Volt Typhoon
Country: People's Republic of China Organization: N/A Objective: Espionage (Page Last Updated: January 16, 2025)
Aliases:
- Volt Typhoon (Microsoft, Sophos)
- Vanguard Panda (CrowdStrike)
- Bronze Silhouette (Secureworks)
- DEV-0391 (Microsoft)
- UNC3236 (Mandiant)
- UNC5291 (Note: moderate confidence by Mandiant)
- Voltzite (Dragos)
- Insidious Taurus (Unit 42)
Vulnerabilities Exploited
- CVE-2024-39717 (CVSSv3.1: 6.6 medium, in CISA's KEV Catalog) Versa Director Dangerous File Type Upload Vulnerability Source: Lumen
- CVE-2022-42475 (CVSSv3.1: 9.8 critical, in CISA's KEV Catalog) Fortinet FortiOS Heap-Based Buffer Overflow Vulnerability Source: CISA
- Source: Versa Networks
- CVE-2023-27997 (CVSSv3.1: 9.8 critical, in CISA's KEV Catalog) Fortinet FortiOS and FortiProxy SSL-VPN Heap-Based Buffer Overflow Vulnerability
- CVE-2024-21762 (CVSSv3.1: 9.8 critical, in CISA's KEV Catalog) Fortinet FortiOS Out-of-Bound Write Vulnerability
- CVE-2023-46805 (CVSSv3.1: 8.2 high, in CISA's KEV Catalog) Ivanti Connect Secure and Policy Secure Authentication Bypass Vulnerability
- CVE-2024-21887 (CVSSv3.1: 9.1 critical, in CISA's KEV Catalog) Ivanti Connect Secure and Policy Secure Command Injection Vulnerability
References
Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.
Links (Sorted in Chronological Order)
2025
- January 16, 2025 β Censys: Will the Real Volt Typhoon Please Stand Up?
- January 05, 2025 β Wall Street Journal: How Chinese Hackers Graduated From Clumsy Corporate Thieves to Military Weapons
2024
- November 19, 2024 β Tenable: Volt Typhoon: U.S. Critical Infrastructure Targeted by State-Sponsored Actors
- November 12, 2024 β Security Scorecard: The Botnet is Back: SSC STRIKE Team Uncovers a Renewed Cyber Threat
- November 05, 2024 β Bloomberg: Chinese Group Accused of Hacking Singtel in Telecom Attacks (news article, archive link)
- October 31, 2024 β Sophos: Pacific Rim: Inside the Counter-OffensiveβThe TTPs Used to Neutralize China-Based Threats
- August 27, 2024 β Lumen: Taking the Crossroads: The Versa Director Zero-Day Exploitation
- June 12, 2024 β Natto Thoughts: Who is Volt Typhoon? A State-sponsored Actor? Or Dark Power?
- April 04, 2024 β Mandiant: Cutting Edge, Part 4: Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies
- March 20, 2024 β ASD ACSC: PRC State-Sponsored Cyber Activity
- February 14?, 2024 β Dragos: VOLTZITE Espionage Operations Targeting U.S. Critical Systems and (7 page PDF)
- February 14, 2024 β Unit 42: Threat Brief: Attacks on Critical Infrastructure Attributed to Insidious Taurus (Volt Typhoon)
- February 07, 2024 β Lumen: KV-Botnet: Donβt call it a Comeback
- February 07, 2024 β CISA:
- January 31, 2024 β U.S. Department of Justice: U.S. Government Disrupts Botnet Peopleβs Republic of China Used to Conceal Hacking of Critical Infrastructure
- January 31, 2024 β CISA: Secure by Design Alert: Security Design Improvements for SOHO Device Manufacturers and (2 page PDF)
- January 11, 2024 β Security Scorecard: Threat Intelligence Research: Volt Typhoon Compromises 30% of Cisco RV320/325 Devices in 37 Days
2023
- December 13, 2023 β Lumen: Routers Roasting on an Open Firewall: the KV-botnet Investigation
- June 23, 2023 β CrowdStrike: Business as Usual: Falcon Complete MDR Thwarts Novel VANGUARD PANDA (Volt Typhoon) Tradecraft
- May 24, 2023 β Microsoft: Volt Typhoon targets US critical infrastructure with living-off-the-land techniques
- May 24, 2023 β CISA: People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection
- May 24, 2023 β Secureworks: Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations
Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat