A large-scale persistent attack (APT) carried out by the Chinese hacker group Volt Typhoon has just been reported by the US government in conjunction with several private cybersecurity entities. It has targeted critical US infrastructures and appears to have been infiltrated since 2021.


Volt Typhoon: the context of the attack

On May 24, 2023, the NSA published an analysis of a Chinese APT targeting critical US infrastructure in the communications, transportation, construction, marine and education sectors. An attack attributed to the Volt Typhoon group. This is not the first time this group has been involved, as it is also known as Bronze Silhouette, by SecureWork.

This document describes an attack whose main objective is to spy on and exfiltrate data by the most discreet means possible.

The information-gathering process makes extensive use of LOLBin, with the aim of bypassing the execution restrictions potentially in effect on workstations and minimizing the triggering of security alerts.

To exfiltrate data to its C&C, the group used relays created following the prior compromise of SoHo (Small Office / Home Office) equipment, notably routers, firewalls or VPNs of various brands and ranges (ASUS, Cisco RV, Draytek Vigor, D-Link, FatPipe IPVPN / MPVPN / WARP, Netgear Prosafe, or Zyxel USG). This principle enables communications to be masked as far as possible.


Initial vector of the Volt Typhoon attack

The initial access to this attack was carried out on Fortinet Fortigate devices, which then enabled the malicious actors to collect authentication data from the AD to which they were attached. They then attempted to use this login information on other network devices.

No information is given concerning the vulnerabilities exploited on Fortigate devices or on the network devices used as communication relays to the control server.


Technical details of the Volt Typhoon attack

Once network access had been obtained, the Volt Typhoon / Bronze Silhouette malicious actor then heavily exploited the famous LOLBins to circumvent workstation execution restriction policies and maximize stealth.

In particular, the following binaries/commands are used (non-exhaustive list):

  • wmic process call create [...]
  • netsh interface portproxy [...]
  • netsh interface firewall [...]
  • net group [...]
  • net localgroup [...]
  • dnscmd /enumrecords
  • ipconfig
  • Get-EventLog security -instanceid 4624
  • reg query
  • reg save
  • certutil
  • makecab
  • etc.


Volt Typhoon cyberattack and Stormshield protections

Stormshield Network Security

The following IPS signature detects the exploitation of the ManageEngine vulnerability CVE-2021-40539 used by the Volt Typhoon / Bronze Silhouette malicious actor :

  • http:79 -> Directory self-reference against the vulnerability CVE-2021-40539

Confidence index of the protection offered by Stormshield

Confidence index of no false positives

Another signature is used to block a recognition attempt by the group. SSL decryption is required beforehand.

  • http:client:header:useragent.110 -> Threat actor recon activity

Confidence index of the protection offered by Stormshield

Confidence index of no false positives

The IPs used by the control servers of Bronze Silhouette, which is most likely Volt Typhoon, have been added to the reputation engine in the "malware" category.

Finally, samples of the binaries involved in the attack are detected by the Breach Fighter detonation solution.


Stormshield Endpoint Security Evolution

The following rulesets of the default policy in version 2304a or 2211b are already capable of detecting many of the process executions employed during the attack by the malicious actor:

  • Stormshield - Protection baseline
  • Stormshield - Data leak prevention
  • Stormshield - Protection against malicious usage of LOLBIN
  • Stormshield – Block-list of known dangerous applications
  • Stormshield - Advanced protections

It is therefore important to confirm that these rulesets are active and in their most recent version in the policies applied on the endpoint agents.

Confidence index of the protection offered by Stormshield

Confidence index of no false positives

A YARA analysis unit named "APT - Volt Typhoon" is also now available on the SES update server to search for traces of the attack.

Confidence index of the protection offered by Stormshield

Confidence index of no false positives



It is strongly recommended to monitor the execution of the commands used in the attack, and to limit the use of port proxies as much as possible.


Volt Typhoon attack & IOC

Volt Typhoon IOCs: find here some data around the attack.


SHA256 : f4dd44bc19c19056794d29151a5b1bb76afd502388622e24c863a8494af147dd

SHA256 : ef09b8ff86c276e9b475a6ae6b54f08ed77e09e169f7fc0872eb1d427ee27d31

SHA256 : d6ebde42457fe4b2a927ce53fc36f465f0000da931cfab9b79a36083e914ceca

SHA256 : 472ccfb865c81704562ea95870f60c08ef00bcd2ca1d7f09352398c05be5d05d

SHA256 : 66a19f7d2547a8a85cee7a62d0b6114fd31afdee090bd43f36b89470238393d7

SHA256 : 3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71

SHA256 : 41e5181b9553bbe33d91ee204fe1d2ca321ac123f9147bb475c0ed32f9488597

SHA256 : c7fee7a3ffaf0732f42d89c4399cbff219459ae04a81fc6eff7050d53bd69b99

SHA256 : 3a9d8bb85fbcfe92bae79d5ab18e4bca9eaf36cea70086e8d1ab85336c83945f

SHA256 : fe95a382b4f879830e2666473d662a24b34fccf34b6b3505ee1b62b32adafa15

SHA256 : ee8df354503a56c62719656fae71b3502acf9f87951c55ffd955feec90a11484

IPs : Volt Typhoon / Bronze Silhouette C&C : Volt Typhoon / Bronze Silhouette C&C : Volt Typhoon / Bronze Silhouette C&C

User agent

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0)               Gecko/20100101 Firefox/68.0

Share on

[juiz_sps buttons="facebook, twitter, linkedin, mail"]
Need more information about Stormshield protection? The Technical Support teams are at your disposal to help you. Contact them through the incident manager located in the MyStormshield private area. To access it, select the menu "Technical Support / Report an incident / Track an incident".
Stormshield's Threat Intelligence team has two primary missions: to study cyber threats to understand them and to continuously improve Stormshield product protections. All with the goal of contributing to the cybersecurity community's effort to address cyber threats.
About the author
Edouard Simpere Cyber Threat Intelligence Team Leader, Stormshield

With a strong appetite for dark humor, starred chefs' pastries and the Windows environment, Edouard is a cybersecurity buff, a real one. A living standard of internal mobility at Stormshield, he made his first, second and third steps around the Stormshield Endpoint Security Evolution product, as a developer, architect and technical leader. He then became head of the company's Threat Intelligence team, in charge of researching and maintaining the level of protection of all the company's products.