Full Report
U.S. intelligence say the Volt, Flax, Salt and Silk Typhoon are among the groups laying the groundwork for future conflict with the United States.
Analysis Summary
# Threat Actor: Volt Typhoon
## Attribution & Identity
- **Attribution:** China-backed government hackers.
- **Aliases/Associations:** Described as part of the "Typhoon" family of Chinese hacking groups.
## Activity Summary
- Identified by Microsoft in May 2023, reportedly operating since at least mid-2021, potentially for as long as five years.
- Engaged in concerted efforts to infiltrate deep into U.S. critical infrastructure networks.
- Focused on positioning for potentially destructive cyberattacks aimed at disrupting U.S. military mobilization capabilities in the event of a conflict (e.g., over Taiwan).
- Compromised thousands of internet-connected devices, including routers, firewalls, and VPNs, often by exploiting vulnerabilities in end-of-life equipment that no longer receives patches.
- In January 2024, the U.S. government disrupted a botnet used by Volt Typhoon, consisting of hijacked U.S.-based SOHO routers, via a court-sanctioned operation.
- By January 2025, over 100 intrusions linked to the group were discovered across the U.S. and its territories.
## Tactics, Techniques & Procedures
- **Exploitation:** Exploiting vulnerabilities in end-of-life network equipment (routers, firewalls, VPNs).
- **Persistence/Evasion:** Utilizing a botnet composed of hijacked small office/home office (SOHO) routers to mask malicious activity and its origin.
- **Technique Note:** Employing "living-off-the-land" techniques (Microsoft reference).
## Targeting
- **Sectors:** Critical infrastructure, specifically aviation, water, energy, and transportation providers. U.S. military mobilization capabilities are a key focus.
- **Geography:** United States networks and territories, with a significant number of discoveries reported in Guam.
- **Victims:** Critical infrastructure entities across the listed sectors.
## Tools & Infrastructure
- **Malware families used:** Not explicitly named; the reporting describes a botnet of hijacked routers rather than a specific malware family.
- **Infrastructure (C2, domains, IPs):** Operated a botnet composed of hijacked U.S.-based SOHO routers to hide malicious activity; it was disrupted by a court-sanctioned U.S. government operation in January 2024.
## Implications
This actor represents a shift in Chinese cyber operations from mere intelligence collection to **pre-positioning for disruptive, kinetic-support cyberwarfare**. Their deep penetration of essential critical infrastructure poses an "epoch-defining threat" capable of causing "real-world harm" and severely impeding U.S. military response capabilities during a potential conflict.
## Mitigations
- Patching and securing network perimeter devices (routers, firewalls, VPNs), paying special attention to end-of-life hardware that no longer receives updates.
- Monitoring and securing SOHO/remote office network equipment that connects to the enterprise environment.
- Deploying network segmentation and zero-trust architecture to limit lateral movement once perimeter defenses are breached.
***
# Threat Actor: Flax Typhoon
## Attribution & Identity
- **Attribution:** Chinese government hacking group.
- **Aliases/Associations:** Mentioned alongside the "Typhoon" family of groups.
## Activity Summary
- Federal authorities took control of a botnet run by the group in September 2024.
- Allegedly used a Beijing-based cybersecurity company to help conceal their activities.
- The associated cybersecurity company was sanctioned by the U.S. government in December 2024 for involvement in intrusion incidents.
## Tactics, Techniques & Procedures
- Utilizing a third-party, seemingly legitimate cybersecurity company to cloak its command and control infrastructure and activities.
## Targeting
- **Sectors:** U.S. critical infrastructure (implied, given general context).
- **Geography:** United States.
- **Victims:** Not specified beyond the general targeting of critical infrastructure.
## Tools & Infrastructure
- **Malware families used:** Not specified; the group operated a botnet that U.S. authorities seized in September 2024.
- **Infrastructure (C2, domains, IPs):** Leveraged a Beijing-based cybersecurity company for concealment.
