{ "Event": { "analysis": "1", "date": "2023-05-25", "extends_uuid": "", "info": "Volt Typhoon targets US critical infrastructure with living-off-the-land techniques", "publish_timestamp": "1685018040", "published": true, "threat_level_id": "1", "timestamp": "1685017968", "uuid": "99f9138a-c8f8-44aa-9a0c-3736d74c2df3", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#004646", "local": "0", "name": "type:OSINT", "relationship_type": "" }, { "colour": "#0071c3", "local": "0", "name": "osint:lifetime=\"perpetual\"", "relationship_type": "" }, { "colour": "#ffffff", "local": "0", "name": "tlp:white", "relationship_type": "" }, { "colour": "#ffffff", "local": "0", "name": "tlp:clear", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:threat-actor=\"Volt Typhoon\"", "relationship_type": "attributed-to" }, { "colour": "#80ff00", "local": "0", "name": "PAP:WHITE", "relationship_type": "" }, { "colour": "#0029ff", "local": "0", "name": "estimative-language:confidence-in-analytic-judgment=\"high\"", "relationship_type": "" }, { "colour": "#001fc2", "local": "0", "name": "estimative-language:likelihood-probability=\"almost-certain\"", "relationship_type": "" } ], "Attribute": [ { "category": "Payload delivery", "comment": "Volt Typhoon custom FRP executable", "deleted": false, "disable_correlation": false, "timestamp": "1685017075", "to_ids": true, "type": "sha256", "uuid": "caf478de-2028-433d-9e82-baffa008a725", "value": "baeffeb5fdef2f42a752c65c2d2a52e84fb57efc906d981f89dd518c314e231c" }, { "category": "Payload delivery", "comment": "Volt Typhoon custom FRP executable", "deleted": false, "disable_correlation": false, "timestamp": "1685017075", "to_ids": true, "type": "sha256", "uuid": "5820d57a-36dd-41a2-8929-7b65c7a31e10", "value": "b4f7c5e3f14fb57be8b5f020377b993618b6e3532a4e1eb1eae9976d4130cc74" }, { "category": "Payload delivery", "comment": "Volt Typhoon custom FRP executable", 
"deleted": false, "disable_correlation": false, "timestamp": "1685017075", "to_ids": true, "type": "sha256", "uuid": "5e85498a-ab77-4bdd-9c4d-c487af7f3a9d", "value": "4b0c4170601d6e922cf23b1caf096bba2fade3dfcf92f0ab895a5f0b9a310349" }, { "category": "Payload delivery", "comment": "Volt Typhoon custom FRP executable", "deleted": false, "disable_correlation": false, "timestamp": "1685017075", "to_ids": true, "type": "sha256", "uuid": "79b36e41-5afa-45a8-819f-8ce14a244e63", "value": "c0fc29a52ec3202f71f6378d9f7f9a8a3a10eb19acb8765152d758aded98c76d" }, { "category": "Payload delivery", "comment": "Volt Typhoon custom FRP executable", "deleted": false, "disable_correlation": false, "timestamp": "1685017075", "to_ids": true, "type": "sha256", "uuid": "5d815c89-d033-4f51-adc7-54a7e6bb767c", "value": "d6ab36cb58c6c8c3527e788fc9239d8dcc97468b6999cf9ccd8a815c8b4a80af" }, { "category": "Payload delivery", "comment": "Volt Typhoon custom FRP executable", "deleted": false, "disable_correlation": false, "timestamp": "1685017075", "to_ids": true, "type": "sha256", "uuid": "3799a251-c70f-4bff-b5f2-d6d70365405b", "value": "9dd101caee49c692e5df193b236f8d52a07a2030eed9bd858ed3aaccb406401a" }, { "category": "Payload delivery", "comment": "Volt Typhoon custom FRP executable", "deleted": false, "disable_correlation": false, "timestamp": "1685017075", "to_ids": true, "type": "sha256", "uuid": "c20e9eea-5efe-4f45-9e12-49172ece7ae7", "value": "450437d49a7e5530c6fb04df2e56c3ab1553ada3712fab02bd1eeb1f1adbc267" }, { "category": "Payload delivery", "comment": "Volt Typhoon custom FRP executable", "deleted": false, "disable_correlation": false, "timestamp": "1685017075", "to_ids": true, "type": "sha256", "uuid": "d97b0251-de30-47ca-9083-f28825d74fb1", "value": "93ce3b6d2a18829c0212542751b309dacbdc8c1d950611efe2319aa715f3a066" }, { "category": "Payload delivery", "comment": "Volt Typhoon custom FRP executable", "deleted": false, "disable_correlation": false, "timestamp": "1685017075", "to_ids": 
