
All right. How you doing, everybody? My name is Dave Branskam. I am a global partner solutions architect focused on security with Microsoft. And why is my thing not working already? This is great. All right, let's try this. There we go. All right, see if this gets going now. Okay. So, that's me, if you want to close up. I've been at Microsoft for about 18 years in a variety of roles. I started out in consulting services, moved over to what used to be called Premier, where I worked with some federal government agencies and worked on their environments. I do live in Raleigh, North Carolina, so I'm relatively close to everybody. And I
have... I love security certifications. If you have any questions about security certifications, feel free to ask me. I've got 14 GIAC certs. I'm working on two more: the machine learning one and, I can't remember the other one, red teaming or something like that. I have 36 active Microsoft certifications. I've passed 85, something like that, of them. I just can't keep up with those things. Anyway, that's me. Okay. So, what we're going to talk about today is Volt Typhoon. Who's heard of Volt Typhoon? All right. Or Salt Typhoon, right? So, the story begins at three o'clock in the morning on a tiny island in the Pacific named Guam. Okay, that's where it
begins. There, a telecom engineer notices something unusual going on in his environment. He sees some admin logins that don't quite fit with the timing. 3:00 a.m. is an odd time for an admin to be logging in. So he contacts Microsoft, and that's where the story gets good. Now, who is Volt Typhoon? So, number one, they are a state-sponsored APT group. They've been active, we know for sure, since at least 2021. They were definitively identified by Microsoft in 2023. And given the characterization of what their targets are, typically their targets are in the area of infrastructure. So they're looking at things like telecom and shipping and power grids and things that
support the movement of materials and things like that. So while their emphasis is on telecom, they do attack these other areas as well. One thing that is very unique about Volt Typhoon is they are very stealthy. They are very quiet. They have exceptional OPSEC. They don't want to be found. They're not interested in making a big splash with anybody. They just want to exist in the environment and do their thing. So, they've been tracked by Microsoft as part of their Typhoon classification system. Now, for the first prize that I'm going to give away, which is a lockpick set, I'm going to ask you: so we all know Volt Typhoon is which country?
>> China. Now, here's the question for you. What is Microsoft's designation for the United States as a threat actor?
>> Are we not threat actors? There you go. Tornado. It's not official, but that's accurate. So, why tornado? Obviously, it's a uniquely American kind of weather system. All right. Good. So, one of the things that is very interesting about Volt Typhoon is, like I said, their obsession with stealth. They are very, very concerned about remaining quiet and kind of living under the radar. And what's interesting is the point that I make here: one of the few threat actors that is known to actively avoid malware entirely in the operative phase of their attacks. So while they do use some malware in the staging part, in
the operational part, where they're actually looking at the environment and exfiltrating data, they use nothing that looks like malware. So it makes them very hard to detect, and we'll see why that's true as we go through this. So the first signs of Volt Typhoon, as I mentioned, came from very subtle indicators that were taking place against US critical infrastructure on the island of Guam. So, as I mentioned, there was a telecom engineer from this company NTT Docomo that was operating out of Guam. So at 3:00 a.m. he notices this kind of odd activity. Little did he know that he was the first eyes and ears to notice
something wrong in one of the biggest breaches in recent memory. So, as you can imagine, his name is not being made public. So, [laughter] I'm not sure that I would want my name being public in that kind of situation either. So, he contacted Microsoft. Microsoft, we brought our threat analysts in and started looking around. And what we started to notice was that... Is that me binging? Am I hitting something? Maybe. >> Okay. Okay. I thought I heard something clanging. It's just the things rattling in my head. So, where was I? So the Microsoft people came in, they started looking around, and they began to realize that
hey, we're seeing similar types of activity in other critical infrastructure components in the Asia-Pacific region. So this looks like a bigger-scale attack than just this one telco on the island of Guam. So by May 2023, Microsoft deemed that the campaign was serious enough that it had to go public. This was done in conjunction with the Five Eyes. So US, UK, Australia, New Zealand, Canada, is that the five? Yeah. And they went public with an advisory, and you can download that advisory, and it has all the TTPs and some of the IOCs that you can look at
