🌀

Volt Typhoon

Aliases

Insidious Taurus (PA)

Tags

State-Sponsored

Attribution

🇨🇳

References

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038ahttps://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/

Last edited

Aug 25, 2024 7:46 AM

Status

Stub

Cloud-fluent

According to CISA, Volt Typhoon actors may have attempted to move laterally from on-premises to a cloud environment in at least one case, but attribution was inconclusive. Investigation revealed anomalous login attempts to an Azure tenant potentially using credentials previously compromised from theft of NTDS.dit. These attempts, coupled with misconfigured virtual machines with open RDP ports, suggested a potential for cloud-based lateral movement.