15 February 2024

Chinese Volt Typhoon cyberspies target US electric companies, emergency management services

A China-linked, state-backed threat actor has been targeting US critical infrastructure, including multiple electric companies, emergency management services, telecommunications providers, satellite services, and the defense industrial base, since early 2023, according to a new report from industrial cybersecurity firm Dragos.

Volt Typhoon, which Dragos tracks as VOLTZITE, employs various techniques to gain access to targeted organizations' networks.

To gain initial access, the group compromises external perimeter applications and assets such as SOHO routers and VPN gateways (Fortinet FortiGuard, PRTG Network Monitor appliances, FatePipe WARP, Ivanti Connect Secure VPN, Cisco ASA, and ManageEngine ADSelfService Plus). Once inside the target's network, the attackers rely on living-off-the-land (LOTL) techniques and stolen credentials to move through it, which keeps their activity blended in with normal administrative traffic.

One of the methods employed by Volt Typhoon involves stealing credentials for lateral movement within the network. The group uses built-in tools such as csvde.exe to import and export data from Active Directory Domain Services, and extracts the NTDS.dit Active Directory database from domain controllers via volume shadow copies, which sidesteps the lock the running directory service holds on the live file. NTDS.dit holds the password hashes for every domain account, which an adversary can crack offline or use directly to authenticate as those users and gain deeper access to the network.

Once Volt Typhoon has a foothold and deploys a web shell, its typical next step is to get its bearings in the environment with Windows native tools such as 'whoami' or 'tasklist', run from the web server process the shell lives in.
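The credential-theft and reconnaissance behaviour described in the two paragraphs above (csvde.exe exports, NTDS.dit copied out of a volume shadow copy, whoami/tasklist spawned under a web shell) is exactly the kind of living-off-the-land activity a detection engineer writes process-creation rules for. The following is an added example written for this article, not code from Dragos, the original page, or any vendor's detection content: a small Python detector run over constructed Sysmon-style process-creation events. The flattened event format, the sample command lines, and the parent/child lists are assumptions for illustration; real telemetry would come from Sysmon Event ID 1 or Security Event 4688, and the shadow-copy rule in particular needs tuning against backup software that legitimately creates shadow copies.

```python
from __future__ import annotations

import re
from typing import Callable

# Constructed Sysmon-style process-creation events (Event ID 1), flattened to one
# "key=value|key=value" line each. These are illustrative samples written for this
# example, not telemetry from the Dragos report. Assumption: no field value contains "|".
SAMPLE_EVENTS = [
    # post-web-shell recon: the IIS worker process spawns whoami / tasklist
    r"Image=C:\Windows\System32\whoami.exe|ParentImage=C:\Windows\System32\inetsrv\w3wp.exe|CommandLine=whoami /all",
    r"Image=C:\Windows\System32\tasklist.exe|ParentImage=C:\Windows\System32\inetsrv\w3wp.exe|CommandLine=tasklist /v",
    # Active Directory data export with csvde.exe
    r"Image=C:\Windows\System32\csvde.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=csvde -f C:\Windows\Temp\ad.csv",
    # NTDS.dit extraction via a volume shadow copy: create the snapshot, then copy the file out of it
    r"Image=C:\Windows\System32\vssadmin.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=vssadmin create shadow /for=C:",
    r"Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Windows\Temp\n.dit",
    # benign activity that must not alert: a user running tasklist, a service listing shadows
    r"Image=C:\Windows\System32\tasklist.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=tasklist",
    r"Image=C:\Windows\System32\vssadmin.exe|ParentImage=C:\Windows\System32\services.exe|CommandLine=vssadmin list shadows",
]

# Processes that host web shells (assumed list) and the native recon tools the article names.
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd.exe", "tomcat.exe", "java.exe", "php-cgi.exe"}
RECON_TOOLS = {"whoami.exe", "tasklist.exe", "net.exe", "net1.exe", "ipconfig.exe",
               "systeminfo.exe", "netstat.exe", "quser.exe"}


def parse_event(line: str) -> dict[str, str]:
    """Split a flattened 'k=v|k=v' event into a dict. partition() splits on the first
    '=' only, so values such as '/for=C:' inside CommandLine survive intact."""
    fields: dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path; comparisons are case-insensitive."""
    return path.rsplit("\\", 1)[-1].lower()


# Each rule is (name, predicate over a parsed event). Command-line matching is
# case-insensitive because the same tools are typed in any case on Windows.
RULES: list[tuple[str, Callable[[dict[str, str]], bool]]] = [
    ("webshell_recon", lambda e: basename(e["ParentImage"]) in WEB_SERVER_PARENTS
                                 and basename(e["Image"]) in RECON_TOOLS),
    # -f names the CSV file for both export and import; either direction is of interest
    ("csvde_ad_export", lambda e: basename(e["Image"]) == "csvde.exe"
                                  and re.search(r"(^|\s)-f\b", e["CommandLine"], re.I) is not None),
    ("vss_shadow_create", lambda e: basename(e["Image"]) == "vssadmin.exe"
                                    and re.search(r"\bcreate\s+shadow\b", e["CommandLine"], re.I) is not None),
    # ntdsutil's "ifm" media creation is the other common way to get a consistent NTDS.dit copy
    ("ntdsutil_ifm", lambda e: basename(e["Image"]) == "ntdsutil.exe"
                               and re.search(r"\bifm\b", e["CommandLine"], re.I) is not None),
    ("ntds_dit_from_shadow", lambda e: "ntds.dit" in e["CommandLine"].lower()
                                       and "harddiskvolumeshadowcopy" in e["CommandLine"].lower()),
]


def detect(events: list[str]) -> list[dict[str, str]]:
    """Run every rule over every event and return one hit per (rule, event) pair."""
    hits: list[dict[str, str]] = []
    for line in events:
        ev = parse_event(line)
        for key in ("Image", "ParentImage", "CommandLine"):
            ev.setdefault(key, "")  # tolerate partial events instead of raising
        for name, predicate in RULES:
            if predicate(ev):
                hits.append({"rule": name, "image": basename(ev["Image"]), "cmd": ev["CommandLine"]})
    return hits


def summarize(events: list[str]) -> dict[str, int]:
    """Count hits per rule; handy for a quick triage view of a log batch."""
    counts: dict[str, int] = {}
    for hit in detect(events):
        counts[hit["rule"]] = counts.get(hit["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"[{hit['rule']}] {hit['image']}: {hit['cmd']}")
```

Run against the constructed sample, the detector flags the two recon commands spawned by w3wp.exe, the csvde export, the shadow-copy creation and the ntds.dit copy, and stays quiet on the user's plain `tasklist` and on `vssadmin list shadows` from services.exe. The two shadow-copy rules are the ones that need the most local tuning: backup agents create shadows legitimately, so in production they are usually scoped to domain controllers and to parents that are not the backup service.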

“To date, Dragos has only observed VOLTZITE operations achieving Stage 1 of the ICS Cyber Kill Chain. They have not yet displayed actions or capabilities designed to disrupt, degrade, or destroy ICS/OT assets or operations. However, their persistent targeting of critical infrastructure entities and observed capabilities could result in aiding the development of an ICS-capable disruption tool,” the company said.

While Volt Typhoon has been observed since early 2023, there are indications that the group may have been active as far back as 2021, with potential overlaps with another threat group Dragos tracks as Kostovite, which has targeted the industrial sector in North America and Australia. That group in turn overlaps with UNC2630, a Chinese-speaking cyber threat group, and is associated with 12 malware families.

Earlier this month, the FBI and US Department of Justice took down the KV Botnet operated by Volt Typhoon, which had compromised hundreds of US-based routers used by small businesses and home offices.

The law enforcement operation deleted the KV Botnet malware from the routers and severed their connection to the botnet, blocking communications with the other devices used to control it. Since the takedown, Volt Typhoon has been attempting to rebuild its command and control (C2) infrastructure and return the botnet to working order, so far without success.

US cyber defense agencies (CISA, NSA and the FBI) warned last week that Chinese government-backed hackers have maintained access to critical infrastructure networks within the United States for at least the past five years, positioning themselves to launch disruptive or destructive cyberattacks.
