Storm Chasing: Defend Against Volt Typhoon with SCYTHE

Understanding and predicting an adversary's moves is critical to defense strategies in the cybersecurity landscape. Amid this backdrop, two entities stand out for their forward-thinking and innovative approaches: Volt Typhoon and SCYTHE.

"CISA, the National Security Agency, and the FBI said Volt Typhoon has had access throughout US infrastructure for the past five years. The FBI Director described Volt Typhoon as 'the defining threat of our generation.' And it will inspire others to take what's worked and the original threat to continue to evolve their tradecraft, highlighting again why it's so important to drive your organization with realistic threat emulation (like our release) that will catch these future threats." 

-Bryson Bort, Founder & CEO, SCYTHE

Volt Typhoon: Targeting Critical Infrastructure

The PRC-affiliated threat actor Volt Typhoon (A.K.A: Voltzite, Vanguard Panda) is well known for their use of living off the land (LOTL, which includes LOLBAS/LOLBIN – see our repository for several years of emulation examples) techniques to establish persistent and stealthy footholds. SCYTHE CEO Bryson Bort has repeatedly referenced these publicly in his talks as "levers for future action." Volt Typhoon continues to target and pose a serious threat to U.S. critical infrastructure using known and emerging vulnerabilities within external facing appliances, credential harvesting, and further network reconnaissance and pivoting, to position themselves within our critical infrastructure. 

Unlike conventional cyber espionage tactics, Volt Typhoon's approach focuses on gaining the access needed to disrupt or potentially destroy critical infrastructure, indicating a strategic intent aligned with potential geopolitical tensions or military conflicts. This group is also known to practice strong operational security allowing them to dwell in networks undetected for longer periods of time. 

To showcase Volt Typhoon’s behaviors as discussed in CISA’s recent advisory bulletin along with historic reporting from Microsoft and CrowdStrike, we at SCYTHE have created a new Threat Campaign to test your defensive mettle against. This campaign dives into common behaviors observed from Volt Typhoon to include:

• Host enumeration
• Valid user enumeration in an unconventional manner
• Credential Harvesting
• IP data exfiltration
• Persistence
• Lateral Movement utilizing harvested credentials

Of note, we emulated the threat actor's novel method of local and domain user enumeration via “Security Log” querying for valid user logins to determine what accounts are active and what users can be found on the hosts where they have access.

SCYTHE: Mastering the Art of Cyber Adversary Simulation

Where Volt Typhoon innovates in cyber resilience, SCYTHE focuses on the cutting-edge practice of cyber adversary simulation. SCYTHE's platform is a groundbreaking tool that allows organizations to simulate real-world cyberattacks on their networks. This attack emulation methodology is pivotal in helping businesses understand their vulnerabilities and strengthen their defenses against potential threats.