for identifying this threat actor. So this is one of the few times that Microsoft has actually gone public about an APT campaign in conjunction with government agencies. So it doesn't happen a lot, but this one was deemed to be significant enough that we did. So part of my role at Microsoft is I work with Microsoft partners. One of the partners that I work with is Lumen. Lumen has a threat intel group called Black Lotus Labs, and they do a great job of identifying botnets and threat actor activities around the world. And they identified this one kind of interesting thing. They created a
graphic for it. And this is how, in part, the threat actor that became Volt Typhoon was linked to China. So along the bottom what you see is the hour in China Standard Time. So the attacks, as you can see, start... and what this is actually depicting is the activity on the botnets that Volt Typhoon was running. So like I said, they did have some malware that was running on some botnets that were composed of home routers. We'll talk about that in just a few minutes. But when those botnets were active corresponded with 8 to 5 China
Standard Time. And so that's a pretty good indicator that that's where a lot of the stuff was coming from.
Now, Volt Typhoon is basically the opposite of what you might consider a typical threat actor to be, or more specifically, the financially motivated threat actors, right? They didn't come in, they didn't smash and grab, they didn't try to knock down the doors and make sure that everybody knew "we're here and we're going to ransomware your entire environment and you're going to pay for this." They are silent. They are a very, very long-term threat. In most cases they were in the environments for about a year; in some cases as long as five years. They were in the environment and not detected till this one guy noticed something unusual. So
they weren't looking to extort money. They weren't looking to deface any systems. They just wanted to exist in the environment and gather information. So if you think about that, it kind of leads you to the question, you know, what was their goal then? If they weren't in it for the money, if they weren't in it to destroy, what were they doing? And that's what the second bullet point is saying: that they were probably prepositioning in the Asia-Pacific region in the event of a conflict. So, if there ever were heightened tensions in the Pacific, which is about every other day now, they would be in a position to try to, for
example, cut off communications to the US. So, there are many articles that you can find that describe how China is prepositioning themselves for this type of a conflict. And a lot of it has to do with destroying communications. So why Guam? Well, Guam might seem to be a relatively small island, but it plays a massive role in communications for the US military as well as telecommunications in that entire region. So they're the thing in the circle, and those are telecom paths that, you can see, kind of just branch out from there. It's like a star that comes right out of Guam.
What's interesting too, if you look just below the red line, you see some satellite orbits being depicted. And it wasn't just the telecom infrastructure; it was the satellite infrastructure that was also compromised. So, they had access to both of these. Now, again, I kind of named the deck, or this presentation, maybe incorrectly, because they weren't listening to telephone calls, right? So their goal was not necessarily to eavesdrop on what was going on. Their goal was to get ready to prevent that type of communication from happening in the event of a war. So the disruption that they planned could create chaos in
the US military. There are a couple of reasons why that's true. So Guam has some strategic military significance, right? So you've got Andersen Air Force Base that's located on Guam. You've got Naval Base Guam. So it's a big central location for the US military to go out into the region, which might include Japan, South Korea, Taiwan obviously, Australia, that whole area. And it would be central for any US response to Chinese aggression against Taiwan, right? That's where a lot of the logistics and staging would take place if there was an attack against Taiwan. Guam also hosts a pretty significant amount of infrastructure that's
leveraged by the US military. So the Guam Power Authority supplies about 20% of the energy that the US Navy needs in that region. So if they could cut off that energy supply, that would be a significant impact to the military's ability to operate in the region. As I mentioned, they're probably also, definitely also, prepositioning for a conflict. So the prepositioning allows them to be in a position where they can disable communications, disable power, cause difficulties for the United States military in that region. It does also happen to be geographically located very close to many of the areas that China cares about, and, you know, the conflicts that are
taking place in the South China Sea. Even if they don't attack Taiwan, the South China Sea stuff that they're engaged in could also be impacted by the US military presence on Guam. The last thing is that Guam is not a particularly strengthened island from a cyber perspective. So their infrastructure was relatively vulnerable. And so it was an easy target for the Chinese to get in, and now they have kind of a foothold in this very large region that was strategic militarily for them. So, how did they do it? This is Microsoft's depiction of the attack, how it took place. And I don't know about you, but when I look at this,
I admire the simplicity of what they did. This was not complicated, how they did it. Probably the most complicated part are the first two stages on the left-hand side of the slide, where they're developing their resources. They have to have a compromised home router network that they can operate through, and then they had to get in through a series of edge devices at the target networks, which might be something like a Fortinet FortiGate or VPN concentrator, that they would use to get in, and then after that it was kind of just living off the land. We'll look at those stages as we go through this, but a very elegant, very quiet operation,
really, really good operators that were doing this. Good from the perspective of talent, not necessarily good from the perspective of good guys. So as I mentioned, one of the things that they did was they compromised a large number of home routers, so your D-Links, your Netgears, your ASUS, your Cisco, around the world, and that became their proxy network that they operated through. And the goal was to obfuscate where the traffic was coming from, right? They didn't want the traffic to be obviously coming from China, and so they compromised these home routers. This is the only stage where malware was used. So remember the picture I showed you of
the Lumen Black Lotus Labs diagram. Those are indicative of the botnet that these routers were part of, and they did have malware on those routers. But after this, no more. Everything else after this was just living off the land. So once they had this botnet of home routers that they could operate through, then they began to target the actual environment. And so they would start the attack by getting into a network device that was internet-facing. In many cases in this particular attack it was a Fortinet FortiGate, either firewall or VPN, that
was used to gain entry. There was a known bug in the software that hadn't been patched, and so really what was elegant about this is that they didn't even have to kind of tip their hand by sending out phishing email, right? So a lot of times we see that as kind of the precursor for attackers: they send phishing email to try to get into the network. These were just firewalls that were unpatched. They could just get in through that unpatched firewall, and they were able to take advantage of that access. Now, what made this twice as bad is that because the Fortinets were integrated with Active Directory, there
was a stored admin credential on the Fortinets. So the attackers could get in, they could look at the device, extract a domain admin credential, and there they go. You know, they're off to the races. They have domain admin credentials immediately on the network, and they can kind of do whatever they need to do. So again, this is part of how they did this so stealthily. They were using legitimate usernames, legitimate passwords, and so unless you were paying really close attention to what was taking place, it would be hard to identify that this was malicious activity. It just looked like valid access. And so that's how they made this progression to the
inside of the network and were successful. Let me try to think of what my next question will be for the other prizes. Hang on. Okay. Before I go to the next slide, who can tell me what the utility is that you can use on a domain controller to back up your Active Directory database? >> What's that? What? >> House? >> Oh, BloodHound. No, no, no, no. >> NTDSUtil. Good. All right. So, we get a USB router there. All right. So, that's one of the things that was used here. So, once they get into the network, they have one domain admin credential by extracting it from that Fortinet appliance. Now the goal is, how many
more credentials can I get, just in case this one credential's password rotates or somebody identifies, you know, that they're using this? I need as many credentials as possible. And so one of the things that they did was they would dump passwords from LSASS. LSASS is a process that runs on Windows machines where usernames and passwords are stored in temporary memory, and you can extract those from memory and use them. But NTDSUtil is one of the ways that you can make a copy of your entire Active Directory database. And so they would run this NTDSUtil, which again is just a tool that's built into the operating
system when you have a domain controller. NTDSUtil is one of the tools that is just provided by Microsoft. So, they weren't doing anything that was necessarily going to tip anybody off that there was something bad going on. They would make a copy of the entire Active Directory database. They would then move that copy of the database offsite, and then they could crack the passwords in that database, and then they have not just the keys to the kingdom from a domain admin perspective, but all the keys to the kingdom, including every single user in the environment, if that's what they chose to use. So they extracted these from an
offline backup. Now, as a pro tip, you should never see admins running NTDSUtil every 30 days. And that's what was happening, right? So this was happening in this environment every 30, 60, 90 days, whatever. It was some kind of a regularly scheduled thing that they were doing, just so that they had the latest copies of the passwords and everything. That should not ever be happening. Okay. So, you know, God forbid it's happening in your network, but if you see this happening in your network, you know, raise a flag, right? This is something that you shouldn't be seeing. So, they've got all the passwords now, right? They've got all the passwords, and
now what they want to do is figure out, okay, what's on this network? And the way that they did this, again, is using standard things that are built into Windows. So, in many cases, they used things like Remote Desktop. They would use connections to SMB file shares, whatever kind of tools an admin on the network might be using; they would use the same tools, and they would do this in a way that would blend in with your typical IT activity. So they would use PowerShell, they would use Windows Management Instrumentation, they'd use command lines, they'd use things like ipconfig, they'd use ping, they'd use whoami, PowerShell scripts. The same things that
you and I would use on a daily basis to do good things on the network. They would use those things in a way to identify what else is out there, what's interesting, what machines have databases that I care about, what file servers have copies of the network that I care about. So these are all some of the activities that they engaged in. And again, simply because they were using tools that we use on a daily basis, it was very, very hard to identify the maliciousness of the activity. So they're kind of roaming the network looking at everything that's going on, and now they have to figure out, okay,
how do I get this information out? And again, they didn't do anything terribly unique, anything terribly scary. Their goal was to collect documents, configuration files, email, whatever it might be, and then just zip it up, maybe password-protect the zip file, and slowly start moving it out of the network so that it didn't raise any red flags. Now what's interesting, if you think about this, is for the time period that they were operating in the Pacific region, which like I said was, you know, 2021 to 2023-ish, AI was not widely being used, right? So when they got a lot of this configuration information, these network maps and things like that, they had to
have somebody sit down and look at it and say, "Okay, here's what this looks like. Here's some machines over here that we care about. Let's find out if they have these vulnerabilities," and whatever. Now, they can just feed that into an LLM and get the answers back within minutes, right? So the time frame that we have to protect our networks has shrunk dramatically, because they're going to use LLMs to find those vulnerabilities, get recommendations on how to compromise those vulnerabilities, and that puts us in a little bit of a hole. So finally, they would exfiltrate the data, and they would do this in very small chunks, right?
They'd use covert channels, go through those router proxies that we talked about, just to avoid setting off any alarms. So, it's possible that some of the data didn't leave for months, even years, after they got their initial access, because, again, their goal was not necessarily to steal data. Their goal was to implant themselves and be ready when the time came, right? Stealing the data was secondary, maybe. Their first objective was: be ready for a war. So how did they maintain their persistence? So if you're familiar with something like Meterpreter, a reverse proxy is a fairly common way that attackers will use to compromise an environment and maintain
