Volt Typhoon
Aliases: BRONZE SILHOUETTE, Vanguard Panda, DEV-0391, UNC3236, Voltzite, Insidious Taurus
Volt Typhoon is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021, primarily targeting critical infrastructure organizations in the US and its territories, including Guam. Volt Typhoon's targeting and pattern of behavior have been assessed as pre-positioning to enable lateral movement to operational technology (OT) assets for potential destructive or disruptive attacks. Volt Typhoon has emphasized stealth in its operations, relying on web shells, living-off-the-land (LOTL) binaries, hands-on-keyboard activity, and stolen credentials.
ATT&CK techniques
T1046 - Network Service Discovery
T1083 - File and Directory Discovery
T1591.004 - Identify Roles
T1057 - Process Discovery
T1021.001 - Remote Desktop Protocol
T1584.004 - Server
T1090 - Proxy
T1518 - Software Discovery
T1078 - Valid Accounts
T1584.008 - Network Devices
T1056.001 - Keylogging
T1036.005 - Match Legitimate Name or Location
T1036.008 - Masquerade File Type
T1059.003 - Windows Command Shell
T1190 - Exploit Public-Facing Application
T1555 - Credentials from Password Stores
T1074 - Data Staged
T1070.001 - Clear Windows Event Logs
T1590 - Gather Victim Network Information
T1560.001 - Archive via Utility
T1124 - System Time Discovery
T1069.002 - Domain Groups
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1047 - Windows Management Instrumentation
T1133 - External Remote Services
T1570 - Lateral Tool Transfer
T1593 - Search Open Websites/Domains
T1082 - System Information Discovery
T1589.002 - Email Addresses
T1497.001 - System Checks
T1003.003 - NTDS
T1027.002 - Software Packing
T1573.001 - Symmetric Cryptography
T1003.001 - LSASS Memory
T1584.005 - Botnet
T1592 - Gather Victim Host Information
T1049 - System Network Connections Discovery
T1087.001 - Local Account
T1217 - Browser Information Discovery
T1059.001 - PowerShell
T1654 - Log Enumeration
T1068 - Exploitation for Privilege Escalation
T1113 - Screen Capture
T1090.001 - Internal Proxy
T1587.004 - Exploits
T1090.003 - Multi-hop Proxy
T1594 - Search Victim-Owned Websites
T1033 - System Owner/User Discovery
T1112 - Modify Registry
T1505.003 - Web Shell
T1218 - System Binary Proxy Execution
T1059.004 - Unix Shell
T1007 - System Service Discovery
T1069 - Permission Groups Discovery
T1584.003 - Virtual Private Server
T1555.003 - Credentials from Web Browsers
T1591 - Gather Victim Org Information
T1590.004 - Network Topology
T1010 - Application Window Discovery
T1069.001 - Local Groups
T1120 - Peripheral Device Discovery
T1070.004 - File Deletion
T1588.006 - Vulnerabilities
T1105 - Ingress Tool Transfer
T1552 - Unsecured Credentials
T1078.002 - Domain Accounts
T1005 - Data from Local System
T1006 - Direct Volume Access
T1012 - Query Registry
T1589 - Gather Victim Identity Information
T1588.002 - Tool
T1596.005 - Scan Databases
T1087.002 - Domain Account
T1614 - System Location Discovery
T1070.007 - Clear Network Connection History and Configurations
T1016.001 - Internet Connection Discovery
T1552.004 - Private Keys
T1074.001 - Local Data Staging
T1590.006 - Network Security Appliances