SCADA/ICS Hacking and Security: Chinese APT, Volt Typhoon, Has Compromised Numerous Industrial Systems in the US!
- aircorridor
Welcome back, aspiring cyberwarriors!
In a cyberwar, SCADA and ICS industrial systems can be both a target and a weapon!
Although the ongoing tensions between the U.S. and China are often framed as a trade war, Chinese state-sponsored actors have been known to compromise and maintain persistent access to critical U.S. infrastructure—sometimes for years. In this article, I’ll explore how one of the most notorious advanced persistent threats (APT), Volt Typhoon, managed to infiltrate U.S. infrastructure.

Step #1: Extensive Pre-Compromise Reconnaissance
First, let's understand how Volt Typhoon begins their operations. Unlike less sophisticated threat actors, Volt Typhoon conducts thorough reconnaissance before attempting any exploitation. They research target organizations extensively, learning about network architecture, security measures, typical user behaviors, and key IT staff.
According to CISA, NSA, and FBI, Volt Typhoon uses tools like FOFA, Shodan, and Censys to identify exposed infrastructure. They've even been observed targeting the personal email accounts of key network and IT staff post-compromise. This intelligence gathering enhances their operational security—in some cases, they avoid using compromised credentials outside normal working hours to prevent triggering security alerts.
Step #2: Initial Access Through Vulnerable Network Appliances
Once Volt Typhoon has mapped out their target, they exploit vulnerabilities in public-facing network appliances to gain initial access. They commonly target devices from vendors including Fortinet, Ivanti Connect Secure (formerly Pulse Secure), NETGEAR, Citrix, and Cisco (we cover some of the most egregious vulnerabilities found in the most widely used VPNs of 2024 in a separate article).
Their initial access strategy focuses on perimeter devices for several strategic advantages:
• VPN and Remote Access Gateways: These provide authenticated access into the internal network
• Edge Routers and Firewalls: Compromise grants visibility into and control over traffic flows
• Load Balancers and Web Application Firewalls: These often have elevated privileges within the network architecture
Volt Typhoon meticulously tracks vulnerability disclosures for these devices and has demonstrated the capability to weaponize new vulnerabilities within days of public disclosure.
They prioritize the following types of vulnerabilities:
• Authentication Bypass: Allows direct access without credentials
• Remote Code Execution: Enables running arbitrary commands on the target device
• Memory Corruption Flaws: Often allow reliable exploitation that leaves minimal log evidence
In one confirmed compromise, Volt Typhoon likely obtained initial access by exploiting CVE-2022-42475 in an unpatched FortiGate 300D firewall. Evidence of a buffer overflow attack was identified within the SSL-VPN crash logs. This particular vulnerability in FortiOS SSL-VPN allowed unauthenticated attackers to execute arbitrary code via specially crafted requests.
Analysis of other Volt Typhoon compromises revealed exploitation of:
• CVE-2022-27518: Remote code execution vulnerability in Citrix ADC and Gateway
• CVE-2020-5902: RCE vulnerability in F5 BIG-IP devices
• CVE-2021-34473: Microsoft Exchange Server vulnerability (ProxyShell)
• CVE-2022-26318: Vulnerability in Ivanti Connect Secure gateways

Step #3: Credential Harvesting and Privilege Escalation
After establishing a foothold, Volt Typhoon focuses on obtaining administrator credentials. They often exploit privilege escalation vulnerabilities in the operating system or network services. In some cases, they've obtained credentials that were inappropriately stored on network appliances.
For example, in the case where they exploited the FortiGate vulnerability, they compromised a domain admin account that was stored on the device. This highlights the danger of storing privileged credentials on edge devices.
Step #4: Lateral Movement
With valid administrator credentials in hand, Volt Typhoon moves laterally through the network, primarily using Remote Desktop Protocol (RDP). Their ultimate target is typically the domain controller, which gives them control over the entire Active Directory environment.
In one confirmed compromise of a Water and Wastewater Systems Sector entity, after obtaining initial access, Volt Typhoon connected to the network via VPN with administrator credentials and opened an RDP session to move laterally. Over a nine-month period, they moved to a file server, a domain controller, an Oracle Management Server, and a VMware vCenter server.
Step #5: Discovery Using Living Off the Land Techniques
Volt Typhoon is particularly skilled at using "living off the land" (LOTL) techniques—using legitimate system tools and processes already present on the system rather than introducing malware. This sophisticated approach allows them to blend in with normal system operations and maintain persistent access without triggering traditional security alerts.
They use native Windows commands and utilities for discovery, including:
• cmd
• certutil
• dnscmd
• ldifde
• makecab
• net user/group/use
• netsh
• nltest
In one incident, analysis of the PowerShell console history on a domain controller revealed that Volt Typhoon extracted security event logs with the command:
Get-EventLog security -instanceid 4624 -after [year-month-date] | fl * | Out-File 'C:\users\public\documents\user.dat'
This indicates the group’s specific interest in capturing successful logon events (Event ID 4624) to analyze user authentication patterns within the network. The presence of these activities suggests a methodical approach by Volt Typhoon actors—not only in collecting sensitive log data but potentially in removing traces to cover their tracks within the compromised system.
Step #6: Full Domain Compromise Through NTDS.dit Extraction
The crown jewel for Volt Typhoon is the Active Directory database file (NTDS.dit), which contains usernames, password hashes, and group memberships for all domain accounts. By extracting this file, they can achieve full domain compromise.

The NTDS.dit file is normally locked while Active Directory is running, making direct copying impossible. Volt Typhoon overcomes this through sophisticated techniques that leverage Windows' built-in functionality. Their typical approach begins with creating a Volume Shadow Copy Service (VSS) snapshot of the drive hosting the Active Directory database. This creates a point-in-time copy of the entire volume that can be accessed while the original files remain in use. They execute this using standard Windows commands that appear legitimate to monitoring tools, often running vssadmin create shadow /for=C: from an elevated command prompt on the domain controller.
Once the shadow copy is created, Volt Typhoon uses a combination of Windows Management Instrumentation (WMI) commands to remotely execute ntdsutil, a legitimate Microsoft tool for Active Directory database management. Through ntdsutil's "ifm" (Install From Media) functionality, they create a portable copy of the directory database that includes all the account information.
Alongside the NTDS.dit file, Volt Typhoon also extracts the SYSTEM registry hive from the compromised domain controller. This registry hive contains the boot key necessary to decrypt the password hashes stored in the NTDS.dit file. Without this key, the password data would remain encrypted and unusable. The attackers typically place both files in an inconspicuous location like C:\Users\Public\Documents or within temporary folders where they can be staged before exfiltration.
The sophistication of Volt Typhoon becomes apparent in their exfiltration methods. Rather than immediately removing these files, which might trigger data loss prevention systems, they often compress them with innocuous filenames and slowly extract them over extended periods. In some cases, they've been observed breaking the files into smaller chunks to avoid detection by security systems that monitor for large outbound file transfers.
Intelligence agencies have documented Volt Typhoon's unusual persistence in extracting NTDS.dit repeatedly from the same victims. In one particularly concerning case, they methodically extracted the Active Directory database from three separate domain controllers within the same organization over a four-year period. This repeated extraction serves multiple purposes: it provides up-to-date password information as users change credentials, reveals new accounts added to the domain, and maintains persistent access even as security teams attempt remediation efforts.
Another documented incident revealed Volt Typhoon extracting the NTDS.dit file twice within a nine-month period from a critical infrastructure provider. Security researchers believe this regular re-harvesting of credentials indicates a long-term strategic interest in maintaining access rather than a typical smash-and-grab operation. This pattern aligns with intelligence assessments that Volt Typhoon's objective is persistent positioning within critical infrastructure for potential future operations.
After successfully exfiltrating these files, Volt Typhoon proceeds with offline password cracking techniques.
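The discovery commands in Step #5 and the shadow-copy, ntdsutil and SYSTEM-hive sequence in Step #6 all leave command lines in Security event 4688 or in PowerShell console history, so a defender can pattern-match on them. The following is an added example written for this article (not code from the original post or from CISA/NSA/FBI); the rule names, the severity scheme and the sample log lines are my own construction.

```python
# Added example (not from the article or any agency tooling): flag the LOTL
# command lines described in Steps #5 and #6 in a constructed feed of
# Windows 4688 command-line fields / PowerShell ConsoleHost_history entries.
import re
from collections import Counter

# (rule, severity, pattern). Case-insensitive, tolerant of ".exe" and spacing.
RULES = [
    ("vss_shadow_create", "high",
     re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow\b", re.I)),
    ("ntdsutil_ifm", "high",
     re.compile(r"\bntdsutil(\.exe)?\b.*\b(ifm|ac\s+i\s+ntds)\b", re.I)),
    ("system_hive_save", "high",
     re.compile(r'\breg(\.exe)?\s+save\s+"?hklm\\system\b', re.I)),
    ("eventlog_dump_to_public", "high",
     re.compile(r"\bGet-EventLog\b.*\bOut-File\b.*\\users\\public\\", re.I)),
    ("lotl_discovery", "low",
     re.compile(r"^\s*(net\s+(user|group|use)|nltest|dnscmd|ldifde|netsh|certutil|makecab)\b", re.I)),
]
# All three together on one host is the NTDS.dit theft chain from Step #6.
NTDS_CHAIN = {"vss_shadow_create", "ntdsutil_ifm", "system_hive_save"}

def scan_lines(lines):
    """Return [(line_index, rule, severity)] for every rule that matches."""
    return [(i, name, sev) for i, line in enumerate(lines)
            for name, sev, pat in RULES if pat.search(line)]

def assess(lines):
    """Count hits per severity and report whether the NTDS chain is complete."""
    hits = scan_lines(lines)
    by_sev = Counter(sev for _, _, sev in hits)
    seen = {name for _, name, _ in hits}
    return {"high": by_sev["high"], "low": by_sev["low"],
            "ntds_chain_complete": NTDS_CHAIN <= seen}

# Constructed sample input, mirroring the article's Step #5/#6 activity.
SAMPLE_LINES = [
    "net user",
    "nltest /domain_trusts",
    "vssadmin create shadow /for=C:",
    'ntdsutil "ac i ntds" "ifm" "create full C:\\Windows\\Temp\\pro" q q',
    "reg save HKLM\\SYSTEM C:\\Users\\Public\\Documents\\sys.dat",
    "Get-EventLog security -instanceid 4624 -after 2024-01-01 | fl * | "
    "Out-File 'C:\\users\\public\\documents\\user.dat'",
    "Get-ChildItem C:\\inetpub\\logs",  # benign admin activity, no hit
]

if __name__ == "__main__":  # run directly to see which sample lines fire
    print(scan_lines(SAMPLE_LINES), assess(SAMPLE_LINES))
```

A single low-severity discovery hit is routine admin noise; the signal is the completed chain on a domain controller, which is why assess() reports it separately.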
Step #7: Targeting Operational Technology Assets
What makes Volt Typhoon particularly concerning is their focus on gaining access to operational technology (OT) assets. These are the systems that directly control physical processes in critical infrastructure.
Volt Typhoon has been observed testing access to domain-joined OT assets using default vendor credentials. In certain instances, they've possessed the capability to access OT systems whose credentials were compromised via NTDS.dit theft.
In one confirmed compromise, Volt Typhoon's movement to a vCenter server was likely strategic for pre-positioning to OT assets. The vCenter server was adjacent to OT assets, and they were observed interacting with the PuTTY application by enumerating existing stored sessions. This potentially gave them access to PuTTY profiles for water treatment plants, water wells, an electrical substation, and other critical systems.
Step #8: Collection of OT Documentation and Persistent Access
The U.S. authoring agencies (CISA, NSA, and FBI) assess that Volt Typhoon primarily collects information that would facilitate follow-on actions with physical impacts. In one confirmed compromise, they collected sensitive information from a file server in multiple zipped files and likely exfiltrated them via SMB.
The collected information included diagrams and documentation related to OT equipment, including SCADA systems, relays, and switchgear. This data is crucial for understanding and potentially impacting critical infrastructure systems.
After successfully gaining access to legitimate accounts, Volt Typhoon exhibits minimal activity within the compromised environment, suggesting their objective is to maintain persistence rather than immediate exploitation. This is supported by observed patterns where they methodically re-target the same organizations over extended periods, often spanning several years.
Step #9: Command and Control Infrastructure
For command and control, Volt Typhoon leverages compromised small office/home office (SOHO) routers and virtual private servers (VPS) to proxy their traffic. They've been observed using Cisco and NETGEAR end-of-life SOHO routers implanted with KV Botnet malware.
They've also set up Fast Reverse Proxy (FRP) clients on victims' corporate infrastructure to establish covert communications channels. In one instance, Volt Typhoon implanted an FRP client with filename SMSvcService.exe on a Shortel Enterprise Contact Center server and a second FRP client with filename Brightmetricagent.exe on another server.
These clients, when executed via PowerShell, open reverse proxies between the compromised system and Volt Typhoon's C2 servers. The FRP client can locate servers behind network firewalls or obscured through Network Address Translation (NAT).
Conclusion
Volt Typhoon represents a significant threat to U.S. critical infrastructure. Their sophisticated tactics, techniques, and procedures—combined with their focus on pre-positioning for potential disruptive attacks—make them a particularly dangerous adversary.
The U.S. authoring agencies are concerned about the potential for these actors to use their network access for disruptive effects in the event of geopolitical tensions or military conflicts.
To learn more about securing SCADA/ICS environments against threats like Volt Typhoon, check out our training.