Agencies Warn of State-Sponsored Volt Typhoon’s Hacking Tactics


In collaboration with international and private sector partners, CISA released a new advisory warning network defenders of PRC-linked Volt Typhoon’s infiltration tactics. 

Federal agencies added another state-sponsored cyber threat to the growing catalog of digital dangers on Thursday, naming Volt Typhoon as a malicious cyber actor with ties to the Chinese government in a new multi-agency advisory. 

Issued by the Cybersecurity and Infrastructure Security Agency, the National Security Agency and the Federal Bureau of Investigation alongside their counterparts in Australia, New Zealand, Canada and the United Kingdom (together with the U.S., the intelligence-sharing alliance known as the Five Eyes), the notice describes Volt Typhoon's signature techniques and attack patterns.

Its defining trait is "living off the land": rather than deploying custom malware, the actor blends into normal Windows administrative activity by relying on tools already present on the system, including wmic, ntdsutil, netsh and PowerShell, so that its actions are difficult to distinguish from legitimate administration and are less likely to trigger signature-based detection. Microsoft was the first to publicly attribute this activity to Volt Typhoon, warning that the group appeared to be positioning itself to disrupt critical infrastructure operations.

The government advisory builds on Microsoft and other private sector partners’ initial warnings about Volt Typhoon.

“The authoring agencies are aware of recent People’s Republic of China (PRC) state-sponsored cyber activity and have identified potential indicators associated with these techniques,” the advisory reads. “This advisory will help net defenders hunt for this activity on their systems.”

A longer joint guide released alongside the advisory provides specific examples of the commands Volt Typhoon has run on compromised networks. It also sets out best practices for investigating potentially malicious findings, since the same built-in tools are used every day by legitimate administrators.

“Defenders must evaluate matches to determine their significance, applying their knowledge of the system and baseline behavior,” the document states.
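The hunting approach the advisory describes, as an added example that is not code from the advisory or from this article: a small Python hunt over process-creation records that flags the built-in tools named above (ntdsutil, netsh, wmic, PowerShell) only when their command lines look like the abuse patterns commonly associated with living off the land (an NTDS.dit export via ntdsutil's IFM mode, a netsh port proxy, remote process creation over WMI, and encoded PowerShell), then applies a site baseline so that matches explained by known administrative jobs are set aside rather than raised as incidents. The sample events, host names, accounts and baseline entries are all constructed for illustration; the regexes are the example's own, not the advisory's indicators.

```python
"""Hunt constructed Windows process-creation records for living-off-the-land
binary abuse and separate matches that a site baseline explains from those it
does not. Sample events and baseline are constructed for this example."""
import re
from dataclasses import dataclass

# Constructed sample records shaped like Windows Security event 4688
# (process creation): host, account, parent image, new process command line.
SAMPLE_EVENTS = [
    {"host": "DC01", "user": "CORP\\svc-backup", "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": 'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\temp\\ntds" q q'},
    {"host": "WS17", "user": "CORP\\jdoe", "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=9999 "
                "listenaddress=0.0.0.0 connectport=3389 connectaddress=10.0.0.5"},
    {"host": "WS17", "user": "CORP\\jdoe", "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": 'wmic /node:"fs02" process call create "cmd.exe /c whoami > C:\\Windows\\Temp\\o.txt"'},
    {"host": "WS03", "user": "CORP\\helpdesk", "parent": "C:\\Windows\\explorer.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"host": "WS03", "user": "CORP\\helpdesk", "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "netsh advfirewall show allprofiles"},          # routine use, no match
    {"host": "WS05", "user": "CORP\\bob", "parent": "C:\\Program Files\\Vendor\\agent.exe",
     "cmdline": "wmic os get caption"},                          # inventory query, no match
]

# Detection rules: (name, pattern over the command line, what a match suggests).
# Matching on the abusive argument pattern, not on the binary name alone, keeps
# ordinary administrative use of the same tools out of the results.
RULES = [
    ("ntdsutil_ifm_dump",
     re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b", re.I),
     "Active Directory database (NTDS.dit) export: credential theft"),
    ("netsh_portproxy",
     re.compile(r"\bnetsh(\.exe)?\b.*\binterface\s+portproxy\s+add\b", re.I),
     "port proxy on a compromised host: relay or persistence"),
    ("wmic_remote_exec",
     re.compile(r"\bwmic(\.exe)?\b.*/node:.*\bprocess\s+call\s+create\b", re.I),
     "remote process creation over WMI: lateral movement"),
    ("powershell_encoded",
     re.compile(r"\bpowershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\b", re.I),
     "encoded PowerShell command: obfuscated execution"),
]


@dataclass
class Finding:
    host: str
    user: str
    rule: str
    reason: str
    cmdline: str
    in_baseline: bool


# Constructed baseline: (host, account, rule) triples that site knowledge explains,
# here a scheduled backup job that legitimately exports NTDS.dit on DC01.
BASELINE = {("DC01", "CORP\\svc-backup", "ntdsutil_ifm_dump")}


def hunt(events, baseline=BASELINE):
    """Return every rule match, marking those the baseline accounts for."""
    findings = []
    for ev in events:
        for name, pattern, reason in RULES:
            if pattern.search(ev["cmdline"]):
                known = (ev["host"], ev["user"], name) in baseline
                findings.append(Finding(ev["host"], ev["user"], name, reason, ev["cmdline"], known))
    return findings


def triage(findings):
    """Keep matches the baseline does not explain, ordering hosts that show
    several distinct techniques first, since that is a stronger signal than any
    single use of a built-in tool."""
    open_findings = [f for f in findings if not f.in_baseline]
    rules_per_host = {}
    for f in open_findings:
        rules_per_host.setdefault(f.host, set()).add(f.rule)
    return sorted(open_findings, key=lambda f: (-len(rules_per_host[f.host]), f.host, f.rule))


if __name__ == "__main__":
    for f in triage(hunt(SAMPLE_EVENTS)):
        print(f"{f.host:5} {f.user:18} {f.rule:20} {f.reason}")
```

Run against the constructed records, the hunt matches four events; the DC01 export is kept in the results but marked as baseline, and triage surfaces WS17 first because two distinct techniques (port proxy plus remote WMI execution) appear on the same host under the same account. The baseline is deliberately keyed on host, account and rule together: an NTDS export by a different account, or from a different host, still comes through.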

The advisory, compiled by both public and private sector organizations, highlights the ongoing and growing threat that state-sponsored cyber actors pose to U.S. critical infrastructure, against the backdrop of U.S. tensions with China and Russia's continued invasion of Ukraine.

Given the mounting digital threat these actors pose, federal law enforcement has previously identified the protection of U.S. intellectual property as a chief concern of its ongoing cybersecurity efforts.

To help combat cyber incidents, a similar cohort of agencies including CISA, the FBI and NSA released an updated 2023 version of their Stop Ransomware guide to better reflect recent hacking trends and new best practices.