## Implications
The use of a legitimate-appearing intermediary (a cybersecurity firm) demonstrates an advanced technique for blending in and establishing reliable infrastructure for long-term operations against high-value targets.
## Mitigations
- Scrutiny of third-party vendors, especially cybersecurity service providers, for dual-use capabilities or potential adversarial compromise.
- Enhanced network telemetry to detect external command flows originating from or routed through ostensibly legitimate third-party maintenance channels.
***
# Threat Actor: Salt Typhoon
## Attribution & Identity
- **Attribution:** New China-backed hacking group.
- **Aliases/Associations:** None explicitly stated beyond being a new China-backed entity.
## Activity Summary
- Recently appeared in the networks of U.S. phone and internet giants.
- The group is capable of gathering intelligence by compromising telecom systems.
- **Note:** The article mentions that later reporting indicated a major U.S. telecom provider confirmed its network was clear of Salt Typhoon; the timing of that confirmation is not stated.
## Tactics, Techniques & Procedures
- Compromise of telecommunications infrastructure.
- Intelligence gathering capabilities focused specifically on intercepting communications.
## Targeting
- **Sectors:** Telecommunications providers (phone and internet giants).
- **Geography:** United States.
- **Victims:** Telecom systems used for law enforcement wiretaps (implying an interest in surveillance and counter-intelligence targets).
## Tools & Infrastructure
- **Malware families used:** Not specified.
- **Infrastructure (C2, domains, IPs):** Operated within U.S. telecom systems.
## Implications
This actor focuses on undermining U.S. law enforcement and intelligence collection capabilities by targeting the backbone of U.S. communications infrastructure used for surveillance.
## Mitigations
- Enhanced security specifically for lawful intercept infrastructure and service provider core networks facilitating government monitoring.
***
# Threat Actor: Silk Typhoon (Previously Hafnium)
## Attribution & Identity
- **Attribution:** China-backed hacking group.
- **Aliases/Associations:** Previously known as **Hafnium** (active since at least 2021).
## Activity Summary
- Reappeared in December 2024 with a campaign targeting the U.S. Treasury.
- The December 2024 hack involved stealing internal documents from the Treasury’s unclassified network.
- Compromised the Treasury’s sanctions office and the Committee on Foreign Investment in the United States (CFIUS).
- In 2021 (as Hafnium), the group famously exploited vulnerabilities in self-hosted Microsoft Exchange email servers, compromising over 60,000 organizations globally.
## Tactics, Techniques & Procedures
- **Initial Access:** Utilized a stolen key from BeyondTrust (an identity access tech provider) to gain remote access to employee workstations.
- **Objective:** Primarily focused on reconnaissance and data theft (vs. destructive attacks).
- **Activity Type:** Focuses on espionage and information gathering against government entities and related civilian organizations.
## Targeting
- **Sectors:** U.S. Government (Treasury Department, including the sanctions office and CFIUS), healthcare organizations, law firms, and non-governmental organizations.
- **Geography:** United States, Australia, Japan, and Vietnam.
- **Victims:** U.S. Treasury Department (specific internal documents stolen).
## Tools & Infrastructure
- **Malware families used:** Not specified regarding the 2024 campaign, but historically known for exploiting Exchange server zero-days.
- **Infrastructure (C2, domains, IPs):** Leveraged legitimate credentials (a stolen BeyondTrust key) for access.
## Implications
Silk Typhoon remains a highly capable espionage group focused on high-value financial and regulatory data, able to sustain access by leveraging stolen enterprise credentials to bypass perimeter defenses.
## Mitigations
- Rigorous management and auditing of privileged access management (PAM) tools and software keys (e.g., BeyondTrust) to prevent credential compromise.
- Rapid patching of widely used enterprise software (like Exchange servers, based on historical activity).
- Enhanced monitoring of access into sensitive regulatory and financial services systems.