Volt Typhoon is a Chinese state-sponsored hacking group that has been active since at least mid-2021, targeting critical infrastructure sectors in the United States and its territories.
The group employs sophisticated techniques to infiltrate networks by using “compromised routers” and “other devices” to maintain a low profile while conducting “espionage.”
One of the security analysts, “Owaiz Khan” recently identified that the “ExoneraTor Tool” which helps in detecting “IP addresses” was linked with “Tor Network,” and uncovered “Volt Typhoon.”
ExoneraTor Detect IP Address
ExoneraTor was developed by The Tor Project and it is a specialized tool that verifies whether a given “IP address” was part of the Tor network on a specific date.
Analyse Any Suspicious Files With ANY.RUN: Intergarte With You Security Team -> Try for Free
This web service aids “law enforcement,” “researchers,” and “individuals” in investigating online activities involving Tor.
It functions by “querying historical data” about “Tor relays,” like “exit nodes,” “middle relays,” and “entry guards.”
Users can input an IP address and date to determine if it was operating as a “Tor relay.”
ExoneraTor helps in ‘digital forensics,’ ‘tracking Tor infrastructure changes,’ and ‘investigating cases where online anonymity is a factor.’
For instance, it can confirm if an “IP was a Tor exit relay,” via which “anonymous internet traffic” emerges.
The tool also provides additional data like “relay fingerprints.” These types of data are unique identifiers for “Tor nodes.”
This information is important for understanding “Tor network dynamics” and can be “cross-referenced” with other “Tor metrics” for “comprehensive analysis.”
While ExoneraTor is valuable for verifying “Tor involvement,” but it’s important to note that “Tor usage” itself isn’t inherently indicative of illicit activity. Since the network is also used for “legitimate privacy protection” as well.
Analysis of “ExoneraTor results” and “Tor network consensus data” suggests “67.205.139.175” was likely not used by “Volt Typhoon” as a “Tor exit relay” to mask connections to the C2 server at “45.63.60.39.”
However, conclusive evidence requires additional information like “port numbers” and “traffic metadata.”
According to researchers, organizations should implement strategies from the “Identifying and Mitigating Living off the Land Techniques” guide to enhance the detection of “LOTL” techniques.
These include establishing “robust security baselines,” “employing behavior analytics,” and “conducting proactive threat hunting.”
Due to ‘inadequate practices’ and ‘undefined normal behavior patterns,’ many entities struggle with “LOTL detection” not only that even such a scenario also makes it difficult to determine the “malicious activities.” Traditional “IOCs” often prove insufficient for identifying LOTL attacks.
A comprehensive cybersecurity approach incorporating “advanced anomaly detection,” “sophisticated behavior analysis,” and “continuous proactive hunting” is crucial for effectively mitigating LOTL threats in modern network environments.
How to Choose an ultimate Managed SIEM solution for Your Security Team -> Download Free Guide(PDF)