Threat Hunting Guide for Typhoon Threat Actors: A Comprehensive Handbook for Operations Teams

TL;DR
- Sophisticated TTPs: Typhoon threat actors use advanced TTPs, including Google Sheets for C2 and Cloudflare Tunnels for malware staging, making detection challenging.
- Targeted Sectors: The group primarily targets aerospace, chemicals, insurance, and manufacturing sectors, focusing on intelligence gathering.
- Spear-Phishing Campaigns: Their campaigns often involve spear-phishing emails impersonating government agencies to deliver custom malware.
- Custom Malware: The Voldemort backdoor, used by Typhoon actors, is capable of information gathering and loading additional payloads.
- Evolving Techniques: The group's TTPs continue to evolve, incorporating both common and novel methods to evade detection.
- Use of Legitimate Services: Typhoon actors leverage legitimate services like Google Sheets and Cloudflare Tunnels for malicious purposes.
- Global Targeting: Their campaigns have targeted organizations worldwide, with a particular focus on the US and Taiwan.
- Living off the land: Typhoon actors employ "living-off-the-land" (LOTL) techniques, leveraging legitimate system tools like PowerShell, Windows Management Instrumentation (WMI), and Remote Desktop Protocol (RDP) for malicious purposes.
- Encrypted Comms: Typhoon actors frequently rely on encrypted communications and inconspicuous outbound connections to maintain persistence and avoid detection.
- EDR: EDR solutions provide comprehensive visibility into endpoint activities, enabling organizations to detect, investigate, and respond to suspicious behaviors.
- Credential Theft: Credential theft is a cornerstone of Typhoon's strategy, enabling lateral movement and persistent access within networks.
- Audits: Routine audits identify vulnerabilities, misconfigurations, and outdated practices, helping organizations stay ahead of threat actors.
- Your Users: Users remain a critical line of defense against phishing, social engineering, and other common attack vectors.
Research Summary
The "Typhoon" threat actors, also known as TA415, APT41, and Brass Typhoon, are a sophisticated China-aligned group primarily engaged in cyber espionage. Their campaigns have targeted various sectors, including aerospace, chemicals, insurance, and manufacturing, with a particular focus on intelligence gathering. The group's tactics, techniques, and procedures (TTPs) are highly advanced, incorporating both common and novel methods for command and control (C2), such as the use of Google Sheets and Cloudflare Tunnels. This report provides a comprehensive threat hunting guide focused on "Typhoon" threat actors, detailing their TTPs and offering recommended strategies for detection and mitigation.
Advanced TTPs and Campaigns
Typhoon threat actors have been active for several years, with their activities becoming more prominent and sophisticated over time. Their campaigns often involve spear-phishing emails that impersonate government agencies and other trusted entities to deliver custom malware, such as the Voldemort backdoor. This malware is capable of information gathering and can load additional payloads, making it a versatile tool for espionage. The group's use of Google Sheets for C2 and Cloudflare Tunnels for malware staging highlights their ability to leverage legitimate services for malicious purposes, complicating detection and mitigation efforts.
Detection and Mitigation Strategies
Detection and mitigation strategies for Typhoon threat actors should focus on monitoring and blocking suspicious network activity, particularly involving external file-sharing services and unusual C2 channels. Implementing robust email security measures to detect and block spear-phishing attempts is also crucial. Additionally, organizations should regularly update their security policies and conduct employee training to raise awareness about the latest phishing tactics and techniques used by these threat actors.
Evolving Threat Landscape
The latest intelligence on Typhoon threat actors indicates that they continue to evolve their TTPs, making it essential for cybersecurity professionals to stay informed about their activities. This report includes actionable insights and recommendations to help organizations detect and mitigate threats from Typhoon actors effectively. By understanding their TTPs and implementing the recommended strategies, organizations can enhance their security posture and reduce the risk of successful attacks.
Attribution
Historical Context
Typhoon threat actors, also known as TA415, APT41, and Brass Typhoon, are a China-aligned group engaged in cyber espionage. Their activities have been observed for several years, with a focus on intelligence gathering and targeting critical sectors.
Timeline
- 2012: Initial activities observed.
- 2020: Additional activities observed, primarily targeting aerospace and manufacturing sectors.
- 2022: Increased sophistication in TTPs, including the use of Google Sheets for C2.
- 2024: Recent campaigns involving the Voldemort backdoor and Cloudflare Tunnels for malware staging.
Origin
Typhoon threat actors are attributed to China, with a focus on cyber espionage activities aligned with Chinese state interests.
Countries Targeted
- United States: Frequent target, particularly in aerospace and manufacturing sectors.
- Taiwan: Targeted for its strategic importance in technology and manufacturing.
- Germany: Targeted for its advanced industrial sector.
- Japan: Targeted for its technological advancements.
- India: Targeted for its growing technological and industrial capabilities.
Sectors Targeted
- Aerospace: High-value target for intelligence gathering.
- Chemicals: Targeted for industrial espionage.
- Insurance: Targeted for sensitive data.
- Manufacturing: Targeted for industrial secrets.
- Transportation: Targeted for logistical information.
Motivation
The primary motivation of Typhoon threat actors is intelligence gathering to support Chinese state interests. Their activities are aligned with espionage rather than financial gain.
Attack Types
- Spear-Phishing: Used to deliver custom malware.
- Malware Deployment: Custom backdoors like Voldemort for information gathering.
- C2 Channels: Use of Google Sheets and Cloudflare Tunnels for command and control.
Known Aliases
- TA415
- APT41
- Brass Typhoon
Similar Threat Actor Groups
- APT10
  - Origin and Attribution: China-aligned, focused on cyber espionage and targeting similar sectors.
  - Relationship: Similar TTPs and targeted sectors; similar focus on cyber espionage and use of advanced TTPs.
- APT31
  - Origin and Attribution: China-aligned, focused on cyber espionage.
  - Relationship: Overlapping targets and techniques.
Forecast
Short-Term Forecast (3-6 months)
- Increased Use of Legitimate Services for C2 and Malware Staging
  - Typhoon threat actors will continue to leverage legitimate services like Google Sheets and Cloudflare Tunnels for command and control (C2) and malware staging. This trend complicates detection and mitigation efforts as these services are commonly used in legitimate business operations.
  - Detailed analysis: The use of Google Sheets and Cloudflare Tunnels by Typhoon actors has been observed in recent campaigns, making it difficult for traditional security measures to detect malicious activity. This tactic is likely to persist as it provides a stealthy and effective means of communication and data exfiltration.
  - Examples and references: Proofpoint Blog, AttackIQ Response
- Targeted Spear-Phishing Campaigns
  - Typhoon threat actors will intensify their spear-phishing campaigns, particularly targeting sectors such as aerospace, chemicals, insurance, and manufacturing. These campaigns will likely involve impersonation of government agencies and other trusted entities to deliver custom malware.
  - Detailed analysis: Spear-phishing remains a highly effective initial attack vector for Typhoon actors. By impersonating trusted entities, they can bypass initial security defenses and deliver malware like the Voldemort backdoor, which is capable of information gathering and loading additional payloads.
  - Examples and references: Proofpoint Blog, QuoIntelligence Report
Long-Term Forecast (12-24 months)
- Evolution of TTPs to Evade Detection
  - Typhoon threat actors will continue to evolve their tactics, techniques, and procedures (TTPs) to evade detection. This evolution will likely include the adoption of new and less common methods for C2 and malware deployment.
  - Detailed analysis: As cybersecurity defenses improve, Typhoon actors will adapt by developing and employing more sophisticated TTPs. This may involve the use of novel C2 channels, advanced obfuscation techniques, and the exploitation of emerging technologies.
  - Examples and references: ENISA Threat Landscape 2024
- Increased Targeting of Critical Infrastructure
  - Typhoon threat actors will likely expand their targeting to include critical infrastructure sectors such as energy and transportation. This shift will be driven by the strategic importance of these sectors and the potential for significant disruption.
  - Detailed analysis: The focus on critical infrastructure aligns with the strategic objectives of state-sponsored cyber espionage groups. By targeting these sectors, Typhoon actors can gather valuable intelligence and potentially disrupt operations, thereby advancing their geopolitical goals.
  - Examples and references: AttackIQ Response, Security Affairs
Further Research
Breaches and Case Studies
- Voldemort Campaign - August 2024
  - Proofpoint Blog
  - Description: Campaign delivering the Voldemort backdoor, targeting aerospace and manufacturing sectors.
  - Actionable Takeaways: Monitor for Google Sheets and Cloudflare Tunnel activity, implement robust email security measures.
- Cloudflare Tunnel Exploitation - May 2023
  - AttackIQ Response
  - Description: Use of Cloudflare Tunnels for malware staging.
  - Actionable Takeaways: Block network connections to TryCloudflare, monitor for unusual C2 channels.
Followup Research Questions
- What new TTPs have Typhoon threat actors adopted in the past six months?
- How effective are current detection and mitigation strategies against Typhoon threat actors?
- What are the latest developments in the use of legitimate services for malicious purposes by Typhoon actors?
- How can organizations enhance their email security to better detect and block spear-phishing attempts?
Recommendations, Actions and Next Steps
- Implement Robust Email Security Measures
  - Deploy advanced email filtering solutions to detect and block spear-phishing attempts.
  - Conduct regular employee training on recognizing phishing emails.
  - Use multi-factor authentication (MFA) to protect email accounts.
- Monitor and Block Suspicious Network Activity
  - Implement network monitoring tools to detect unusual C2 channels, such as Google Sheets and Cloudflare Tunnels.
  - Block access to external file-sharing services unless explicitly required for business purposes.
  - Set up alerts for the use of search-ms URIs and suspicious follow-on activity.
- Regularly Update Security Policies
  - Review and update security policies to address the latest TTPs used by Typhoon threat actors.
  - Ensure that security policies include guidelines for the use of legitimate services that could be exploited for malicious purposes.
- Conduct Threat Hunting Exercises
  - Perform regular threat hunting exercises to identify potential indicators of compromise (IOCs) related to Typhoon threat actors.
  - Use the latest threat intelligence to inform threat hunting activities and focus on high-risk areas.
- Collaborate with Industry Partners
  - Share threat intelligence and collaborate with industry partners to stay informed about the latest activities of Typhoon threat actors.
  - Participate in information-sharing initiatives to enhance collective defense against sophisticated threat actors.
Threat Hunting Guide
Monitor for Anomalous Use of Legitimate Tools
Typhoon actors employ "living-off-the-land" (LOTL) techniques, leveraging legitimate system tools like PowerShell, Windows Management Instrumentation (WMI), and Remote Desktop Protocol (RDP) for malicious purposes. By blending in with normal operations, these activities evade traditional detection methods.
Operational Guidance:
- Baseline Establishment:
  - Document routine use of tools like PowerShell and WMI across your environment.
  - Identify common administrative command-line arguments and execution patterns to detect anomalies.
- Behavioral Monitoring:
  - Use tools like Sysmon to capture detailed execution logs and alert on suspicious behavior (e.g., PowerShell scripts connecting to external IPs).
  - Track unusual processes, like unexpected child processes spawned by system tools.
- Detection Mechanisms:
  - Implement endpoint monitoring solutions to flag abnormal activities, such as PowerShell initiating outbound connections or WMI accessing sensitive directories.
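The three guidance points above (baseline, child-process monitoring, scripting hosts reaching the internet) as hunting logic over Sysmon-style events. This is an added example, not code from the original report; the baseline set, the tool lists, the internal ranges and the sample events are all constructed assumptions to tune for your own environment.

```python
"""Hunt for anomalous use of legitimate Windows tools in Sysmon-style events.

Added example, not from the original report. Events are constructed inline in
the flattened dict form a SIEM returns, with Sysmon Event ID 1 (process
create) and Event ID 3 (network connection) field names.
"""
import ipaddress

# Baseline of command lines documented as routine administration (constructed
# here; build yours from real data and match on normalised patterns, not exact strings).
BASELINE_CMDLINES = {
    "powershell.exe -File C:\\Scripts\\nightly-backup.ps1",
    "wmic.exe os get lastbootuptime",
}
# Tools that rarely need unbaselined arguments or their own internet access,
# and the child processes each one is expected to spawn.
LOLBINS = {"powershell.exe", "wmic.exe", "wmiprvse.exe", "mshta.exe", "rundll32.exe"}
EXPECTED_CHILDREN = {"wmiprvse.exe": {"conhost.exe"}, "powershell.exe": {"conhost.exe"}}
# Ranges treated as internal (RFC 1918 plus loopback/link-local); add VPN/cloud ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def _basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_external(ip):
    """True when the address is outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def hunt(events):
    """Return (rule, host, evidence) findings for a list of Sysmon-style events."""
    findings = []
    for e in events:
        image = _basename(e.get("Image", ""))
        if e["EventID"] == 1:
            cmd, parent = e.get("CommandLine", ""), _basename(e.get("ParentImage", ""))
            # Rule 1: a LOLBin ran with a command line outside the documented baseline.
            if image in LOLBINS and cmd not in BASELINE_CMDLINES:
                findings.append(("lolbin-unbaselined-cmdline", e["Computer"], cmd))
            # Rule 2: a system tool spawned a child it normally never does (e.g. WMI -> cmd).
            if parent in EXPECTED_CHILDREN and image not in EXPECTED_CHILDREN[parent]:
                findings.append(("unexpected-child", e["Computer"], f"{parent} -> {image}"))
        elif e["EventID"] == 3:
            # Rule 3: a scripting host opened a connection to an external address.
            if image in LOLBINS and is_external(e["DestinationIp"]):
                dest = f"{image} -> {e['DestinationIp']}:{e['DestinationPort']}"
                findings.append(("lolbin-outbound", e["Computer"], dest))
    return findings


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [  # constructed sample events, not real telemetry
    {"EventID": 1, "Computer": "WS01", "Image": PS, "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "powershell.exe -File C:\\Scripts\\nightly-backup.ps1"},
    {"EventID": 1, "Computer": "WS02", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "Computer": "WS03", "Image": "C:\\Windows\\System32\\wbem\\wmic.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "wmic.exe nicconfig get ipaddress"},
    {"EventID": 3, "Computer": "WS01", "Image": PS, "DestinationIp": "10.0.0.5", "DestinationPort": 5985},
    {"EventID": 3, "Computer": "WS02", "Image": PS, "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]
```

Running `hunt(SAMPLE_EVENTS)` yields three findings: the shell spawned by WmiPrvSE, the unbaselined wmic invocation, and PowerShell connecting to an external address; the baselined backup script and the internal WinRM connection stay silent.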
Real-Life Example:
Volt Typhoon was observed using LOTL techniques to target U.S. critical infrastructure by blending malicious activities with normal system behavior. This allowed them to bypass traditional security controls undetected.
Analogous Threat Actors:
APT29 (Cozy Bear), during the SolarWinds attack, used similar methods, exploiting legitimate administrative tools to move laterally within victim networks.
Recognize Indicators of Compromise (IOCs)
Identifying Indicators of Compromise (IOCs) is crucial for detecting and mitigating threats from actors like Typhoon. IOCs encompass both behavioral patterns and tangible artifacts that signal potential security breaches.
Behavioral Indicators:
- Unusual Use of System Tools:
  - Execution of native utilities such as `netsh`, `wmic`, and `PowerShell` with atypical parameters or in unexpected contexts.
  - Creation of volume shadow copies using commands like `vssadmin create shadow /for=C:` to access sensitive files.
- Credential Access Attempts:
  - Extraction of the Active Directory database file (`NTDS.dit`) and the `SYSTEM` registry hive, indicating attempts to obtain hashed passwords for offline cracking.
- Lateral Movement:
  - Use of Remote Desktop Protocol (RDP) sessions initiated from unexpected sources or accounts.
  - Deployment of Fast Reverse Proxy (FRP) clients to establish covert communication channels.
Hard Artifacts:
- Malicious Executables:
  - Presence of custom Fast Reverse Proxy (FRP) executables with specific SHA-256 hashes, such as `baeffeb5fdef2f42a752c65c2d2a52e84fb57efc906d981f89dd518c314e231c`.
- Modified System Files:
  - Alterations in system binaries or configuration files, including unauthorized changes to `netsh` configurations for port forwarding.
- Suspicious Log Entries:
  - Selective clearing of Windows Event Logs, particularly security logs, to obscure malicious activities.
  - Creation of log files like `rult3uil.log` in system directories, containing records of user activities.
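The behavioral indicators and hard artifacts above, turned into matching rules over endpoint events. This is an added example, not code from the original report: only the FRP SHA-256 is taken from the report; the rule names, the regular expressions, the event field names (Sysmon Event IDs 1 and 11, Windows Security Event ID 1102) and the sample events are constructed for illustration.

```python
"""Match endpoint events against the Typhoon indicators listed above: shadow
copy creation, NTDS.dit / SYSTEM hive access, netsh port-forwarding changes,
event-log clearing, the rult3uil.log artifact and the FRP SHA-256.

Added example, not from the original report. Only the FRP hash is taken from
the report; rule names, regexes and the sample events are constructed.
"""
import re

FRP_SHA256 = {"baeffeb5fdef2f42a752c65c2d2a52e84fb57efc906d981f89dd518c314e231c"}

# Command-line patterns for the behavioural indicators (Sysmon Event ID 1).
CMDLINE_RULES = [
    ("shadow-copy-create", re.compile(r"vssadmin(\.exe)?\s+create\s+shadow", re.I)),
    ("ntds-or-system-hive-access", re.compile(r"ntds\.dit|hklm\\system\b", re.I)),
    ("netsh-portproxy-change", re.compile(r"netsh(\.exe)?\s+interface\s+portproxy\s+(add|set)", re.I)),
    ("eventlog-clear", re.compile(r"wevtutil(\.exe)?\s+cl\b|clear-eventlog", re.I)),
]


def sha256_from_sysmon(hashes_field):
    """Pull the SHA256 value out of Sysmon's 'MD5=..,SHA256=..' Hashes field."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def match_event(e):
    """Return [(rule, evidence)] for one event; empty when nothing matches."""
    hits = []
    eid = e.get("EventID")
    if eid == 1:  # Sysmon process create
        cmd = e.get("CommandLine", "")
        hits += [(name, cmd) for name, rx in CMDLINE_RULES if rx.search(cmd)]
        digest = sha256_from_sysmon(e.get("Hashes", ""))
        if digest in FRP_SHA256:
            hits.append(("known-frp-binary", digest))
    elif eid == 11:  # Sysmon file create
        if e.get("TargetFilename", "").lower().endswith("rult3uil.log"):
            hits.append(("suspicious-log-artifact", e["TargetFilename"]))
    elif eid == 1102:  # Windows Security: the audit log was cleared
        hits.append(("security-log-cleared", e.get("SubjectUserName", "unknown")))
    return hits


def hunt(events):
    """Return (rule, host, evidence) for every indicator hit across the events."""
    return [(rule, e["Computer"], ev) for e in events for rule, ev in match_event(e)]


SAMPLE_EVENTS = [  # constructed sample events, not real telemetry
    {"EventID": 1, "Computer": "DC01", "CommandLine": "vssadmin create shadow /for=C:", "Hashes": "SHA256=" + "0" * 64},
    {"EventID": 1, "Computer": "DC01", "CommandLine": "cmd.exe /c copy C:\\Windows\\NTDS\\ntds.dit C:\\Temp\\", "Hashes": ""},
    {"EventID": 1, "Computer": "WS07", "CommandLine": "netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.9", "Hashes": ""},
    {"EventID": 1, "Computer": "WS07", "CommandLine": "C:\\ProgramData\\svc.exe", "Hashes": "MD5=" + "1" * 32 + ",SHA256=" + next(iter(FRP_SHA256))},
    {"EventID": 11, "Computer": "WS07", "TargetFilename": "C:\\Windows\\System32\\rult3uil.log"},
    {"EventID": 1102, "Computer": "DC01", "SubjectUserName": "svc_backup"},
    {"EventID": 1, "Computer": "WS01", "CommandLine": "notepad.exe C:\\Users\\alice\\notes.txt", "Hashes": "SHA256=" + "2" * 64},
]
```

Hash matching catches only the exact FRP build listed above, so treat the command-line and log-clearing rules as the durable part of this hunt and the hash as a confirmation signal.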
Analyze Network Traffic
Monitoring network traffic is critical for identifying stealthy activities. Typhoon actors frequently rely on encrypted communications and inconspicuous outbound connections to maintain persistence and avoid detection.
Operational Guidance:
- Network Traffic Analysis Tools:
  - Deploy tools like Zeek, Suricata, and Wireshark for traffic monitoring.
  - Integrate findings into Security Information and Event Management (SIEM) systems for anomaly correlation.
- Decryption Capabilities:
  - Enable TLS/SSL inspection where feasible to analyze encrypted traffic.
  - Focus on high-risk traffic patterns, such as outbound connections to uncommon IP addresses or domains.
- Command-and-Control (C2) Detection:
  - Watch for beaconing patterns, where systems regularly "call home" to external servers.
  - Maintain and update blacklists of known malicious domains and IPs.
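The beaconing check above as working code over Zeek-style connection records. Regularity of inter-connection gaps does not depend on the destination's reputation, which matters when C2 rides on a trusted service such as Google Sheets. This is an added example, not code from the original report; the record shape, the thresholds and the sample connections are constructed assumptions.

```python
"""Surface beaconing in connection logs: a (source, destination, port) triple
whose connections recur at near-constant intervals.

Added example, not from the original report. Records are constructed in a
simplified Zeek conn.log shape (ts, id.orig_h, id.resp_h, id.resp_p); the
thresholds are assumptions to tune against your own traffic.
"""
from collections import defaultdict
from statistics import mean, pstdev

MIN_CONNECTIONS = 6      # fewer samples say little about periodicity
MAX_JITTER_RATIO = 0.15  # pstdev(gaps) / mean(gaps); low means a regular "call home"


def beacon_candidates(conns, min_conns=MIN_CONNECTIONS, max_jitter=MAX_JITTER_RATIO):
    """Return (orig, resp, port, count, mean_gap_s, jitter_ratio) for regular triples."""
    by_triple = defaultdict(list)
    for c in conns:
        by_triple[(c["id.orig_h"], c["id.resp_h"], c["id.resp_p"])].append(c["ts"])
    found = []
    for (orig, resp, port), stamps in by_triple.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:  # identical timestamps: a burst, not a beacon
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            found.append((orig, resp, port, len(stamps), round(avg, 1), round(jitter, 3)))
    return found


BASE = 1_700_000_000.0  # constructed epoch base for the sample
SAMPLE_CONNS = (
    # Host that checks in every ~300 s with a few seconds of jitter.
    [{"ts": BASE + i * 300 + j, "id.orig_h": "10.0.0.23", "id.resp_h": "203.0.113.50", "id.resp_p": 443}
     for i, j in enumerate([0, 3, -2, 5, -4, 1, 2, -1])]
    # Host browsing the web: irregular gaps to the same server.
    + [{"ts": BASE + t, "id.orig_h": "10.0.0.31", "id.resp_h": "198.51.100.7", "id.resp_p": 443}
       for t in [0, 5, 125, 128, 528, 588, 1488, 1500]]
)

if __name__ == "__main__":
    for orig, resp, port, n, gap, jitter in beacon_candidates(SAMPLE_CONNS):
        print(f"{orig} -> {resp}:{port}: {n} connections every ~{gap}s (jitter {jitter})")
```

Software updaters and monitoring agents beacon too, so pair this with an allow-list of known agent destinations and review what remains rather than alerting on every regular triple.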
Real-Life Example:
During the SolarWinds attack, encrypted C2 communications enabled attackers to exfiltrate data stealthily. Only through traffic anomaly analysis were some victims able to identify unusual patterns.
Analogous Threat Actors:
The Lazarus Group has similarly relied on encrypted channels to exfiltrate stolen funds from financial institutions, underscoring the importance of robust network monitoring.
Implement Endpoint Detection and Response (EDR)
EDR solutions provide comprehensive visibility into endpoint activities, enabling organizations to detect, investigate, and respond to suspicious behaviors.
Operational Guidance:
- EDR Selection:
  - Choose platforms like CrowdStrike, SentinelOne, or Carbon Black, which excel in detecting LOTL techniques.
- Configuration and Tuning:
  - Regularly update EDR detection rules with Typhoon-specific Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs).
- Use Case Examples:
  - Detect privilege escalation by monitoring processes like `cmd.exe` being launched with administrative arguments.
  - Track lateral movement by flagging unusual RDP sessions or abnormal file-sharing activities.
Real-Life Example:
Organizations equipped with EDR during the 2017 NotPetya ransomware outbreak were able to quickly isolate affected endpoints and prevent further spread.
Analogous Threat Actors:
FIN7 has demonstrated the importance of EDR by exploiting unmonitored endpoints to deploy malware and steal sensitive data.
Strengthen Credential Management
Credential theft is a cornerstone of Typhoon’s strategy, enabling lateral movement and persistent access within networks.
Operational Guidance:
- Multi-Factor Authentication (MFA):
  - Enforce MFA on all remote access points, especially for privileged accounts.
  - Use methods such as time-based one-time passwords (TOTP) for additional security.
- Credential Rotation:
  - Implement automatic password rotation policies for service and administrative accounts.
  - Use centralized credential management tools like HashiCorp Vault.
- Regular Account Audits:
  - Review and deactivate unused accounts.
  - Investigate logins from unusual locations, devices, or times.
Real-Life Example:
In the Sony Pictures hack, stolen credentials were a key enabler for the attackers, allowing them to exfiltrate massive amounts of sensitive data.
Analogous Threat Actors:
APT28 has exploited weak password policies and lack of MFA to gain initial access and execute large-scale espionage campaigns.
Conduct Regular Security Audits
Routine audits identify vulnerabilities, misconfigurations, and outdated practices, helping organizations stay ahead of threat actors.
Operational Guidance:
- Audit Frameworks:
  - Use established standards like the NIST Cybersecurity Framework (CSF) or CIS Controls as a foundation.
  - Conduct tabletop exercises to simulate real-world scenarios and test response readiness.
- Patch Management:
  - Centralize patch deployment using tools like SCCM or third-party platforms.
  - Prioritize critical patches, particularly for vulnerabilities in widely used software.
- Penetration Testing:
  - Engage red teams to simulate advanced persistent threat (APT) scenarios.
  - Use penetration test findings to refine detection mechanisms and close gaps.
Real-Life Example:
The WannaCry ransomware outbreak exploited a well-known SMB vulnerability (MS17-010). Organizations that patched proactively avoided widespread disruptions.
Analogous Threat Actors:
The Conti ransomware gang has exploited unpatched VPN vulnerabilities, emphasizing the importance of regular audits.
Enhance User Awareness
Users remain a critical line of defense against phishing, social engineering, and other common attack vectors.
Operational Guidance:
- Training Programs:
  - Implement phishing simulations and provide immediate feedback to employees.
  - Conduct workshops showcasing real-world examples of social engineering and phishing campaigns.
- Quick Reporting Mechanisms:
  - Create simple reporting tools, such as a "Report Phishing" button in email clients.
  - Incentivize proactive reporting by recognizing employees who identify real threats.
Real-Life Example:
The 2016 DNC breach was facilitated by a successful phishing campaign. Awareness training could have mitigated the risk by enabling users to identify the malicious email.
Analogous Threat Actors:
Emotet’s success as a malware delivery platform is largely due to its effective phishing campaigns, underscoring the need for continuous user education.
APPENDIX
References
- Proofpoint Blog
- QuoIntelligence Report
- AttackIQ Response
- Microsoft Security Blog: Volt Typhoon Targets U.S. Critical Infrastructure with Living-off-the-Land Techniques
- HackerOne: Advanced Persistent Threats - Attack Stages, Examples, and Mitigation
- CISA Known Exploited Vulnerabilities Catalog
- SolarWinds Attack Analysis
- NotPetya Analysis: Lessons Learned
- MITRE ATT&CK Group - APT41
- HHS CyberSecurity Program - 2019
- Google - APT41 dual threat
MITRE ATT&CK TTPs
- T1071.001 - Application Layer Protocol: Web Protocols
- T1105 - Ingress Tool Transfer
- T1566.001 - Phishing: Spearphishing Attachment
- T1078 - Valid Accounts
- T1059.001 - Command and Scripting Interpreter: PowerShell
MITRE ATT&CK Mitigations
- M1030 - Network Segmentation
- M1041 - Network Intrusion Prevention
- M1021 - Restrict Web-Based Content
- M1054 - Software Configuration
- M1017 - User Training
AlphaHunt
This baseline report was thoughtfully researched and took 5 minutes. It's meant to be a rough draft for you to enhance with the unique insights that make you an invaluable analyst. We just did the initial grunt work.
(c) 2024 CSIRT Gadgets, LLC
License - CC BY-SA 4.0