Since mid-January 2024, security firm Trellix has detected more than 7,100 malicious activities associated with China state-sponsored advanced persistent threat (APT) group Volt Typhoon.

Volt Typhoon is relatively new and concentrated in their activity, and how they target their victims is unusual.

They target critical infrastructure in the pre-attack phase with the intent to prepare for a disruptive attack rather than intelligence gathering, which is the typical strategy of threat groups aligned with the People’s Republic of China (PRC).

Their tactics, techniques and procedures (TTPs) rely heavily on leveraging legitimate software tools (living-off-the-land binaries, or Lolbins) to try to stay undetected.

A Rise in Presidential Election-Themed Scams

The observed threats also include a rise in U.S. presidential election-themed scams including donation and taxation phishing.

Trellix reported more than 21 million detections of China-linked APT activities, with more than 22% targeting the government sector worldwide.

Casey Ellis, founder and chief strategy officer at Bugcrowd, explained China has been building broad, tactically useful persistence since 2020.

This involves “getting a shell in as many places as possible, just in case they need to use it later.” 

“Prior to this, most APT behavior, including that of the Chinese, relied on selective targeting for stealth,”  he said.

A similar pattern was seen with Russia’s SolarWinds attack, which compromised tens of thousands of organizations but only actively exfiltrated from a few.

“As for how Volt Typhoon plans to weaponize this persistence, we can only speculate, but it is clear there is a concerted effort to obtain it,” Ellis said. 

The report also noted an increase in threat actors using criminal tools to dismantle endpoint detection and response (EDR) solutions and found autonomous groups are selling their wares in penetration testing and alternative attack methods to ransomware gangs. 

John Fokker, the company’s head of threat intelligence, said the emergence of EDR terminator tools and increased use of legitimate binaries to execute attacks are at the top of the list of concerns.

“With increased global adoption of EDR solutions, many organizations have proven to better detect, understand and respond to more sophisticated attacks,” he explained.

Threat actors nowadays often rely on living-off-the-land binaries (LOLBins) and more complex attack methods. However, with EDR technology, it has become more difficult for attackers to remain undetected.  

“Attackers finding ways to circumvent these important tools is a significant risk to organizations and they need to ensure they are monitoring their EDR solutions closely,” Fokker said. 

He added these latest phishing email scams are just one example of threats leveraging elections, noting election and politically motivated cyberthreats are not limited to the U.S. and it’s important that SecOps teams are preparing for them globally.

“Even earlier this year, we observed Taiwan experiencing elevated cyberthreats ahead of its 2024 presidential election, likely aimed at discrediting a political party or disrupting the electoral process,” he said. 

As more hacktivists emerge, along with increased collaboration between nation-state groups and cybercriminal actors, political desires are expected to become a core motivator of nefarious actors.

Ellis pointed out that the rise in U.S.-politics-themed scams indicates that adversarial nation-states understand the significance of election years and are targeting the integrity of the democratic process to undermine their opponents.

“This evolution reflects an opportunistic approach to exploit current events and public sentiments,” he said. 

Ellis explained organizations and the government can better protect themselves by mitigating initial access vectors through training, filtering and blast radius containment.

Ensuring sufficient logging and detection engineering to identify the use of living-off-the-land binaries (LOLBins) is also crucial.

Ken Dunham, cyber threat director at Qualys Threat Research Unit, said Trellix’s report does a “great job” of capturing and identifying key metrics of the current complex poly-crisis, where several diverse and dynamic cyber threats exist and play off one another in a complex and ever-changing global threat landscape.

He predicted Nation-state disruption and attack would continue to escalate through this election year in the U.S., as evidenced in former Presidential election years.

“Expect significant manipulation of media, reporters and debate issues by adversaries, designed to divide the people of the United States and to create confusion and chaos,” he said.