Living Off the Land: Unmasking Volt Typhoon

[Post 26 – 30 in 30]


In the digital age, the battlefield has extended beyond physical borders. Wars are no longer fought only with guns and bombs, but with code and algorithms. Cybersecurity, once a niche field, has become a paramount concern for governments, corporations, and individuals alike. A recent joint advisory from Canada, the United States, and other international cybersecurity authorities has shed light on a threat actor that has been operating quietly for years, tracked as Volt Typhoon.

Who is Volt Typhoon?

Volt Typhoon is not a person but a group: a state-sponsored cyber actor attributed to the People’s Republic of China. The advisory identifies it as a significant threat to critical infrastructure. What sets this actor apart from many others is not custom malware but its reliance on “living off the land” tactics.

These tactics rely on tools that already ship with Windows, such as wmic, ntdsutil, netsh, and PowerShell, rather than on malware dropped onto the host. Because the same binaries are run every day by legitimate administrators, Volt Typhoon’s activity blends in with normal Windows system and network activity, leaves little for signature-based antivirus to match, and is hard to separate from routine administration. It’s like a chameleon blending into its surroundings, invisible to the untrained eye.

[An infographic showing a flowchart of "living off the land" tactics used by Volt Typhoon. The flowchart starts with the actor gaining access to the system, then using built-in tools like PowerShell, and finally evading detection by blending in with normal activities.]

The Risks

The risk associated with Volt Typhoon’s activities is significant. By blending in with normal system activity, the actor can evade detection and carry out malicious activity unnoticed for long periods. This can lead to unauthorized access to sensitive information, disruption of network operations, and even damage to critical infrastructure.

Imagine a thief who doesn’t need to break into a house because they have the keys. They can come and go as they please, taking whatever they want, and you wouldn’t even know they were there. That’s the kind of threat we’re dealing with.

But it’s not just about stealing information. The potential for disruption and damage is immense. Critical infrastructure like power grids, water supply systems, and communication networks could be targeted, leading to widespread chaos and disruption.

According to Microsoft, Volt Typhoon has been targeting critical infrastructure organizations in Guam, an island hosting multiple US military bases, and elsewhere in the United States since at least mid-2021.

Their targets span a wide range of critical sectors, including government, maritime, communications, manufacturing, information technology, utilities, transportation, construction, and education.

Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.

Mitigating the Threat

So, how do we protect ourselves from this invisible threat? The joint advisory provides several key recommendations to mitigate the risks associated with Volt Typhoon’s activities. Here’s a simplified breakdown:

  1. Monitor and Audit: Keep a close eye on network activity. Look for unauthorized changes to firewall configurations and for abnormal account activity such as logons at unusual hours, from unusual hosts, or by accounts that rarely log on interactively. It’s like installing security cameras in your house. You want to be able to see if anyone is trying to break in.
  2. Centralized Logging: Forward all log files to a hardened centralized logging server, preferably on a segmented network. An actor who clears the local log cannot also clear the copy already shipped off the host, which makes it much harder to cover their tracks. It’s like having a security guard who keeps a record of everyone who comes in and out of the building.
  3. Audit Policy: Set the audit policy for Windows security logs to include “Audit Process Creation” (under Advanced Audit Policy Configuration, Detailed Tracking) and enable “Include command line in process creation events”. Every new process then produces an Event ID 4688 entry in the Windows Security log with its full command line, which is what lets you tell an administrator’s netsh from an attacker’s. One caveat: command lines can contain passwords and tokens passed as arguments, so restrict who can read the Security log and the central store it is forwarded to. It’s like having a fingerprint scanner at the entrance. You want to know exactly who is accessing your systems.
  4. Logging WMI and PowerShell Events: To hunt for malicious Windows Management Instrumentation (WMI) and PowerShell activity, turn on PowerShell script block logging and module logging (Event IDs 4104 and 4103 in the Microsoft-Windows-PowerShell/Operational log) and keep the Microsoft-Windows-WMI-Activity/Operational log enabled (Event IDs 5857 to 5861; 5861 records a permanent WMI event subscription, a common persistence technique). These tools are routinely used by cyber actors, so watching how they are used helps detect malicious activity, including commands that never touch disk.
  5. Monitor for Event ID 1102: This event is generated when the Security audit log is cleared (the System log records Event ID 104 when other logs are cleared). All Event ID 1102 entries should be investigated, since logs are rarely cleared under normal circumstances and the event records which account did it. It’s like checking if the security camera footage has been tampered with. If the logs are cleared, it could be a sign that someone is trying to hide their tracks.

[A diagram showing a network with centralized logging, audit policies, and monitoring in place. Each component is labeled and arrows show the flow of information, illustrating how these strategies work together to detect and respond to threats.]
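The steps above can be put into practice from one elevated PowerShell session. The script below is an added example written for this post; it is not code from the joint advisory or from Microsoft. It assumes Windows 10 / Server 2016 or later (older builds lack the ParentProcessName field in 4688), the four living-off-the-land binaries named above as the watch list, and a seven-day look-back window, all of which you should adjust for your own estate.

```powershell
#Requires -RunAsAdministrator
# Added example (editor's own, not code from the joint advisory or this post).
# Part 1 turns on the logging the advisory recommends; part 2 hunts the
# resulting events for the living-off-the-land binaries the advisory names.
# Assumes Windows 10 / Server 2016+ and an elevated PowerShell 5.1+ session.

# ---- Part 1: turn on the telemetry -------------------------------------

# Audit process creation (success and failure) -> Security Event ID 4688.
auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null

# Put the full command line into each 4688 event.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# PowerShell script block logging (4104) and module logging (4103), both in
# Microsoft-Windows-PowerShell/Operational.
$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
New-Item -Path "$psPolicy\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ScriptBlockLogging" -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord
New-Item -Path "$psPolicy\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ModuleLogging" -Name 'EnableModuleLogging' -Value 1 -Type DWord
New-ItemProperty -Path "$psPolicy\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# WMI activity log (Event IDs 5857-5861). It is on by default; this makes
# sure nobody switched it off.
wevtutil.exe sl 'Microsoft-Windows-WMI-Activity/Operational' /e:true

# ---- Part 2: hunt the recent Security events ----------------------------

# The LOTL binaries named in the advisory (assumed watch list; extend it).
$lotlTools = @('wmic.exe', 'ntdsutil.exe', 'netsh.exe', 'powershell.exe')
$since = (Get-Date).AddDays(-7)   # look-back window, an assumption

function Get-EventDataField {
    # Read a named <Data> field from the event XML rather than relying on the
    # positional Properties[] index, which differs between Windows builds.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$lotlHits = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-EventDataField -Event $_ -Name 'NewProcessName'
        $leaf = if ($proc) { [System.IO.Path]::GetFileName($proc).ToLowerInvariant() } else { '' }
        if ($lotlTools -contains $leaf) {
            # Parent process and user are what separate an admin's scheduled
            # netsh from a netsh spawned by a web shell or an odd account.
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = Get-EventDataField -Event $_ -Name 'SubjectUserName'
                Parent      = Get-EventDataField -Event $_ -Name 'ParentProcessName'
                Process     = $proc
                CommandLine = Get-EventDataField -Event $_ -Name 'CommandLine'
            }
        }
    }

# 1102 stores its fields under <UserData>, not <EventData>, so parse it apart.
$logCleared = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        [pscustomobject]@{
            Time      = $_.TimeCreated
            ClearedBy = $xml.Event.UserData.LogFileCleared.SubjectUserName
            Domain    = $xml.Event.UserData.LogFileCleared.SubjectDomainName
        }
    }

"== $(@($lotlHits).Count) LOTL tool executions since $since =="
$lotlHits | Sort-Object Time | Format-Table -AutoSize -Wrap
"== $(@($logCleared).Count) Security log clears (Event ID 1102) =="
$logCleared | Format-Table -AutoSize
```

Run part 1 once (or push the same settings by Group Policy so they survive a rebuild) and part 2 on a schedule, or point it at the central log server rather than the local host. Expect powershell.exe and netsh.exe to appear in legitimate use; the value of the output is the Parent, User and CommandLine columns, which are what you baseline against. Any 1102 row is a ticket, not a statistic.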

The Bigger Picture

While these recommendations are a good starting point, cybersecurity is a complex field that requires a comprehensive approach. It’s not just about setting up firewalls and installing antivirus software. It’s about understanding the threats, knowing how to detect them, and being prepared to respond when they occur.

Education and awareness are crucial. Everyone who uses digital devices and networks needs to understand the basics of cybersecurity. This includes recognizing phishing attempts, using strong, unique passwords, and keeping software and systems up to date. It’s also important to be aware of the latest vulnerabilities and threats, and to stay informed about current cybersecurity best practices.

In addition to individual actions, organizations need to have robust cybersecurity policies and procedures in place. This includes regular security audits, incident response plans, and ongoing training for staff. It’s also important to foster a culture of security, where everyone understands the importance of cybersecurity and takes responsibility for maintaining it.

Governments also have a role to play. This includes enacting legislation to protect against cybercrime, investing in cybersecurity infrastructure, and cooperating with other countries to respond to cyber threats. The joint advisory on Volt Typhoon is a good example of this kind of international cooperation.


Thanks for reading this far.

My aim with this campaign is to provide readers with valuable content, insights, and inspiration that can help in their personal and professional lives. Whether you’re looking to improve your productivity, enhance your creative strategies, or simply stay up-to-date with the latest news and ideas in cybersecurity, I’ve got something for you.

But this campaign isn’t just about sharing our knowledge and expertise with you. It’s also about building a community of like-minded IT- and security-focused individuals who are passionate about learning, growing, and collaborating. By subscribing to the blog and reading every day, you’ll have the opportunity to engage with other readers, share your own insights and experiences, and connect with people in the industry.

So why should you read every day and subscribe? Well, for starters, you’ll be getting access to some great content that you won’t find anywhere else. From practical tips and strategies to thought-provoking insights and analysis, the blog has something for everyone who wants current and topical cybersecurity information. Plus, by subscribing, you’ll never miss a post, so you can stay on top of the latest trends and ideas in the field.

But perhaps the biggest reason to join the 30-in-30 campaign is that it’s a chance to be part of something bigger than yourself. By engaging with the community, sharing your thoughts and ideas, and learning from others, you’ll be able to grow both personally and professionally. So what are you waiting for? Subscribe, and for the next 30 days and beyond, let’s learn, grow, and achieve our goals together!
