China As a Cyber Adversary

As a recent project of mine, I wrote a Cyber Threat Intelligence (CTI) report for the LinkedIn community, in which I detailed information gathered from open sources about a prevalent cyber adversary group called Volt Typhoon. You can download the full 16-page report by clicking the link below, but for a compressed summary of my findings, read on!

Who/What is Volt Typhoon?

Volt Typhoon (also known as BRONZE SILHOUETTE) are a state-sponsored Advanced Persistent Threat (APT) supported by the People’s Republic of China (PRC), with the earliest known activity dating to 2021. The group specialises in espionage and information gathering, as well as targeting critical infrastructure, with reported cases in the United States and Guam. Volt Typhoon’s operations are characterised by precise planning, custom malware deployments and stealthy infiltration techniques, making them one of the most formidable cyber adversaries active today.

Whilst their targets have primarily been in the US, it is important for Australians to be aware and alert to the possibility of being the next target of this threat. Globally we are seeing a rise in tensions in the Indo-Pacific region, with displays of force from China against Taiwan and high-risk military activity between Chinese and Australian military aircraft. These demonstrations and behaviours from China show we should not rule out the possibility of a state-supported cyber attack from an APT such as Volt Typhoon.

How Does Volt Typhoon Remain Undetected?

One of the techniques used by Volt Typhoon which makes them difficult to detect is Living Off The Land (LOTL). This is where a threat actor uses tools and software that already operate in the target’s environment, so that their activity blends in with normal network and host traffic and goes unnoticed. Unlike the typical malware attack, in which the victim unintentionally downloads and installs malicious software which the attacker then uses to execute scripts, LOTL attacks are fileless. Downloading malware typically makes a lot of ‘noise’; because there is no malware to download, LOTL attacks are stealthy and difficult to detect. In order to execute their attacks, Volt Typhoon uses tools already present in the victim’s environment, such as command and scripting interpreters, which may not be flagged by detection software.
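Because LOTL activity runs interpreters that are legitimately present, matching on the binary name alone finds nothing; the practical defender response is to baseline who normally runs which interpreter under which parent process and alert on combinations never seen before. The following is an added illustration, not code from the report or from any referenced advisory; the hosts, users and log lines are constructed, and the interpreter list is generic tool names rather than indicators from the report.

```python
import csv
import io
from collections import defaultdict

# Built-in command and scripting interpreters to watch (generic names,
# not indicators taken from the report).
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

# Constructed sample process-creation events: a "known good" baseline
# window, then a later window to evaluate. Fields: host,user,parent,process
BASELINE_LOG = """host,user,parent,process
ws01,alice,explorer.exe,cmd.exe
ws01,alice,explorer.exe,powershell.exe
srv02,svc_backup,backupagent.exe,powershell.exe
"""
NEW_LOG = """host,user,parent,process
ws01,alice,explorer.exe,powershell.exe
srv02,svc_backup,backupagent.exe,powershell.exe
srv02,svc_web,w3wp.exe,cmd.exe
ws01,alice,winword.exe,cmd.exe
"""

def parse_events(text):
    return list(csv.DictReader(io.StringIO(text)))

def build_baseline(events):
    """Map each host to the set of (user, parent, process) triples observed
    for watched interpreters during the baseline window."""
    baseline = defaultdict(set)
    for e in events:
        proc = e["process"].lower()
        if proc in INTERPRETERS:
            baseline[e["host"]].add((e["user"], e["parent"].lower(), proc))
    return baseline

def find_anomalies(baseline, events):
    """Return events where a watched interpreter ran under a (user, parent)
    combination that is absent from that host's baseline."""
    hits = []
    for e in events:
        proc = e["process"].lower()
        if proc not in INTERPRETERS:
            continue
        key = (e["user"], e["parent"].lower(), proc)
        if key not in baseline.get(e["host"], set()):
            hits.append(e)
    return hits

if __name__ == "__main__":
    base = build_baseline(parse_events(BASELINE_LOG))
    for hit in find_anomalies(base, parse_events(NEW_LOG)):
        print("novel interpreter launch:", hit)
```

In the constructed data the two flagged events are a web server worker spawning a shell and a document editor spawning a shell, the kind of parent/child pairing that a name-based signature would never raise.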

Who/What Are Volt Typhoon’s Targets?

Being a state-based threat actor focused on government espionage and national disruption, Volt Typhoon has multiple target sectors, based on previous attacks conducted against U.S. and Guam targets:

  • Energy: The group has shown interest in energy sectors, including power grids and oil & gas installations. Compromising such entities can provide both intelligence and potential disruption capabilities.

  • Defence: Military installations, defence contractors, and research institutions have been prime targets, likely to gather intelligence on defence capabilities, strategies, and emerging technologies.

  • Critical Infrastructure: Beyond energy, other critical infrastructure such as transportation, water supply and healthcare has also been in their crosshairs.

  • Telecommunications: Telecommunication sectors offer a wealth of data, from communication intercepts to infrastructure details, making them a valuable target.

Microsoft intelligence analysts have reported with moderate confidence that Volt Typhoon’s campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the U.S. and the Asia region during future crises. Based on this information, it is also reasonable to anticipate that these capabilities could be used to disrupt Australian communications to the U.S. and Asia in the event of a military escalation and subsequent campaign in the South China Sea, most notably an attack on Taiwan by China.

Could Australia Be Attacked & What Would That Look Like?

  • Continued Reconnaissance: It is most likely Volt Typhoon will continue to conduct stealthy reconnaissance operations against the same target sectors outlined in this report. There is a high likelihood they currently hold undetected access to systems, potentially including systems containing sensitive U.S. Defence information.

  • Target Expansion: It is most likely Volt Typhoon will continue to target the U.S. whilst also expanding their target countries to Canada, the United Kingdom, Australia and New Zealand.

There is a possibility that Volt Typhoon already have access to Australian sensitive or critical environments where they will continue to gain intelligence on our systems and procedures, but in a worst-case scenario, their actions could include:

  • Critical Infrastructure Sabotage: This would involve direct targeting of energy, water, communications, export, and fuel sectors and could involve the deployment of wiperware, a destructive form of malware designed to shut down services and render them unrecoverable.

  • Defence Establishment Targeting: This would involve targeting and disruption of communications, surveillance and target acquisition services employed by defence forces. Specific to Australia, this could include direct targeting of systems in northern military establishments, such as Robertson Barracks (Darwin), Lavarack Barracks (Townsville) and Gallipoli Barracks (Brisbane). The intent would be to disrupt military capabilities and impede Australia’s ability to provide military support to Taiwan, and defend itself.

  • Highly-Sensitive Data Exfiltration: Volt Typhoon are highly capable of moving around a network and collecting information undetected. This raises the possibility of exfiltration of highly-sensitive data which could compromise national security.

Diagram From Local Defence Australia CTI Report depicting potential Volt Typhoon targets in Northern Australia

Summary and Mitigation

Whilst Australia has not yet seen a direct attack from Volt Typhoon, with tensions between China and Taiwan rising, it is reasonable to expect Volt Typhoon to be involved if/when Australia interferes with China’s attack. Whilst the everyday Australian is not a direct target of Volt Typhoon, we all need to be aware and protected against cyber threats in general. This can be achieved through:

  • Robust password management

  • Least-privilege access control

  • Implementing multi-factor authentication (MFA)

  • Regular software updates

  • Regular backup of important data

  • Cyber awareness

References:

People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF

MITRE ATT&CK - Volt Typhoon https://attack.mitre.org/groups/G1017/

Microsoft - Volt Typhoon targets US critical infrastructure with living-off-the-land techniques https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/

SOC Radar - APT Profile: Volt Typhoon https://socradar.io/apt-profile-volt-typhoon/

Cyber Security Associates - Threat Hunting Report: Volt Typhoon https://csa.limited/blog/20240412-Threat-Report-VoltTyphoon.html

Cyber Daily - Australia and Five Eyes allies issue new Volt Typhoon advisory https://www.cyberdaily.au/security/10349-australia-and-five-eyes-allies-issue-new-volt-typhoon-advisory
