Volt Typhoon is not a typical espionage group; they are a 'pre-positioning' actor. By 'Living off the Land' and avoiding custom malware, they have successfully burrowed into critical infrastructure to prepare for future sabotage. This report breaks down their latest campaigns in Australia and the US and provides actionable hunting queries for defenders.
In recent years, we have seen a deeply concerning evolution in Chinese targeting of US critical infrastructure. In particular, we have seen Chinese actors, including Volt Typhoon, burrowing deep into our critical infrastructure to enable destructive attacks in the event of a major crisis or conflict. [1]
Microsoft has uncovered stealthy and targeted malicious activity focused on post-compromise credential access and network system discovery aimed at critical infrastructure organizations in the United States. The attack is carried out by Volt Typhoon, a state-sponsored actor based in China that typically focuses on espionage and information gathering. [2]
Microsoft assesses with high confidence that these activities are intended to enable future disruptive attacks.
Campaigns
| Campaign Target | Date | Key Technique / TTP | Strategic Objective | Reference Source |
|---|---|---|---|---|
| Australia Critical Infrastructure | Nov 2025 | T1190: Exploit Public-Facing Application (Telecom/Water sectors) | Pre-positioning for regional sabotage and disruption of essential services. | ASIO Intelligence Briefing |
| US Navy & Guam Logistics | 2023–2025 | T1078: Valid Accounts (Military & Satellite networks) | Intelligence gathering to slow military mobilisation during regional crises. | Microsoft Threat Intelligence |
| US Electric Grid (LELWD) | 2023 (300+ days) | T1003: OS Credential Dumping (OT system configurations) | Mapping physical and spatial layouts (GIS) of power grids for future destructive attacks. | Dragos / SecurityWeek |
MITRE ATT&CK Mapping
| Tactic | Technique ID | Technique Name | Observation/Evidence |
|---|---|---|---|
| Discovery | T1087.001 | Account Discovery: Local Account | Spyware Trojan used to collect account information from the victim's machine. |
| Resource Development | T1583.003 | Acquire Infrastructure: Virtual Private Server | KV Botnet activity used acquired Virtual Private Servers as control systems for devices infected with KV Botnet malware. |
| Discovery | T1010 | Application Window Discovery | Versa Director zero-day exploitation established HTTPS communications from adversary-controlled SOHO devices over port 443 with compromised Versa Director servers. |
| Discovery | T1217 | Browser Information Discovery | Has targeted the browsing history of network administrators. |
ATT&CK Navigator Heat Map
Defender's Recommendations
Harden the Edge (Initial Access)
- Volt Typhoon’s primary entry point is the exploitation of vulnerabilities in internet-facing edge devices (VPNs, firewalls, and routers).
- Vulnerability Management: Prioritize immediate patching of edge devices, specifically looking for CVEs in Ivanti Connect Secure, Fortinet FortiGate, and Citrix NetScaler.
- Attack Surface Reduction: Disable unnecessary services on edge devices (like web management interfaces) and restrict access to management ports to specific, trusted IP addresses via Access Control Lists (ACLs).
Monitor "Living off the Land" (Execution & Evasion)
- Because this group rarely uses custom malware, traditional antivirus often fails. They use legitimate system tools (netsh, wmic, powershell) to move through the network.
- Enhanced Logging: Enable Advanced Audit Policy Configuration to capture Command Line Arguments (Event ID 4688). Use a SIEM to alert on suspicious command strings, such as netsh interface portproxy (used for tunneling) or vssadmin delete shadows (used to clear footprints).
- PowerShell Security: Implement Constrained Language Mode and enable Script Block Logging (Event ID 4104) to detect obfuscated scripts used during the execution phase.
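The alerting described above, as an added example that is not part of the original report: a small detector that walks Event ID 4688 records and flags the command strings called out in this section (netsh portproxy, vssadmin shadow deletion) plus a WMI remote process creation pattern. The event records, host names and user names are constructed for the example; a real deployment would read the same fields from a SIEM export.

```python
import re

# Constructed sample records in the shape of Windows Security Event ID 4688
# (process creation) with command-line auditing enabled. Not real telemetry;
# host and user names are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "WS-FIN-07", "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh interface portproxy add v4tov4 listenport=9999 "
                    "listenaddress=0.0.0.0 connectport=3389 connectaddress=10.20.0.15"},
    {"EventID": 4688, "Computer": "WS-FIN-07", "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"EventID": 4688, "Computer": "WS-HR-02", "SubjectUserName": "jsmith",
     "NewProcessName": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh wlan show profiles"},          # benign netsh use, must not alert
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "admin.t0",
     "NewProcessName": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic /node:FILESRV01 process call create "cmd.exe /c whoami"'},
    {"EventID": 4624, "Computer": "DC01", "SubjectUserName": "jsmith",
     "CommandLine": ""},                                   # logon event, not process creation
]

# Detection rules: (rule name, compiled regex applied to the command line, analyst note).
# Regexes are case-insensitive and tolerant of extra arguments between keywords.
RULES = [
    ("netsh_portproxy",
     re.compile(r"\bnetsh(\.exe)?\b.*\binterface\b.*\bportproxy\b", re.I),
     "port forwarding / internal tunnel (ATT&CK T1090.001)"),
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
     "shadow copy deletion, clears recovery points and forensic artefacts (ATT&CK T1490)"),
    ("wmic_remote_process",
     re.compile(r"\bwmic(\.exe)?\b.*/node:.*\bprocess\b.*\bcall\b.*\bcreate\b", re.I),
     "remote process creation over WMI from a built-in tool"),
]


def scan_events(events):
    """Return one alert dict per (event, rule) match, in input order."""
    alerts = []
    for ev in events:
        # Only process-creation events carry a command line worth matching.
        if ev.get("EventID") != 4688:
            continue
        cmd = ev.get("CommandLine") or ""
        for name, pattern, note in RULES:
            if pattern.search(cmd):
                alerts.append({
                    "rule": name,
                    "note": note,
                    "computer": ev.get("Computer"),
                    "user": ev.get("SubjectUserName"),
                    "command_line": cmd,
                })
    return alerts


def hosts_with_multiple_rules(alerts):
    """Hosts that tripped more than one distinct rule; a cheap way to rank triage."""
    seen = {}
    for a in alerts:
        seen.setdefault(a["computer"], set()).add(a["rule"])
    return sorted(h for h, rules in seen.items() if len(rules) > 1)


if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS):
        print(f'{a["computer"]:<10} {a["user"]:<12} {a["rule"]:<26} {a["command_line"]}')
    print("hosts with multiple rule hits:", hosts_with_multiple_rules(scan_events(SAMPLE_EVENTS)))
```

Note that 4688 only carries the command line when, in addition to "Audit Process Creation", the policy "Include command line in process creation events" is enabled; without it the CommandLine field is empty and every rule above is blind. The benign `netsh wlan show profiles` record is included deliberately to show that matching on the tool name alone would be far too noisy.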
Secure Identity and Credentials (Lateral Movement)
- Once inside, Volt Typhoon attempts to blend in by using valid administrative credentials.
- Phishing-Resistant MFA: Move beyond SMS or push-based MFA to hardware-bound keys (FIDO2). Volt Typhoon has demonstrated the ability to bypass simpler MFA methods through session token theft.
- Tiered Administration: Implement a "Tiered Admin Model" where Domain Admin credentials are never used to log into lower-security workstations. This prevents the group from dumping high-privilege credentials from memory using techniques like OS Credential Dumping (T1003).
Network Egress & SOHO Monitoring (Command & Control)
- A hallmark of Volt Typhoon is their "KV Botnet"—a network of compromised SOHO (Small Office/Home Office) routers used to proxy their traffic and hide their true origin.
- Geoblocking & ISP Filtering: While difficult, monitor for unusual outbound traffic to residential IP ranges or ISPs not typically associated with your business partners.
- Beaconing Detection: Use Network Traffic Analysis (NTA) tools to look for consistent, low-volume "heartbeat" connections to external IPs, which may indicate a compromised internal host communicating with a proxy node.
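The two checks in this section, egress to residential address space and low-volume heartbeat connections, as an added example that is not part of the original report. It groups flow records by source/destination pair, measures how regular the inter-connection intervals are (coefficient of variation of the gaps), and tags any regular talker whose destination falls in a residential-ISP prefix. The flow records and the "residential" prefix list are constructed for the example; the latter uses TEST-NET documentation ranges as placeholders where a real deployment would use ISP/ASN enrichment data.

```python
import ipaddress
import statistics
from collections import defaultdict

# Constructed placeholder for "residential ISP" space. Documentation (TEST-NET)
# ranges stand in for what would normally come from an ASN/ISP enrichment feed.
RESIDENTIAL_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


def _make_flows():
    """Build constructed flow records: (epoch_seconds, src_ip, dst_ip, bytes_out)."""
    base = 1_700_000_000
    flows = []
    # Constructed heartbeat: one host reaching one external address every ~10 minutes
    # with a few seconds of jitter and a near-constant, small payload.
    for i, jitter in enumerate([0, 3, -2, 1, 4, -3, 2, 0, -1, 3]):
        flows.append((base + i * 600 + jitter, "10.1.2.3", "203.0.113.7", 412))
    # Constructed ordinary browsing to a non-residential address: bursty timing,
    # wildly varying sizes. Same connection count order of magnitude, very different shape.
    for offset, size in [(0, 52000), (45, 1200), (3000, 880000), (3100, 7000),
                         (9000, 15000), (20000, 43000), (20010, 2100)]:
        flows.append((base + offset, "10.1.2.9", "198.51.100.20", size))
    return sorted(flows)


FLOWS = _make_flows()


def is_residential(ip):
    """True if the address sits inside any configured residential prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RESIDENTIAL_PREFIXES)


def find_beacons(flows, min_connections=6, max_cv=0.2):
    """Return pairs whose connection timing is regular enough to look like a heartbeat.

    cv = population stdev / mean of the inter-connection intervals. A tight schedule
    gives a cv near 0; human-driven traffic is typically well above 1.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))

    findings = []
    for (src, dst), recs in by_pair.items():
        if len(recs) < min_connections:
            continue                      # too few samples to judge regularity
        recs.sort()
        intervals = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        mean_iv = statistics.mean(intervals)
        if mean_iv <= 0:
            continue                      # duplicate timestamps, not a schedule
        cv = statistics.pstdev(intervals) / mean_iv
        if cv > max_cv:
            continue
        findings.append({
            "src": src,
            "dst": dst,
            "count": len(recs),
            "mean_interval_s": round(mean_iv, 1),
            "cv": round(cv, 4),
            "mean_bytes": round(statistics.mean(n for _, n in recs)),
            "residential": is_residential(dst),
        })
    # Residential destinations first, then the most regular schedules.
    findings.sort(key=lambda f: (not f["residential"], f["cv"]))
    return findings


if __name__ == "__main__":
    for f in find_beacons(FLOWS):
        flag = "RESIDENTIAL" if f["residential"] else ""
        print(f'{f["src"]} -> {f["dst"]}: {f["count"]} conns, every ~{f["mean_interval_s"]}s, '
              f'cv={f["cv"]}, ~{f["mean_bytes"]} B each {flag}')
```

The thresholds are starting points, not verdicts: scheduled software updates and monitoring agents also beacon, so a result should be triaged on destination reputation, process attribution on the source host, and whether the destination is something a business partner would plausibly operate. Lowering `max_cv` or raising `min_connections` trades missed jittered beacons for fewer false positives.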
Blast Radius Limitation (Impact)
- Network Segmentation: Ensure that critical infrastructure (OT/ICS) and sensitive data environments are segmented from the general corporate network. Volt Typhoon specifically targets "low-hanging fruit" in corporate environments to eventually pivot into critical systems.
Technical Assets:
To assist defenders in prioritizing their detection strategies, I have mapped these behaviours to the MITRE ATT&CK Framework. You can access the interactive heatmap and raw JSON code below: