformant query language for a variety of SIEM and logging systems, including CarbonBlack Cloud - Investigate, CarbonBlack Response, CrowdStrike, Elastic, Microsoft Defender and Sentinel, Palo Alto Cortex XDR, QRadar Query, SentinelOne, Splunk and Trend Micro Vision One.
Above is a query to search Splunk for endpoints running Windows System Monitor, known as sysmon. The query contains query logic that looks for the different WMIC parameters that can be used to discover information about machines on the network. The query is also written for activity that might indicate an adversary is using automation instead of hands-on-keyboard. The query is looking for several times of WMIC commands that have been running in under two minutes. The reason is that if the query is run without a time limit parameter, it is more likely to collect legitimate activity. Splunk also accommodates the where command, so the query has also been set to only trigger if the number of WMIC commands entered exceeds two queries within two minutes. The goal is to try and reduce as many false positives but at the same time leave enough wiggle room to catch malicious activity. If the query returns hits, the next step is to verify that those results match the query logic. In Splunk’s results, we see events that match the WMIC commands “get,” “path” and “list” from two different time frames and two different hosts.
There are ways to dig deeper. For example, the time bucket can be lengthened. It’s possible to follow the parent process as well.
Having a pre-written, validated hunt query ready to go allows analysts to save research time and time spent writing queries. Instead, they can progress deeper into an investigation and uncover if an adversary is inside an environment. Then, the intruder can be removed before an incident escalates. Happy hunting!
