Other
CISA Advisory AA24-038A / Microsoft Security Blog
Primary Source
Incident Details
Chinese state-sponsored group Volt Typhoon (also tracked as Bronze Silhouette), active since mid-2021, has targeted US critical infrastructure sectors including communications, energy, transportation, and water/wastewater. The group relies on "living off the land" (LOTL) techniques, using built-in Windows tools (wmic, ntdsutil, netsh, PowerShell) rather than custom malware in order to blend in with normal administrative activity and evade detection. It is assessed to be pre-positioning in IT networks to enable potential disruptive or destructive attacks in the event of a US-China conflict. CISA, NSA, and FBI published a joint advisory on Feb 7, 2024. Activity has been observed in Guam and the continental US; targets include telecoms, utilities, and ports.
Technical Details
- Initial Attack Vector
- CWE-77: Command Injection; exploitation of internet-facing SOHO routers and VPN devices to establish initial footholds
- Vendor / Product
- Cisco routers / Fortinet VPN / various SOHO network devices
- CVE / GHSA References
- CVE-2021-40539, CVE-2021-27860
Timeline
- 2021-06-01 Breach occurred
- 2024-02-07 Publicly disclosed
- unknown Customers notified