true, "type": "sha256", "uuid": "76525562-d372-4a11-bf7a-7fde13ffcad9", "value": "7939f67375e6b14dfa45ec70356e91823d12f28bbd84278992b99e0d2c12ace5" }, { "category": "Payload delivery", "comment": "Volt Typhoon custom FRP executable", "deleted": false, "disable_correlation": false, "timestamp": "1685017075", "to_ids": true, "type": "sha256", "uuid": "41051bd7-dcd4-4d71-b6bc-86a319471ddc", "value": "389a497f27e1dd7484325e8e02bbdf656d53d5cf2601514e9b8d8974befddf61" }, { "category": "Payload delivery", "comment": "Volt Typhoon custom FRP executable", "deleted": false, "disable_correlation": false, "timestamp": "1685017075", "to_ids": true, "type": "sha256", "uuid": "201ac5e2-5f71-4e98-b0d8-3553e0046ba8", "value": "c4b185dbca490a7f93bc96eefb9a597684fdf532d5a04aa4d9b4d4b1552c283b" }, { "category": "Payload delivery", "comment": "Volt Typhoon custom FRP executable", "deleted": false, "disable_correlation": false, "timestamp": "1685017075", "to_ids": true, "type": "sha256", "uuid": "a49bdd1d-7b9a-43f1-910d-95dd5959897d", "value": "e453e6efc5a002709057d8648dbe9998a49b9a12291dee390bb61c98a58b6e95" }, { "category": "Payload delivery", "comment": "Volt Typhoon custom FRP executable", "deleted": false, "disable_correlation": false, "timestamp": "1685017075", "to_ids": true, "type": "sha256", "uuid": "b276b34a-445e-4911-8ada-7c1fbd4e4136", "value": "6036390a2c81301a23c9452288e39cb34e577483d121711b6ba6230b29a3c9ff" }, { "category": "Payload delivery", "comment": "Volt Typhoon custom FRP executable", "deleted": false, "disable_correlation": false, "timestamp": "1685017075", "to_ids": true, "type": "sha256", "uuid": "6743cc38-1969-4f62-94ed-8906f9ecd92c", "value": "cd69e8a25a07318b153e01bba74a1ae60f8fc28eb3d56078f448461400baa984" }, { "category": "Payload delivery", "comment": "Volt Typhoon custom FRP executable", "deleted": false, "disable_correlation": false, "timestamp": "1685017075", "to_ids": true, "type": "sha256", "uuid": "03a7a6f0-65e5-4f7a-b51b-ce5e11be512a", "value": 
"17506c2246551d401c43726bdaec800f8d41595d01311cf38a19140ad32da2f4" }, { "category": "Payload delivery", "comment": "Volt Typhoon custom FRP executable", "deleted": false, "disable_correlation": false, "timestamp": "1685017075", "to_ids": true, "type": "sha256", "uuid": "5fac7348-c968-4830-a13c-1e1d8f5823fb", "value": "8fa3e8fdbaa6ab5a9c44720de4514f19182adc0c9c6001c19cf159b79c0ae9c2" }, { "category": "Payload delivery", "comment": "Volt Typhoon custom FRP executable", "deleted": false, "disable_correlation": false, "timestamp": "1685017075", "to_ids": true, "type": "sha256", "uuid": "515a8a8b-997a-4a03-830a-ff8dc7b70305", "value": "d17317e1d5716b09cee904b8463a203dc6900d78ee2053276cc948e4f41c8295" }, { "category": "Payload delivery", "comment": "Volt Typhoon custom FRP executable", "deleted": false, "disable_correlation": false, "timestamp": "1685017075", "to_ids": true, "type": "sha256", "uuid": "e5c82077-9dab-4ccb-a7f1-81d0ce0f5265", "value": "472ccfb865c81704562ea95870f60c08ef00bcd2ca1d7f09352398c05be5d05d" }, { "category": "Payload delivery", "comment": "Volt Typhoon custom FRP executable", "deleted": false, "disable_correlation": false, "timestamp": "1685017075", "to_ids": true, "type": "sha256", "uuid": "9e7c0a43-90e2-44d9-aa08-0e767079a8e1", "value": "3e9fc13fab3f8d8120bd01604ee50ff65a40121955a4150a6d2c007d34807642" } ], "Object": [ { "comment": "", "deleted": false, "description": "Metadata used to generate an executive level report", "meta-category": "misc", "name": "report", "template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df", "template_version": "7", "timestamp": "1685017351", "uuid": "30ab4301-b22a-4d83-998f-6aaa22096a62", "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "link", "timestamp": "1685017351", "to_ids": false, "type": "link", "uuid": "4ce5786d-52f4-441c-a309-c87cd013cf35", "value": 
