Volt Typhoon: Unpacking State Sponsored Living-Off-the-Land Attacks on Critical Infrastructure

Cyberattacks on critical infrastructure are becoming increasingly sophisticated, with state-sponsored actors employing stealthy and persistent techniques. One such attack, Volt Typhoon, targeted the U.S. and its allies, leveraging Living off the Land (LotL) techniques to evade detection. This article explores the attack, its methods, and the necessary defensive measures to counter such threats.

What is Volt Typhoon?

Volt Typhoon is a state-sponsored threat actor attributed to China, whose campaign was first disclosed by Microsoft and CISA in May 2023. This espionage-driven activity focused on critical infrastructure sectors, including:

  • Communications
  • Manufacturing
  • Maritime operations
  • IT services
  • Utility providers

The attack was particularly concerning as it aimed for long-term access rather than immediate disruption, allowing the attackers to maintain persistence for future exploitation.

How Did Volt Typhoon Operate?

The attackers used a combination of LotL techniques, proxy tunneling, and credential dumping to achieve their objectives.

1. Initial Access: Exploiting Network Devices

Volt Typhoon gained access through internet-facing management portals of small office/home office (SOHO) network devices, such as:

  • ASUS, Cisco, D-Link, Netgear routers and firewalls
  • Other publicly exposed network appliances

These devices often run outdated firmware, making them vulnerable to known security flaws (CVEs). While exact vulnerabilities weren’t disclosed, historical advisories indicate that similar attacks have exploited unpatched security flaws in network appliances.

2. Data Tunneling with Earthworm

Once inside, the attackers used Earthworm, a publicly available proxy tool, to establish a covert communication channel. This allowed them to:

  • Bypass network monitoring
  • Exfiltrate data undetected
  • Maintain persistent access for future operations

Earthworm is not inherently malicious but is often used by advanced persistent threats (APTs) for stealthy data transfer.

3. Credential Dumping & Privilege Escalation

One of the attack’s primary objectives was to extract login credentials using legitimate Windows tools.

Method 1: PowerShell-Based Memory Dumping

The attackers executed base64-encoded PowerShell commands to:

  1. Run “rundll32.exe”
  2. Call “comsvcs.dll”
  3. Extract credentials from system memory

Since rundll32.exe is a legitimate Windows binary and comsvcs.dll a legitimate system library, many security tools overlook this behavior; the command line, and the decoded contents of the encoded PowerShell, are what give it away.

Method 2: Dumping Active Directory Credentials

Volt Typhoon also used WMIC (Windows Management Instrumentation Command-line tool) to execute:

  • NTDSUtil commands
  • Process creation for dumping “ntds.dit” (Active Directory database)

The NTDS.dit file contains password hashes of all domain users, enabling attackers to:

  • Crack passwords offline
  • Move laterally within the network
  • Create backdoor administrator accounts

How to Detect and Defend Against Volt Typhoon

1. Enable and Monitor Windows Event Logs

Many critical event logs are not enabled by default. Security teams should activate and monitor:

  • Event ID 4688 & 4689: Process creation and termination logs (reveal unusual command-line activity; note that 4688 only records the command line when the “Include command line in process creation events” policy is enabled)
  • Event ID 4672: Logs privileged account logins (flags unauthorized access)
  • Event ID 4648: Detects explicit logins with credentials (tracks manual login attempts)
  • PowerShell Event Logs 400 & 403: Engine start and stop events whose HostApplication field records the launching command line, including encoded commands (enable script block logging, Event ID 4104, to also capture the decoded script content)

Fun Fact: The attackers themselves used Windows Event Logs (Event ID 4624) to track legitimate administrator activity before escalating privileges!
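The two dumping methods above (rundll32 with comsvcs.dll inside an encoded PowerShell command, and WMIC-launched ntdsutil) both leave their fingerprint in process-creation command lines. The following is an added example, not code from the article: it decodes -EncodedCommand payloads and labels Event-4688-style records; the record layout and every sample record are constructed assumptions.

```python
# Added example (not from the article): scan Event-4688-style records
# (process name, command line) for the credential-dumping patterns above.
import base64
import re

# -EncodedCommand and its abbreviations carry base64 of UTF-16LE script text.
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def encode_ps(script: str) -> str:
    """Encode a script as -EncodedCommand expects; used only to build samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload, or '' if none is present."""
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except ValueError:  # malformed base64
        return ""

def classify(cmdline: str) -> list:
    """Return detection labels for one command line, decoded payload included."""
    decoded = decode_encoded_command(cmdline)
    text = (cmdline + " " + decoded).lower()
    hits = []
    if "rundll32" in text and "comsvcs.dll" in text:
        hits.append("rundll32+comsvcs.dll memory dump")  # Method 1
    if "ntdsutil" in text or "ntds.dit" in text:
        hits.append("ntds.dit / ntdsutil access")        # Method 2
    if "wmic" in text and "process call create" in text:
        hits.append("wmic process creation")             # Method 2 launcher
    if decoded and "powershell" in text:
        hits.append("encoded powershell")
    return hits

# Constructed sample records; the dump arguments are deliberately omitted.
SAMPLE_4688 = [
    ("powershell.exe", "powershell.exe -NoP -enc "
     + encode_ps("rundll32.exe C:\\Windows\\System32\\comsvcs.dll <args omitted>")),
    ("wmic.exe", 'wmic process call create "ntdsutil <args omitted>"'),
    ("svchost.exe", "C:\\Windows\\System32\\svchost.exe -k netsvcs -p"),
    ("powershell.exe", "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"),
]

def scan(records):
    """Return (process name, labels) for every record that triggers a label."""
    return [(name, hits) for name, cmd in records if (hits := classify(cmd))]
```

Without command-line logging enabled, 4688 records carry only the process name and the encoded payload never reaches the detector; the same matching logic can be pointed at the HostApplication field of PowerShell event 400.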

2. Network Anomaly Detection

Since Volt Typhoon relies on covert proxy tunnels, defenders should monitor for:

  • Unusual outbound connections
  • Unexpected network ports opening
  • Traffic between unrelated internal machines

YARA rules can flag Earthworm binaries on disk or in process memory; the network indicators above are the complementary signal for tunneling behaviour that leaves no recognisable file behind.

3. Threat Hunting & Incident Response

Defenders should proactively:

  • Review security advisories for known vulnerabilities in networking gear
  • Implement baseline network monitoring to detect changes in communication patterns
  • Investigate unusual PowerShell execution (especially encoded commands)
  • Use behavioral detection tools to identify misuse of Windows utilities

Conclusion

Volt Typhoon exemplifies the growing sophistication of cyber threats—leveraging legitimate system tools for stealth and persistence. Organizations must adopt a multi-layered defense strategy, combining log analysis, network monitoring, and proactive threat hunting to detect and mitigate such attacks.

By staying vigilant and monitoring for suspicious system activity, security teams can counteract Living off the Land threats and safeguard critical infrastructure from nation-state adversaries.
