Threat Actor Profile

Volt Typhoon

Also known as: BRONZE SILHOUETTE, DazedToad, Dev-0391, G1017, Insidious Taurus, Storm-0391, UNC3236, VANGUARD PANDA, VOLTZITE
▲ High Threat
[Microsoft] Volt Typhoon is a state-sponsored actor based in China that typically focuses on espionage and information gathering. Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and the Asia region during future crises.

[Secureworks] BRONZE SILHOUETTE likely operates on behalf of the PRC. The targeting of U.S. government and defense organizations for intelligence gain aligns with PRC requirements, and the tradecraft observed in these engagements overlaps with that of other state-sponsored Chinese threat groups.
Origin: China

Known TTPs

Network Service Discovery
File and Directory Discovery
Identify Roles
Process Discovery
Remote Desktop Protocol
Server
Proxy
Software Discovery
Valid Accounts
Network Devices
Keylogging
Match Legitimate Resource Name or Location
Masquerade File Type
Windows Command Shell
Exploit Public-Facing Application
Credentials from Password Stores
Data Staged
Gather Victim Network Information
Archive via Utility
System Time Discovery
Domain Groups
System Network Configuration Discovery
Remote System Discovery
Windows Management Instrumentation
External Remote Services
Deobfuscate/Decode Files or Information
Lateral Tool Transfer
Search Open Websites/Domains
Local Storage Discovery
Email Addresses
System Checks
NTDS
Software Packing
Symmetric Cryptography
LSASS Memory
Clear Windows Event Logs
Botnet
Gather Victim Host Information
System Network Connections Discovery
Local Account
Browser Information Discovery
PowerShell
Log Enumeration
Exploitation for Privilege Escalation
Screen Capture
Internal Proxy
Exploits
Multi-hop Proxy
Search Victim-Owned Websites
System Owner/User Discovery
Modify Registry
Web Shell
System Binary Proxy Execution
Unix Shell
System Service Discovery
Permission Groups Discovery
Virtual Private Server
Credentials from Web Browsers
Gather Victim Org Information
Network Topology
Application Window Discovery
Local Groups
Peripheral Device Discovery
File Deletion
Vulnerabilities
Ingress Tool Transfer
Unsecured Credentials
Domain Accounts
Data from Local System
Direct Volume Access
Query Registry
Gather Victim Identity Information
Tool
Scan Databases
Domain Account
System Location Discovery
Clear Network Connection History and Configurations
Internet Connection Discovery
Private Keys
Local Data Staging
Network Security Appliances