"https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "summary", "timestamp": "1685017351", "to_ids": false, "type": "text", "uuid": "f329bd33-5455-44d9-859e-c4566fc52abe", "value": "Microsoft has uncovered stealthy and targeted malicious activity focused on post-compromise credential access and network system discovery aimed at critical infrastructure organizations in the United States. The attack is carried out by Volt Typhoon, a state-sponsored actor based in China that typically focuses on espionage and information gathering. Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.\r\n\r\nVolt Typhoon has been active since mid-2021 and has targeted critical infrastructure organizations in Guam and elsewhere in the United States. In this campaign, the affected organizations span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. Observed behavior suggests that the threat actor intends to perform espionage and maintain access without being detected for as long as possible." 
}, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "type", "timestamp": "1685017351", "to_ids": false, "type": "text", "uuid": "8a276b8a-a5ea-41e1-bcaa-813e7bdcf2cf", "value": "Blog" } ] }, { "comment": "", "deleted": false, "description": "An object describing a query, along with its format.", "meta-category": "misc", "name": "query", "template_uuid": "006539b3-f68a-4a02-a213-e600762d39b5", "template_version": "3", "timestamp": "1685017729", "uuid": "4f64f54c-23a2-49a5-99df-4b86056a0a78", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "author", "timestamp": "1685017729", "to_ids": false, "type": "text", "uuid": "9b384e5d-b72b-413e-bcc6-5bb4cf010da0", "value": "Microsoft" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "comment", "timestamp": "1685017729", "to_ids": false, "type": "comment", "uuid": "ca3b5f53-3f3f-42ff-99c1-4ebf7686ed64", "value": "Find commands creating domain controller installation media (ntdsutil IFM \"create full\")\r\n\r\nThis query can identify domain controller installation media creation commands similar to those used by Volt Typhoon.\r\n\r\nNote: the query requires all three tokens to be present in one command line, including \"pro\", which appears to reflect the output path used in the specific command observed. Dropping that token broadens the hunt to any full IFM media creation via ntdsutil, at the cost of more benign hits from legitimate DC promotion or backup activity, which should be baselined." 
}, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "format", "timestamp": "1685017729", "to_ids": false, "type": "text", "uuid": "d30cb85c-2c75-4812-ae7e-8225eb103fdc", "value": "Kusto Query Language" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "query", "timestamp": "1685017729", "to_ids": false, "type": "text", "uuid": "81929868-fe20-4a53-9314-681d91c77a17", "value": "DeviceProcessEvents\r\n| where ProcessCommandLine has_all (\"ntdsutil\", \"create full\", \"pro\")" } ] }, { "comment": "", "deleted": false, "description": "An object describing a query, along with its format.", "meta-category": "misc", "name": "query", "template_uuid": "006539b3-f68a-4a02-a213-e600762d39b5", "template_version": "3", "timestamp": "1685017773", "uuid": "2b7207ab-964b-4194-a6b1-e76ab73d7880", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "author", "timestamp": "1685017773", "to_ids": false, "type": "text", "uuid": "f04ffb2c-5e38-4f25-8571-d68dbc2a7f56", "value": "Microsoft" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "comment", "timestamp": "1685017773", "to_ids": false, "type": "comment", "uuid": "7f0f896f-4a3b-4846-beb3-fcaaa2d87695", "value": "Find commands establishing internal proxies (netsh portproxy launched via wmic)\r\n\r\nThis query can identify commands that establish internal proxies similar to those used by Volt Typhoon.\r\n\r\nNote: the query only matches when netsh portproxy is launched through \"wmic process call create\" in a single command line. A direct \"netsh interface portproxy add v4tov4\" invocation will not match, so consider a companion hunt on (\"netsh\", \"portproxy\", \"v4tov4\") alone, and baseline any legitimate portproxy use in the environment before alerting on it." 
}, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "format", "timestamp": "1685017773", "to_ids": false, "type": "text", "uuid": "64030711-7426-46a0-8b71-e150f2456828", "value": "Kusto Query Language" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "query", "timestamp": "1685017773", "to_ids": false, "type": "text", "uuid": "5cc994af-98d2-47f3-aba5-a7661a725b49", "value": "DeviceProcessEvents\r\n| where ProcessCommandLine has_all (\"portproxy\", \"netsh\", \"wmic\", \"process call create\", \"v4tov4\")" } ] }, { "comment": "", "deleted": false, "description": "An object describing a query, along with its format.", "meta-category": "misc", "name": "query", "template_uuid": "006539b3-f68a-4a02-a213-e600762d39b5", "template_version": "3", "timestamp": "1685017809", "uuid": "2a853f23-a597-4334-b252-c8a100b63207", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "comment", "timestamp": "1685017809", "to_ids": false, "type": "comment", "uuid": "2e619fd0-00bb-4ce6-b93e-317542ab06ac", "value": "Find detections of custom FRP (Fast Reverse Proxy) executables\r\n\r\nThis query can identify alerts on files that match the SHA-256 hashes of known Volt Typhoon custom FRP binaries.\r\n\r\nNote: these are hash indicators for specific custom builds. A recompiled, repacked or otherwise modified FRP binary will not match, so a hit is high-fidelity but a miss is not evidence of absence. Pair this hash match with the behavioural ntdsutil and netsh portproxy queries in this event rather than relying on it alone." 
}, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "format", "timestamp": "1685017809", "to_ids": false, "type": "text", "uuid": "3cc3f3b0-a0b4-4676-b66d-74f6b8b7131d", "value": "Kusto Query Language" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "query", "timestamp": "1685017809", "to_ids": false, "type": "text", "uuid": "a08845b2-bd17-472e-a844-a7ed70aca729", "value": "AlertEvidence\r\n| where SHA256 in \r\n('baeffeb5fdef2f42a752c65c2d2a52e84fb57efc906d981f89dd518c314e231c', \r\n'b4f7c5e3f14fb57be8b5f020377b993618b6e3532a4e1eb1eae9976d4130cc74', \r\n'4b0c4170601d6e922cf23b1caf096bba2fade3dfcf92f0ab895a5f0b9a310349', \r\n'c0fc29a52ec3202f71f6378d9f7f9a8a3a10eb19acb8765152d758aded98c76d', \r\n'd6ab36cb58c6c8c3527e788fc9239d8dcc97468b6999cf9ccd8a815c8b4a80af', \r\n'9dd101caee49c692e5df193b236f8d52a07a2030eed9bd858ed3aaccb406401a', \r\n'450437d49a7e5530c6fb04df2e56c3ab1553ada3712fab02bd1eeb1f1adbc267', \r\n'93ce3b6d2a18829c0212542751b309dacbdc8c1d950611efe2319aa715f3a066', \r\n'7939f67375e6b14dfa45ec70356e91823d12f28bbd84278992b99e0d2c12ace5', \r\n'389a497f27e1dd7484325e8e02bbdf656d53d5cf2601514e9b8d8974befddf61', \r\n'c4b185dbca490a7f93bc96eefb9a597684fdf532d5a04aa4d9b4d4b1552c283b', \r\n'e453e6efc5a002709057d8648dbe9998a49b9a12291dee390bb61c98a58b6e95', \r\n'6036390a2c81301a23c9452288e39cb34e577483d121711b6ba6230b29a3c9ff', \r\n'cd69e8a25a07318b153e01bba74a1ae60f8fc28eb3d56078f448461400baa984', \r\n'17506c2246551d401c43726bdaec800f8d41595d01311cf38a19140ad32da2f4', \r\n'8fa3e8fdbaa6ab5a9c44720de4514f19182adc0c9c6001c19cf159b79c0ae9c2', \r\n'd17317e1d5716b09cee904b8463a203dc6900d78ee2053276cc948e4f41c8295', \r\n'472ccfb865c81704562ea95870f60c08ef00bcd2ca1d7f09352398c05be5d05d', \r\n'3e9fc13fab3f8d8120bd01604ee50ff65a40121955a4150a6d2c007d34807642')" } ] } ] } }