their persistence in that environment. So one of the tools that they used was fast reverse proxy. They also used something called Impacket for network operations. And the basic idea here, I'm going to kind of walk you through how this actually works, is if you're an attacker and you want to RDP to the machine on the right-hand side, which is a client machine, chances are you're not going to be able to just RDP directly from your location in China all the way to the internal network, right? You're going to have to figure out some other way to do that. And so what they'll do, once they've already compromised the
environment, they want to be able to make sure, okay, I need to be able to make sure I can get back into this environment at a later point, right? So what they'll do is they'll use this fast reverse proxy. There's an INI file that you can configure, and you'll have a fast reverse proxy server, which is the machine in the middle there. It's going to be running FRPS.exe; that's FRP server .exe. And then you've got FRPC.exe, which is your client piece, running on the machine that you want to RDP into. So the way it works is this. You configure the server to listen on ports, let's say, 7000 and 3389. Okay, you configure that in the
INI file. Now that server is listening on those ports. The next thing you do is, well, what that enables is the client to establish a connection with the server. So after the connection has been established, then it runs FRPC.exe that's installed on the target PC and tries to establish a connection back to the server, which is our relay device. When the relay and the target PCs are connected, then the attacker on the left-hand side is going to try to connect to the target PC. So he says, "Okay, I want to connect first to server Y over port 23389." So he makes that connection to the
server. The server, because it's able to proxy that connection, filters it down and makes the connection over port 7000 to the client machine. The server is then able to connect to the client machine, and then once they're on the client machine, the client machine can forward to port 3389, which is RDP, and they can RDP on that machine. Now, the advantage of it, I mean, it seems like a very complicated way to do things, but the advantage here is that this method of establishing persistence allows them to keep that persistent presence even through reboots. So if the machines are rebooted,
then the client and the server come back up, they establish that connection, you make the connection again to the reverse proxy server, and you can get back in even if the end users reboot the machines. So it's an elegant way to maintain persistence on the environment. And like I said, this is not uncommon. It's what you use with Meterpreter and, you know, other tools. So how did they cover their tracks? One thing, as I mentioned, was simply living off the land. So they used tools, they used processes that are very commonly used in, you know, typical Windows administration
processes. And so your antivirus, your EDR, there was nothing to detect that was out of the ordinary, right? You're running PowerShell, you're running WMI, you're running a command line. There's nothing wrong innately with those things. Their goal with running them was improper, but the EDRs wouldn't necessarily pick up anything wrong on that. They would also clear their logs or disable certain logging in order to wipe evidence. So they were very careful not to set off any security alerts, for example by simply deleting all the event logs or using tools that don't leave obvious footprints. So what have we learned from this?
First one is keep your house in order. [laughter] So CISA issued this advisory that said that threat actors are compromising small office/home office routers by exploiting software defects. And so yeah, there's an obligation by the vendors who make these products to take care of patching them and so on, but there's an obligation on each of us to make sure that our infrastructure at home is well taken care of, because that's what they're leveraging. They're counting on home users not being savvy enough to know, I need to patch this stuff, I need to upgrade these things. Sherrod DeGrippo, who is the director of threat intelligence strategy at Microsoft, said, please go home and
patch your routers, and then on your next day off, go patch your parents' routers. I think that's a brilliant statement, right? So, what are the chances that your parents are going to update their routers? Anybody? >> No. My dad, just yesterday while I was driving here, he called me and said, "I was just listening on the radio and they said not to upgrade from Windows 10 to Windows 11 because Windows 11 deletes all your data. Is that true?" I said, "Dad, you've been on Windows 11 for five years. What are you asking me for?" "Oh, okay. Yeah. Yeah, you're right. You're right." So, what are some things that we can look for?
