Description
[Volt Typhoon](https://attack.mitre.org/groups/G1017) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021, primarily targeting critical infrastructure organizations in the US and its territories, including Guam. [Volt Typhoon](https://attack.mitre.org/groups/G1017)'s targeting and pattern of behavior have been assessed as pre-positioning to enable lateral movement to operational technology (OT) assets for potential destructive or disruptive attacks. [Volt Typhoon](https://attack.mitre.org/groups/G1017) has emphasized stealth in its operations, relying on web shells, living-off-the-land (LOTL) binaries, hands-on-keyboard activity, and stolen credentials.(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024)(Citation: Microsoft Volt Typhoon May 2023)(Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023)(Citation: Secureworks BRONZE SILHOUETTE May 2023)
Techniques Used (TTPs)
- T1046 — Network Service Discovery (discovery)
- T1083 — File and Directory Discovery (discovery)
- T1591.004 — Identify Roles (reconnaissance)
- T1057 — Process Discovery (discovery)
- T1021.001 — Remote Desktop Protocol (lateral-movement)
- T1584.004 — Server (resource-development)
- T1090 — Proxy (command-and-control)
- T1518 — Software Discovery (discovery)
- T1078 — Valid Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
- T1584.008 — Network Devices (resource-development)
- T1056.001 — Keylogging (collection, credential-access)
- T1036.005 — Match Legitimate Resource Name or Location (defense-evasion)
- T1036.008 — Masquerade File Type (defense-evasion)
- T1059.003 — Windows Command Shell (execution)
- T1190 — Exploit Public-Facing Application (initial-access)
- T1555 — Credentials from Password Stores (credential-access)
- T1074 — Data Staged (collection)
- T1070.001 — Clear Windows Event Logs (defense-evasion)
- T1590 — Gather Victim Network Information (reconnaissance)
- T1560.001 — Archive via Utility (collection)
- T1124 — System Time Discovery (discovery)
- T1069.002 — Domain Groups (discovery)
- T1016 — System Network Configuration Discovery (discovery)
- T1018 — Remote System Discovery (discovery)
- T1047 — Windows Management Instrumentation (execution)
- T1133 — External Remote Services (persistence, initial-access)
- T1570 — Lateral Tool Transfer (lateral-movement)
- T1593 — Search Open Websites/Domains (reconnaissance)
- T1082 — System Information Discovery (discovery)
- T1589.002 — Email Addresses (reconnaissance)
- T1497.001 — System Checks (defense-evasion, discovery)
- T1003.003 — NTDS (credential-access)
- T1027.002 — Software Packing (defense-evasion)
- T1573.001 — Symmetric Cryptography (command-and-control)
- T1003.001 — LSASS Memory (credential-access)
- T1584.005 — Botnet (resource-development)
- T1592 — Gather Victim Host Information (reconnaissance)
- T1049 — System Network Connections Discovery (discovery)
- T1087.001 — Local Account (discovery)
- T1217 — Browser Information Discovery (discovery)
- T1059.001 — PowerShell (execution)
- T1654 — Log Enumeration (discovery)
- T1068 — Exploitation for Privilege Escalation (privilege-escalation)
- T1113 — Screen Capture (collection)
- T1090.001 — Internal Proxy (command-and-control)
- T1587.004 — Exploits (resource-development)
- T1090.003 — Multi-hop Proxy (command-and-control)
- T1594 — Search Victim-Owned Websites (reconnaissance)
- T1033 — System Owner/User Discovery (discovery)
- T1112 — Modify Registry (defense-evasion, persistence)
- T1505.003 — Web Shell (persistence)
- T1218 — System Binary Proxy Execution (defense-evasion)
- T1059.004 — Unix Shell (execution)
- T1007 — System Service Discovery (discovery)
- T1069 — Permission Groups Discovery (discovery)
- T1584.003 — Virtual Private Server (resource-development)
- T1555.003 — Credentials from Web Browsers (credential-access)
- T1591 — Gather Victim Org Information (reconnaissance)
- T1590.004 — Network Topology (reconnaissance)
- T1010 — Application Window Discovery (discovery)
- T1069.001 — Local Groups (discovery)
- T1120 — Peripheral Device Discovery (discovery)
- T1070.004 — File Deletion (defense-evasion)
- T1588.006 — Vulnerabilities (resource-development)
- T1105 — Ingress Tool Transfer (command-and-control)
- T1552 — Unsecured Credentials (credential-access)
- T1078.002 — Domain Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
- T1005 — Data from Local System (collection)
- T1006 — Direct Volume Access (defense-evasion)
- T1012 — Query Registry (discovery)
- T1589 — Gather Victim Identity Information (reconnaissance)
- T1588.002 — Tool (resource-development)
- T1596.005 — Scan Databases (reconnaissance)
- T1087.002 — Domain Account (discovery)
- T1614 — System Location Discovery (discovery)
- T1070.007 — Clear Network Connection History and Configurations (defense-evasion)
- T1016.001 — Internet Connection Discovery (discovery)
- T1552.004 — Private Keys (credential-access)
- T1074.001 — Local Data Staging (collection)
- T1590.006 — Network Security Appliances (reconnaissance)
Total TTPs: 80
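The description and technique list above give the actor's pattern but not how a defender would spot it. Each LOTL command on its own (a shadow copy, an `ntdsutil` export, a `netsh portproxy` rule, a cleared event log) is also routine administration, so the useful signal is several listed techniques from different tactics on one host within a short window. The following is an added example, not code from the ATT&CK page or from any Volt Typhoon reporting: the command-line patterns it maps to technique IDs are this example's own assumptions about which built-in Windows binaries implement T1069.002, T1047, T1006, T1003.003, T1090.001 and T1070.001, and the process-creation events it runs over are constructed.

```python
"""Correlate LOTL process-creation events into per-host technique chains.

Added example, not from the ATT&CK page. The pattern-to-technique mapping
and the sample telemetry are assumptions constructed for this example.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed mapping (this example's own) from command-line patterns for
# built-in Windows binaries to technique IDs in the list above.
LOTL_PATTERNS = [
    (re.compile(r"\bnet1?\s+group\b.*/domain\b", re.I), "T1069.002", "discovery"),
    (re.compile(r"\bwmic\b.*(/node:|process\s+call\s+create)", re.I), "T1047", "execution"),
    (re.compile(r"\bvssadmin\b.*\bcreate\s+shadow\b", re.I), "T1006", "defense-evasion"),
    (re.compile(r"\bntdsutil\b.*\bifm\b", re.I), "T1003.003", "credential-access"),
    (re.compile(r"\bnetsh\b.*\bportproxy\b.*\badd\b", re.I), "T1090.001", "command-and-control"),
    (re.compile(r"\bwevtutil\b\s+(cl|clear-log)\b", re.I), "T1070.001", "defense-evasion"),
]

# Constructed process-creation events (JSON lines), not real telemetry.
# DC01 shows a chain of six techniques in ~30 minutes; WS07 shows two
# routine admin commands hours apart; BK01 shows one backup shadow copy.
SAMPLE_LOG = r"""
{"ts": "2024-01-15T02:10:00", "host": "DC01", "user": "CORP\\svc_backup", "cmd": "cmd.exe /c net group \"Domain Admins\" /domain"}
{"ts": "2024-01-15T02:14:00", "host": "DC01", "user": "CORP\\svc_backup", "cmd": "vssadmin create shadow /for=C:"}
{"ts": "2024-01-15T02:15:30", "host": "DC01", "user": "CORP\\svc_backup", "cmd": "ntdsutil.exe \"ac i ntds\" ifm \"create full C:\\Windows\\Temp\\pro\" q q"}
{"ts": "2024-01-15T02:20:00", "host": "DC01", "user": "CORP\\svc_backup", "cmd": "wmic /node:FS02 process call create \"cmd.exe /c net user\""}
{"ts": "2024-01-15T02:40:00", "host": "DC01", "user": "CORP\\svc_backup", "cmd": "netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.10.5.20 connectport=8443"}
{"ts": "2024-01-15T02:41:00", "host": "DC01", "user": "CORP\\svc_backup", "cmd": "wevtutil cl System"}
{"ts": "2024-01-15T09:00:00", "host": "WS07", "user": "CORP\\jsmith", "cmd": "net group \"Domain Admins\" /domain"}
{"ts": "2024-01-15T09:05:00", "host": "WS07", "user": "CORP\\jsmith", "cmd": "notepad.exe C:\\Users\\jsmith\\notes.txt"}
{"ts": "2024-01-15T17:30:00", "host": "WS07", "user": "CORP\\jsmith", "cmd": "wevtutil cl Application"}
{"ts": "2024-01-15T01:00:00", "host": "BK01", "user": "CORP\\svc_backup", "cmd": "vssadmin create shadow /for=D:"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into dicts whose 'ts' is a datetime."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def classify(cmd):
    """Return the (technique, tactic) pairs whose pattern matches a command line."""
    return [(tid, tactic) for rx, tid, tactic in LOTL_PATTERNS if rx.search(cmd)]


def correlate(events, window_hours=1, min_tactics=3):
    """Flag hosts where hits covering >= min_tactics distinct tactics fall in one window.

    A single LOTL command is routine administration; the signal is the chain.
    Returns {host: {"techniques": [...], "tactics": [...], "start": dt, "end": dt}}
    for flagged hosts only, keeping the densest window per host.
    """
    window = timedelta(hours=window_hours)
    hits = defaultdict(list)  # host -> [(ts, technique, tactic)]
    for ev in events:
        for tid, tactic in classify(ev["cmd"]):
            hits[ev["host"]].append((ev["ts"], tid, tactic))

    findings = {}
    for host, rows in hits.items():
        rows.sort()
        best = None
        for i, (start, _, _) in enumerate(rows):
            in_window = [r for r in rows[i:] if r[0] - start <= window]
            tactics = {r[2] for r in in_window}
            if len(tactics) >= min_tactics and (best is None or len(tactics) > len(best[1])):
                best = (in_window, tactics)
        if best:
            in_window, tactics = best
            findings[host] = {
                "techniques": sorted({r[1] for r in in_window}),
                "tactics": sorted(tactics),
                "start": in_window[0][0],
                "end": in_window[-1][0],
            }
    return findings


def run_sample():
    """Run the rule over the constructed telemetry with default thresholds."""
    return correlate(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for host, f in run_sample().items():
        print(f"{host}: {f['start']:%H:%M}-{f['end']:%H:%M} "
              f"{', '.join(f['tactics'])} -> {', '.join(f['techniques'])}")
```

Run it as a script to print the flagged hosts. With the constructed events only DC01 is flagged: WS07's two hits are hours apart and BK01 has a single shadow-copy creation, so neither reaches the threshold even though each command individually matches a pattern. Tune `window_hours` and `min_tactics` against your own baseline of administrative activity; the point of the rule is that no single LOTL pattern is an alert.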