Blog · Scenario

Volt Typhoon

By Detecteam, 2023-10-05

TLP

TLP CLEAR

Author

Jordi M. Lobo

Summary

Microsoft has uncovered a stealthy, targeted campaign by Volt Typhoon, a state-sponsored actor based in China, focused on post-compromise credential access and network system discovery. Its primary targets are critical infrastructure organizations in the United States, across sectors including communications, manufacturing, utilities, transportation, construction and government, among others. The actor's goal is espionage: maintain undetected access for as long as possible, with the capability to disrupt critical communications infrastructure between the United States and Asia during a future crisis. The campaign relies heavily on living-off-the-land techniques, stolen valid credentials and custom tools to avoid detection, which is why command-line and behavioural telemetry (such as the Sysmon data below) matters more than file-based indicators. Microsoft is raising awareness and sharing mitigation steps, emphasizing that credentials for all compromised accounts must be closed or changed.

TIMELINE

DATA

We provide attack data weekly, hoping to raise awareness of these threats through the data itself.

windows_sysmon.xml (download)

CATEGORY

Malware

References

  • https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
  • https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF
  • https://www.microsoft.com/en-us/security/blog/2018/09/27/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av/

MITRE ATT&CK

  • T1003 - OS Credential Dumping
  • T1003.003 - NTDS
  • T1016 - System Network Configuration Discovery
  • T1033 - System Owner/User Discovery
  • T1047 - Windows Management Instrumentation
  • T1059.001 - Command and Scripting Interpreter: PowerShell
  • T1059.003 - Windows Command Shell
  • T1069.001 - Local Groups
  • T1069.002 - Domain Groups
  • T1070 - Indicator Removal
  • T1070.001 - Clear Windows Event Logs
  • T1082 - System Information Discovery
  • T1090 - Proxy
  • T1090.002 - External Proxy
  • T1110 - Brute Force
  • T1110.003 - Password Spraying
  • T1190 - Exploit Public-Facing Application
  • T1505.003 - Server Software Component: Web Shell
  • T1555 - Credentials from Password Stores
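As an added worked example (not part of the original post and not Detecteam's REFLEX content), the detection logic below parses Sysmon process-creation events in the Windows event XML format, the same format as an exported Sysmon log such as the windows_sysmon.xml data file above, and maps command lines to a handful of the ATT&CK techniques tagged on this page. The events in SAMPLE are constructed for the example, and the command-line patterns (ntdsutil ifm, netsh portproxy, wmic remote process creation, wevtutil cl, net group /domain) are illustrative choices for those technique IDs; they are not taken from the linked data file or from the Microsoft and CISA advisories. Hostnames and user names are invented.

```python
"""Map Sysmon process-creation events to ATT&CK techniques tagged on this page.

Illustrative detection logic added for this page. SAMPLE is constructed, and
the command-line patterns are this example's own choices for the technique
IDs, not content of windows_sysmon.xml or of Detecteam's REFLEX platform.
"""
import re
import xml.etree.ElementTree as ET

# Windows event XML namespace used by Sysmon (and every other ETW provider).
EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}

# (technique id, short name, pattern). Each pattern anchors on the binary AND
# the argument that makes the invocation suspicious, to limit admin noise.
RULES = [
    ("T1003.003", "OS Credential Dumping: NTDS",
     re.compile(r"\bntdsutil(?:\.exe)?\b.*\bifm\b", re.I)),
    ("T1090", "Proxy (netsh portproxy)",
     re.compile(r"\bnetsh(?:\.exe)?\b.*\binterface\s+portproxy\s+add\b", re.I)),
    ("T1047", "Windows Management Instrumentation",
     re.compile(r"\bwmic(?:\.exe)?\b.*(?:\bprocess\s+call\s+create\b|/node:)", re.I)),
    ("T1070.001", "Clear Windows Event Logs",
     re.compile(r"\bwevtutil(?:\.exe)?\b.*\bcl\b|Clear-EventLog", re.I)),
    ("T1069.002", "Domain Groups",
     re.compile(r"\bnet(?:\.exe)?\s+group\b.*/domain\b", re.I)),
]

# Constructed events (hostnames and users are invented) in Windows event XML.
SAMPLE = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID><Computer>dc01.corp.example</Computer></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\ntdsutil.exe</Data>
    <Data Name="CommandLine">ntdsutil.exe "ac i ntds" ifm "create full C:\Windows\Temp\pro" q q</Data>
    <Data Name="User">CORP\svc_backup</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID><Computer>ws07.corp.example</Computer></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\PING.EXE</Data>
    <Data Name="CommandLine">ping -n 1 dc01.corp.example</Data>
    <Data Name="User">CORP\alice</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID><Computer>edge01.corp.example</Computer></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\netsh.exe</Data>
    <Data Name="CommandLine">netsh interface portproxy add v4tov4 listenport=9999 connectaddress=203.0.113.10 connectport=443</Data>
    <Data Name="User">NT AUTHORITY\SYSTEM</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>3</EventID><Computer>edge01.corp.example</Computer></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\svchost.exe</Data>
    <Data Name="DestinationIp">203.0.113.10</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID><Computer>ws07.corp.example</Computer></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\wbem\WMIC.exe</Data>
    <Data Name="CommandLine">wmic /node:"fs02.corp.example" process call create "cmd /c whoami"</Data>
    <Data Name="User">CORP\alice</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID><Computer>dc01.corp.example</Computer></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\wevtutil.exe</Data>
    <Data Name="CommandLine">wevtutil.exe cl Security</Data>
    <Data Name="User">CORP\svc_backup</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID><Computer>ws07.corp.example</Computer></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\net.exe</Data>
    <Data Name="CommandLine">net group "Domain Admins" /domain</Data>
    <Data Name="User">CORP\alice</Data>
  </EventData>
</Event>
</Events>"""


def parse_process_creates(xml_text):
    """Yield one dict per Sysmon EventID 1 (process creation) event."""
    root = ET.fromstring(xml_text)
    for ev in root.iter(f"{{{EVT_NS}}}Event"):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "1":
            continue  # network/file/registry events carry no CommandLine
        rec = {d.get("Name"): (d.text or "")
               for d in ev.findall("e:EventData/e:Data", NS)}
        rec["Computer"] = ev.findtext("e:System/e:Computer", default="", namespaces=NS)
        yield rec


def detect(xml_text):
    """Return [(technique_id, computer, user, command_line), ...] in event order."""
    hits = []
    for rec in parse_process_creates(xml_text):
        cmd = rec.get("CommandLine", "")
        for tid, _name, pat in RULES:
            if pat.search(cmd):
                hits.append((tid, rec["Computer"], rec.get("User", ""), cmd))
    return hits


if __name__ == "__main__":
    for tid, host, user, cmd in detect(SAMPLE):
        print(f"{tid:10} {host:22} {user:22} {cmd}")
```

Run stand-alone it lists five hits and skips the ping and the EventID 3 network event. The rules key on the argument that makes the binary suspicious rather than on the binary alone, which is the only way to keep living-off-the-land detections from drowning in legitimate administrator activity; in practice you would still baseline which accounts and hosts legitimately run ntdsutil or netsh portproxy and alert on deviations from that baseline.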
© 2025 Detecteam Inc. All Rights Reserved.