Let's take a look at some of the things that we can be observant of in our own network and figure out if something like this is happening. And this applies whether or not the biggest threat on our radar is the Chinese government or somebody else. These are good practices regardless of what our biggest threat is. So, one of the first ones is look for strange admin locations. So, if you see an admin account, or any account, that's logging in from an IP address that doesn't fit, that should be a red flag, right? Make sure that you're
paying attention to those things, and UEBA, user and entity behavior analytics, is a big help in identifying that sort of thing. You know, I'm not going to be the Microsoft shill and say, you know, you have to go buy Defender Plan 2 and blah blah blah, but there are tools that are built into Entra, and that are built into, for example, Sentinel, that track user and entity behavior and can alert on things that are unusual, right? So in Volt Typhoon's case, they piggybacked on those hacked home and office routers, and so it may look like their access was coming from some random Comcast or China Telecom IP
that your admins typically wouldn't be using. The second one is credential dumping activity. So any sign that LSASS memory is being dumped is bad news in your Windows logs. This might show up as certain suspicious event IDs. If you look at the top, "harden credential stores," there's some guidance there for how to use Credential Guard. We also have Remote Credential Guard for Remote Desktop sessions that you can use as well, and that can allow you to protect your LSASS stored memory. Also, as I mentioned, using NTDSUtil should immediately raise a flag, right? There's
a limited number of reasons why you should be running NTDSUtil, and generally the admins on the network should be aware that this is what's happening, right? If it's happening without their awareness, there's generally a problem. And then look for suspicious archive or file creation types of activities. So, an unusual number of password-protected ZIP or RAR files in temporary directories, in user home directories, those might be an indicator of an attacker staging data to exfiltrate at a later time. What else can we look for? So the port proxying, the forwarding that we talked about, the fast reverse proxy, how do I identify that sort of
thing? So we want to be able to identify what ports our machines are listening on, and how can we identify whether this is bad activity. So Sandia Labs has guidance on detecting use of proxies; that's up at the top of the right-hand side. So that's a good resource to use for identifying machines that are possibly being used to proxy data. And then look for things like log clearing. Like I said, in the case of Volt Typhoon, they didn't do a lot of log clearing. But they did do some, and so when that happens, that should maybe
be something that you take a look at. So if they're using wevtutil, that might be one of the things that you look at. I did, on the bottom right, provide a link to Black Lotus Labs' list of IOCs for Volt Typhoon. It is very interesting to look at and find the IP addresses and file hashes and whatever that they were able to identify as being associated with Volt Typhoon. And if you don't already have those ingested or listed in your SIEM, it'd be a good idea to do that. So, what did CISA recommend in terms of priority actions for organizations?
It's all stuff that we've all heard over and over and over again, right? Apply patches to your internet-facing systems. Prioritize patching your critical vulnerabilities. Implement phishing-resistant MFA. Anybody want to tell me what phishing-resistant MFA is, for a book? >> Huh? What's that? I didn't know who answered. >> Not as much. >> Oh, not SMS. Okay. Yeah. Yeah. Yeah. Go ahead. >> Okay. That's an example. But what is the idea behind phishing-resistant MFA? What's the goal? >> I saw your hand up. >> To make it where you're logging in, not just say yes. >> Yep. Yep. Good. >> So maybe that's type in a number or
something. >> All right. Good. So YubiKey is one of the examples. Not SMS is one of the examples. [laughter] Maybe not the exact thing I was looking for. But yeah, so it's no longer the case where we can simply say just use MFA, because SMS is an MFA, right? So it's not the one that we want to be using. The third one: ensure logging is turned on for application access and security logs, and store those logs in a central system. Everybody using some sort of SIEM or log aggregation location of some sort? Oh goodness. Okay. All right. And then lastly, plan end of life for technology beyond the manufacturer-
supported life cycle. So, a lot of those small office/home office routers were out of date. They were no longer being supported by the vendor, but they're still out there, and new vulnerabilities are being identified on a regular basis. So, it became pretty easy for the attackers to take advantage of them. Now, the one thing that I think is just really, really interesting about this, right? Microsoft is bad about this. You know, we talk about how AI and Copilot and this and that and all this is going to make your SOC run on AI and blah blah blah, right? Everybody's heard that from your Microsoft people,
right? You want to use AI agents and you want to use this, that, and the other thing. What was it that solved the problem here? It was one person paying attention to their environment. That's what caught it. It wasn't Copilot. It wasn't some mysterious AI tool. One guy found what was going on and he raised a flag. So AI is great for some things, but there's nothing that can replace, right now, the ability of a human to reason on something and make a decision about whether it's good or bad. Right? So never forget that you have the ability to impact the security of your environment just by paying attention. And that's it.
Any questions? [applause] >> Sir?
