BlackBerry Blog

BlackBerry Protects You From Volt Typhoon

Volt Typhoon — an alleged state-sponsored threat actor based in China that specializes in espionage and information gathering — is undertaking actions that threat researchers believe may someday be used to disrupt critical infrastructure in the United States and Asia.

Profiled in the latest BlackBerry Global Threat Intelligence Report, the group is known to achieve initial access through remote and hybrid employee devices to reach targeted organizations. Volt Typhoon exploits internet-connected small office/home office (SOHO) devices that often expose HTTP or SSH (Secure Shell) management interfaces to the internet.

The threat actor attempts to abuse any privileges afforded by a device, extracts credentials to a Microsoft® Active Directory® account used by a compromised device, and then attempts to authenticate to other devices on the network with those same credentials.

Volt Typhoon then attempts to establish persistent command-and-control by dumping the memory of the Local Security Authority Subsystem Service (LSASS) process. This Microsoft Windows® OS (operating system) process is responsible for enforcing the Microsoft security policies on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. It also writes to the Windows security log. Dumping this process allows for credential exfiltration.

Once Volt Typhoon gains access to a target environment, the threat actor begins conducting hands-on-keyboard activity via the command line interface. It is important to note that Volt Typhoon rarely uses malware to achieve its nefarious objectives. Instead, the actor relies on living-off-the-land commands to find sensitive information on the system, discover additional devices on the network, and exfiltrate data.

LSASS Abuse Common in Windows-Based Security Attacks

Microsoft acknowledges that attacks frequently target the LSASS (local security authority subsystem service) process memory because it can store both a current user’s OS credentials and also a domain administrator’s. Dumping LSASS credentials is important for attackers because if they successfully dump domain passwords, they can, for example, begin using legitimate tools such as PsExec or Windows Management Instrumentation (WMI) to move laterally across the network and exfiltrate additional data. They can also use techniques like pass-the-hash for lateral movement if they manage to obtain the password hashes.

This attack targeting operating system processes highlights the importance of decoupling operating systems and security tools to encourage a strong and diversified security posture.

BlackBerry Protects Customers Against Volt Typhoon

BlackBerry has tested all known versions of Volt Typhoon’s custom proxy tool and confirmed they are convicted by BlackBerry’s Cylance AI. To provide defense in depth, BlackBerry recommends the following actions be taken using its CylancePROTECT solution:

  • Activate Memory Protection for LSASS Reads (Memory Actions – Escalation – LSASS Reads)
  • Enable Script Control with PowerShell set to Block.

In addition, BlackBerry recommends activating the following CylanceOPTICS rules:

  • Account Discovery (MITRE), Official
    • This detects the use of account discovery probe techniques and methods present in ‘net.exe’ and WMI.
  • Account Discovery - Windows (MITRE), Official
    • Indicates that the ‘net’ command or the ‘EnumerateAdmins’ key is being used to discover accounts.
  • Netsh DLL Persistence, Official
    • Netsh can be used as a proxy for persistence, for firewall control, pivoting and sniffing, and as a wireless backdoor.
  • Win Credential Theft MITRE T1003
    • This detects a variety of techniques used for credential theft.
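The LSASS-read and account-discovery behaviours described above can be expressed as simple rules over endpoint telemetry. The following is an added illustration, not BlackBerry's or CylanceOPTICS's rule logic: it runs three such rules over constructed Sysmon-style records (ProcessAccess and ProcessCreate), and the allowlist of processes that legitimately open lsass.exe is an assumption to be tuned per environment.

```python
import re
# Constructed Sysmon-style records (sample values, not real telemetry):
# id 10 = ProcessAccess, id 1 = ProcessCreate.
SAMPLE_EVENTS = [
    {"id": 10, "source": r"C:\Windows\System32\csrss.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": "0x1410"},
    {"id": 10, "source": r"C:\Users\jdoe\AppData\Local\Temp\proc.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": "0x1fffff"},
    {"id": 1, "image": r"C:\Windows\System32\net.exe",
     "cmd": 'net group "domain admins" /domain'},
    {"id": 1, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": "wmic useraccount get name,sid"},
    {"id": 1, "image": r"C:\Windows\System32\netsh.exe",
     "cmd": r"netsh add helper C:\Temp\helper.dll"},
    {"id": 1, "image": r"C:\Windows\System32\net.exe",
     "cmd": r"net use Z: \\fs01\share"},
]
PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory
# Example allowlist (an assumption): images that routinely open lsass.exe.
LSASS_READERS_OK = {"csrss.exe", "wininit.exe", "msmpeng.exe"}
ACCOUNT_DISCOVERY = [
    re.compile(r"\bnet1?\s+(user|group|localgroup)\b.*(/domain|admin)", re.I),
    re.compile(r"\bwmic\b.*\b(useraccount|group)\b", re.I),
]
NETSH_HELPER = re.compile(r"\bnetsh\b.*\badd\s+helper\b", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def suspicious_lsass_read(ev):
    """ProcessAccess on lsass.exe with VM_READ from a non-allowlisted image."""
    if ev.get("id") != 10 or basename(ev["target"]) != "lsass.exe":
        return False
    if basename(ev["source"]) in LSASS_READERS_OK:
        return False
    return bool(int(ev["access"], 16) & PROCESS_VM_READ)

def classify(ev):
    # Name of the first rule the event trips, or None if it is benign.
    if suspicious_lsass_read(ev):
        return "LSASS Read"
    cmd = ev.get("cmd", "")
    if any(p.search(cmd) for p in ACCOUNT_DISCOVERY):
        return "Account Discovery"
    if NETSH_HELPER.search(cmd):
        return "Netsh DLL Persistence"
    return None

def run_rules(events):
    # (rule, image, command) for every event that matches a rule.
    return [(classify(ev), ev.get("source") or ev.get("image"), ev.get("cmd", ""))
            for ev in events if classify(ev)]
```

The allowlisted csrss.exe read and the plain "net use" mapping are left unflagged, which is the kind of tuning that keeps an LSASS-read rule actionable rather than noisy.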

BlackBerry UEM Secures Home and Office Employee Devices

BlackBerry’s patented elliptic curve cryptography technology, found in BlackBerry® Unified Endpoint Manager, keeps work data safe from exfiltration, on desktop and mobile devices, via the BlackBerry Dynamics® container. BlackBerry UEM has a record number of security certifications and is trusted by the world’s most security-conscious organizations, including 17 of the G20 governments, many of the largest banks, and more.

BlackBerry Secures Microsoft 365

BlackBerry provides enhanced integrations between UEM and Microsoft 365, so enterprises can benefit from BlackBerry’s mature security solutions while using Microsoft’s productivity products. BlackBerry’s enablement of Microsoft 365 amplifies productivity potential and empowers enterprises with the standard for secure productivity.

Help Responding to Volt Typhoon

If you are looking for protection against cyberattacks that lets you sleep well at night, please contact BlackBerry. The team works with organizations of every size and across any vertical, to evaluate and enhance your endpoint security posture and proactively maintain the security, integrity, and resilience of your network infrastructure.

For emergency assistance, please email us at DLIR@blackberry.com, or use the hand-raiser form.


Noah Campbell

About Noah Campbell

Noah Campbell was previously a Senior Elite Technical Marketing Specialist at BlackBerry.