Insidious Taurus (PA), Vanguard Panda, DEV-0391
Volt Typhoon, a state-sponsored APT group linked to the PRC, targets U.S. critical infrastructure, particularly operational technology (OT) environments like communications, energy, and water systems. The group maintains persistence for future attacks using stealthy tactics. It operates under various aliases, including Vanguard Panda and DEV-0391.
According to CISA, Volt Typhoon actors may have attempted to move laterally from on-premises to a cloud environment in at least one case, but attribution was inconclusive. Investigation revealed anomalous login attempts to an Azure tenant, potentially using credentials previously compromised through theft of NTDS.dit. These attempts, coupled with misconfigured virtual machines with open RDP ports, suggested a potential for cloud-based lateral movement.
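The two observations CISA describes (cloud sign-ins from unexpected sources by accounts whose credentials exist in an on-premises NTDS.dit, and virtual machines with RDP reachable from anywhere) are both things a defender can hunt for in sign-in logs and network rules. The following Python is an added example, not code from the page or from CISA: it runs a simple detector over constructed sample records. The record field names (`user`, `on_prem_synced`, `ip`, `result`, and the NSG-style rule fields) and the corporate egress range are assumptions, not any product's real schema.

```python
"""Flag two indicators of on-prem-to-cloud lateral movement over constructed sample data:
  1. sign-ins by on-prem-synced accounts from IPs outside the organization's known egress
     ranges (the population exposed when NTDS.dit is stolen);
  2. inbound network rules exposing RDP (TCP/3389) to any source.
All field names and sample values below are constructed for this example."""
import ipaddress

# Constructed: the organization's known internet egress ranges (documentation prefix).
KNOWN_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample sign-in records (schema is an assumption, not a product's log format).
SIGNIN_LOGS = [
    {"user": "svc-backup@corp.example", "on_prem_synced": True,  "ip": "203.0.113.10", "result": "success"},
    {"user": "svc-backup@corp.example", "on_prem_synced": True,  "ip": "198.51.100.7", "result": "failure"},
    {"user": "svc-backup@corp.example", "on_prem_synced": True,  "ip": "198.51.100.7", "result": "failure"},
    {"user": "svc-backup@corp.example", "on_prem_synced": True,  "ip": "198.51.100.7", "result": "success"},
    {"user": "jdoe@corp.example",       "on_prem_synced": True,  "ip": "203.0.113.22", "result": "success"},
    {"user": "cloudonly@corp.example",  "on_prem_synced": False, "ip": "198.51.100.9", "result": "success"},
]

# Constructed sample inbound rules in an NSG-like shape (assumed field names).
NSG_RULES = [
    {"vm": "vm-web-01", "direction": "Inbound", "access": "Allow", "protocol": "Tcp", "port": "3389",      "source": "*"},
    {"vm": "vm-db-01",  "direction": "Inbound", "access": "Allow", "protocol": "Tcp", "port": "3389",      "source": "203.0.113.0/24"},
    {"vm": "vm-web-01", "direction": "Inbound", "access": "Allow", "protocol": "Tcp", "port": "443",       "source": "*"},
    {"vm": "vm-jump-01","direction": "Inbound", "access": "Allow", "protocol": "*",   "port": "3000-4000", "source": "0.0.0.0/0"},
]


def is_known_source(ip: str) -> bool:
    """True if the IP falls inside one of the organization's known egress ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_EGRESS)


def find_anomalous_signins(logs, min_events: int = 2):
    """Return {(user, ip): (failures, successes)} for on-prem-synced accounts signing in
    from unknown IPs. A pair is reported if it has any success (a credential that worked
    from an unexpected place) or at least min_events attempts (password-guessing pattern).
    Cloud-only accounts are skipped because an NTDS.dit theft does not expose them."""
    counts = {}
    for rec in logs:
        if not rec["on_prem_synced"] or is_known_source(rec["ip"]):
            continue
        key = (rec["user"], rec["ip"])
        failures, successes = counts.get(key, (0, 0))
        if rec["result"] == "success":
            successes += 1
        else:
            failures += 1
        counts[key] = (failures, successes)
    return {k: v for k, v in counts.items() if v[1] > 0 or v[0] + v[1] >= min_events}


def _port_matches(spec: str, port: int) -> bool:
    """Match a rule's port spec ("*", "3389", or a range like "3000-4000") against a port."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) <= port <= int(hi)
    return int(spec) == port


def find_exposed_rdp(rules, port: int = 3389):
    """Return sorted VM names with an inbound Allow rule reaching TCP/3389 from any source."""
    any_source = {"*", "Internet", "0.0.0.0/0"}
    exposed = set()
    for r in rules:
        if r["direction"] != "Inbound" or r["access"] != "Allow":
            continue
        if r["protocol"] not in ("Tcp", "*") or not _port_matches(r["port"], port):
            continue
        if r["source"] in any_source:
            exposed.add(r["vm"])
    return sorted(exposed)


if __name__ == "__main__":
    for (user, ip), (f, s) in find_anomalous_signins(SIGNIN_LOGS).items():
        print(f"anomalous cloud sign-in: {user} from {ip} ({f} failed, {s} succeeded)")
    for vm in find_exposed_rdp(NSG_RULES):
        print(f"RDP exposed to any source: {vm}")
```

On the constructed data this reports the synced service account signing in from an unknown address after two failures, and the two VMs whose inbound rules reach 3389 from any source (one via a wildcard protocol and a port range, which a naive string comparison on "3389" would miss). In practice the egress list would come from the organization's own inventory and the records from the tenant's sign-in and network configuration exports.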