Friday night. [laughter] >> I So I I don't know. Um I could I could talk to Lumen and see if they have any ideas about why that was true. Um maybe uh some uh some guy didn't have much of a a life and so he was working on Friday nights. I don't know. [laughter] I don't know. I don't know what it was, but it's I mean it's a good question. I I I wondered the same thing like why why this one little uh section? But uh if anybody has any ideas, I'm happy to hear them.
No, no, no. So, so that's what they were backing up. So, so the uh ntdsutil can be used to uh create a backup of your directory so that you can create another domain controller very easily with that backup. So, that's what that was.
>> Theoretically, no. Right. I mean all you have to do is bind against LDAP and read. So I >> Yeah. >> I mean I >> Yeah. I I I I don't know what the what the reason would be why they did that, but um I I don't I don't work for Fortinet. I don't know. >> Sir, >> I'm sorry, I missed the first party question. >> Yeah. Every single piece of every single black.
So when I look at that
old techniques that were either notic >> well >> that's true and that's because what they were using is things that you use every day, right? That's that's what was the key is that they they didn't This is what
>> you have a whole lot of people that can elevate their privileges to do ads, You have a whole bunch of people that can elevate their privileges to domain admins right? >> Got it.
>> I'm saying
>> and and and that that's fantastic, but not everybody's doing that kind of uh granular alerting. That's fant. I mean, what what you're doing is what what we expect everybody to be doing, right?
>> Maybe
[laughter] Yes sir.
>> Oh yeah. Yeah. Yeah. Yeah. So for sure what one of the things that that they did um so it wasn't simply that they would get into the Windows network, right? Typically the Windows network is the bridge into the OT network, right? And so that's really where their their their goal was is to get to the the stuff that runs the power grid, the stuff that runs, you know, the the the the telecom and stuff like that. That's all OT stuff. So they were definitely uh uh making movements in into that. I was primarily talking about the Windows part of the environment. So, so yes, 100% that that they're doing that.
>> So, they have to have already made um uh they have to have already landed inside the network and and [snorts] been able to install on that machine. What you're trying to do is establish persistence so that even if you get booted out, you have a way back in. So, um, the the the the INI file that you configure, that's what kind of gives you that that doorway back into the network if something, you know, kicked you out. >> That's not >> that that's not how they got in. >> That so, so that's true. So, that is um uh not necessarily living off the land, but they could also do netsh portproxy, right? And and that would do the same thing.
Yeah. Yeah. So, so in that case, it was not living off the land, but they still got away with it. >> Yeah.
Cisco, US. So I think you're thinking of Salt Typhoon. >> So Salt Typhoon, probably the same guys or, you know, at least a subset of that that group um that knows the telecom infrastructure and knows kind of what to look for. Uh, they're the ones that infiltrated Verizon, AT&T, all that stuff. That's that was a little bit later. It was like it was like last year, I think. Can't remember exactly when it took place. Might might have been I can't remember when when the Salt Typhoon thing happened. I think that was last year. But but the Volt Typhoon was uh the year before. >> Yes sir.
>> Um you mean the the researchers at Lumen?
>> Well, I mean one of the ways you you'd be able to see um from the logging on like the Fortinets, you'd be able to see what IP address was connecting to it. That that'd be one way. Right. Right. >> Oh, sorry.
>> Do we know how long the >> How long it was? You mean how long they had persistence? >> Oh, years. In some cases as much as five years. Maybe maybe even still. Who knows? >> I wouldn't be surprised if some of them do. >> Well, what was the what was the idea behind your question? >> Huh? >> Oh. Oh, you're asking about how many hops? >> Yes. >> Oh, uh, that I don't know. I don't know. I don't know if there was anything defined about that. You know what you can do is is look at that CISA advisory. Um, they they go into a lot of detail about how exactly that was performed and exactly what uh um tactics were used. So they might might mention that. All right. Well, thank you everybody for your attention. Appreciate it. [applause]