POC details: 3bd21c3e7b021935e7039d97c9db148fde90e9bd

Source
Related vulnerability
Title: Versa Director security vulnerability (CVE-2024-39717)
Description: Versa Director is a virtualization and service-creation platform from the US company Versa. It simplifies the creation, automation and delivery of services that use Versa FlexVNF. Versa Director contains a security vulnerability: the "change favicon" option can be misused so that a malicious file with a .png extension is uploaded while masquerading as an image file.
Description
Interactive 3D visualization of China's Volt Typhoon APT attacking US critical infrastructure. Shows the real 72-hour attack chain from the CVE-2024-39717 exploit to water/power grid compromise. Based on CISA advisories & Microsoft threat intel.
Introduction
# Volt Typhoon APT Attack Visualization

## 🎯 Overview

An interactive 3D visualization of the Volt Typhoon (Chinese state-sponsored APT) attack on U.S. critical infrastructure, based on official CISA advisories and Microsoft threat intelligence. This educational tool demonstrates the complete 72-hour attack chain from initial compromise through data exfiltration.

## 🚨 Key Features

### Real Attack Simulation
- **CVE-2024-39717**: Versa Director zero-day exploitation
- **Living Off the Land (LOTL)**: after the initial web shell on Versa Director, no malware on Windows hosts, only built-in Windows tools
- **Multi-hop proxy routing**: China → New Caledonia → Pacific → Guam → Target
- **Critical infrastructure targeting**: Water treatment, power grid, SCADA systems

### Interactive Timeline
- **6 Attack Stages** over 72 hours
- **Speed controls**: 1x to 60x playback speed
- **Dynamic camera**: Follows attack progression
- **Real-time packet flow**: Visual network traffic

## 🛡️ Intelligence Sources

This visualization is based entirely on public intelligence reports:

- **CISA Advisory AA24-038A** (February 7, 2024)
  - "PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure"
  - Documents 5+ year persistence in victim networks

- **Microsoft Threat Intelligence** (May 24, 2023)
  - "Volt Typhoon targets US critical infrastructure with living-off-the-land techniques"
  - Identified New Caledonia proxy infrastructure

- **FBI Private Industry Notification 240131-001** (January 31, 2024)
  - Details on water utility compromises
  - SCADA/OT system access methods

- **MITRE ATT&CK Group G1017**
  - Complete TTP mapping for Volt Typhoon

## 🎮 Controls

### Playback Controls
- **Play/Pause**: Start or pause the attack simulation
- **Speed Options**: 
  - 1x: base speed (the 72-hour timeline plays in about 12 minutes)
  - 10x, 30x, 45x, 60x: faster playback (default: 45x)
- **Restart**: Reset to beginning

### Camera Controls
- **Left Click + Drag**: Rotate view
- **Right Click + Drag**: Pan camera
- **Scroll**: Zoom in/out
- **R Key**: Reset camera position

## 🏗️ Architecture

### Technology Stack
```
Frontend:
├── Three.js         # 3D visualization
├── GSAP            # Timeline animations
├── Vite            # Build system
└── ES6 Modules     # Modern JavaScript

Data:
├── Attack Events   # JSON timeline data
├── Network Topology # Node positioning
└── MITRE Techniques # ATT&CK framework
```

### Network Zones
1. **Proxy Chain** (Far Left) - Compromised routers
2. **IT Network** (Center) - Corporate systems
3. **OT/SCADA** (Right) - Critical infrastructure

## 🚀 Installation & Setup

### Prerequisites

Before running this visualization, you'll need:

1. **Node.js** (v16 or higher)
   - Download from: https://nodejs.org/
   - Verify installation: `node --version`

2. **npm** (comes with Node.js)
   - Verify installation: `npm --version`

3. **Git** (to clone the repository)
   - Download from: https://git-scm.com/
   - Verify installation: `git --version`

### Step-by-Step Installation

```bash
# 1. Clone the repository
git clone https://github.com/ahays248/VT_Viz.git
cd VT_Viz

# 2. Install dependencies
npm install

# 3. Generate attack data (optional - data is pre-generated)
npm run generate-data

# 4. Start the development server
npm run dev
```

The visualization will open automatically at `http://localhost:3000/` (or port 3001 if 3000 is in use).

### Quick Start (Copy & Paste)

```bash
# One-line setup for experienced users
git clone https://github.com/ahays248/VT_Viz.git && cd VT_Viz && npm install && npm run dev
```

### Building for Production

```bash
# Create optimized production build
npm run build

# Preview production build locally
npm run preview
```

The production build will be in the `dist/` folder, ready for deployment to any static hosting service.

### Troubleshooting Installation

**Port already in use:**
- The dev server will automatically try port 3001 if 3000 is busy
- Or manually specify: `npm run dev -- --port 3002`

**npm install fails:**
```bash
# Clear npm cache and retry
npm cache clean --force
rm -rf node_modules package-lock.json
npm install
```

**Visualization doesn't load:**
- Check browser console for errors (F12)
- Ensure WebGL is enabled in your browser
- Try Chrome, Firefox, or Edge (latest versions)

### System Requirements

- **Minimum:** 4GB RAM, modern browser with WebGL support
- **Recommended:** 8GB RAM, dedicated graphics card
- **Browsers:** Chrome 90+, Firefox 88+, Edge 90+, Safari 14+

## 📁 Project Structure

```
VT_Viz/
├── src/
│   ├── volt-typhoon-timeline.js   # Main visualization logic
│   ├── scene.js                   # Three.js scene setup
│   ├── main.js                    # Application entry
│   └── controls.js                # User interactions
├── public/
│   └── data/
│       └── volt-typhoon-attack.json  # Attack event data
├── scripts/
│   └── generate-volt-typhoon-data.js # Data generation
└── docs/
    ├── CLAUDE.md                  # Architecture documentation
    ├── LESSONS-LEARNED-THREEJS.md # Development insights
    └── VOLT-TYPHOON-SOURCES.md   # Intelligence sources
```

## 📊 Attack Timeline

### Stage 1: Initial Access (0-6 hours)
- **CVE-2024-39717**: Versa Director unrestricted file upload through the change-favicon option (a non-image file is accepted as long as it carries a .png extension)
- **Ports**: 4566, 4570 (HA management), 443
- **Tool**: VersaMem web shell

### Stage 2: Discovery (6-24 hours)
- **T1059.001**: PowerShell enumeration
- **Tools**: powershell.exe, wmic.exe, ntdsutil.exe
- **Technique**: Living Off the Land (no malware)

### Stage 3: Lateral Movement (24-48 hours)
- **T1021.001**: RDP chain through jump boxes
- **T1047**: WMI for remote execution
- **Target**: Domain Controller

### Stage 4: Domain Compromise (48-60 hours)
- **T1003.003**: NTDS.dit extraction
- **Method**: Volume Shadow Copy
- **Impact**: Full AD compromise, OT access

### Stage 5: Exfiltration (60-72 hours)
- **T1090.003**: Multi-hop proxy chains
- **Route**: Target → Guam → Pacific → New Caledonia → China
- **T1070.001**: Windows Event Log clearing

## ⚠️ Critical Impact

### Data Compromised
- Active Directory credentials
- SCADA configurations
- Water treatment parameters
- Power grid topology
- Industrial control logic

### Potential Consequences
- **Water Systems**: Chemical balance manipulation
- **Power Grid**: Substation disruption
- **Industrial**: Equipment destruction
- **Communications**: Network outages

## 🛡️ Defense Recommendations

1. **Patch Management**: Apply Versa Director updates immediately (CVE-2024-39717)
2. **Network Segmentation**: Isolate OT from IT networks
3. **MFA**: Require for all administrative access
4. **Monitoring**: Watch for LOTL techniques (PowerShell, WMI, RDP)
5. **Logging**: Centralize and protect event logs (attackers clear logs)
6. **Port Security**: Restrict ports 4566 and 4570 (Versa HA management) to Versa Director and Controller nodes only; never expose them to the internet
7. **Webshell Detection**: Check /var/versa/vnms/web/custom_logo/ for files with image extensions whose content is not an image (VersaMem was dropped there as a .png)
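Recommendation 7 and the vulnerability description at the top of the page describe the same check from two sides: the upload only validates the extension, so the defender has to validate the content. The following added example (not Versa or VT_Viz code) walks a directory, defaulting to the custom-logo path named above, and reports every file that claims an image extension but does not start with that image format's magic bytes; the signature tables, verdict strings and the `scan`/`classify` names are assumptions of this example, and the suspect-content table is a heuristic, not a published IOC list.

```python
"""Flag files under Versa Director's custom-logo directory whose image
extension does not match their content. Added example, not Versa or
VT_Viz code; the signature tables and verdict strings are assumptions."""
import os
import sys

DEFAULT_ROOT = "/var/versa/vnms/web/custom_logo/"

# What a file with one of these extensions must start with to be an image.
IMAGE_MAGICS = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Content that has no business sitting behind an image extension on a web root.
SUSPECT_MAGICS = (
    (b"PK\x03\x04", "zip/jar archive"),
    (b"\xca\xfe\xba\xbe", "java class"),
    (b"\x7fELF", "ELF executable"),
    (b"MZ", "PE executable"),
    (b"#!", "script with shebang"),
    (b"<?php", "php source"),
    (b"<%", "jsp source"),
)

def classify(name, head):
    """Verdict for one file from its name and its first bytes."""
    ext = os.path.splitext(name)[1].lower()
    expected = IMAGE_MAGICS.get(ext)
    if expected is None:
        return f"unexpected extension: {ext or '(none)'}"
    if any(head.startswith(magic) for magic in expected):
        return "ok"
    for magic, label in SUSPECT_MAGICS:
        if head.startswith(magic):
            return f"suspect: {label} disguised as {ext}"
    return f"suspect: unknown content disguised as {ext}"

def scan(root=DEFAULT_ROOT, head_len=16):
    """Walk root and return (path, verdict) for every file that is not a
    genuine image; unreadable files are reported rather than skipped."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(head_len)
            except OSError as exc:
                findings.append((path, f"unreadable: {exc}"))
                continue
            verdict = classify(fn, head)
            if verdict != "ok":
                findings.append((path, verdict))
    return findings

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_ROOT
    findings = scan(root)
    for path, verdict in findings:
        print(f"{verdict:45} {path}")
    print(f"{len(findings)} finding(s) under {root}")
    sys.exit(1 if findings else 0)
```

Run it as root on the Director node (`python3 check_logo_dir.py /var/versa/vnms/web/custom_logo/`); a non-zero exit means something needs a look. Two caveats: a header check catches a JAR or script renamed to .png but not a genuine PNG with a payload appended after the image data, so pair it with a comparison against the file inventory of a clean install; and a hit here means the upload already succeeded, so the ports in recommendation 6 are the control that keeps you from needing this one.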

## 📚 Educational Purpose

This visualization is designed for:
- Cybersecurity training and awareness
- Understanding APT tactics and techniques
- Incident response preparation
- Critical infrastructure defense education
- Demonstrating real-world attack chains

### Key Learning Features
- **Interactive Info Boxes**: Detailed explanations appear during critical attack moments
- **MITRE ATT&CK Mapping**: Each technique is labeled with official IDs
- **Mitigation Guidance**: CISA-recommended defensive actions
- **Visual Attack Flow**: See how attacks progress through networks
- **Impact Visualization**: Understand consequences of each compromise

**Note**: All data shown is from public sources. No classified or sensitive operational information is included.

## 🔗 Resources

- [CISA Volt Typhoon Advisory](https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a)
- [Microsoft Threat Intelligence](https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/)
- [MITRE ATT&CK - Volt Typhoon](https://attack.mitre.org/groups/G1017/)
- [Full Intelligence Sources](./docs/VOLT-TYPHOON-SOURCES.md)

## ⚖️ License

MIT License - Educational Use

## 🙏 Acknowledgments

- CISA for public threat intelligence
- Microsoft Security for detailed analysis
- FBI for infrastructure impact data
- The cybersecurity community for collaborative defense

---

## 🆘 Getting Help

If you encounter issues:

1. Check the [Troubleshooting](#troubleshooting-installation) section above
2. Review [docs/CLAUDE.md](./docs/CLAUDE.md) for technical details
3. Open an issue on GitHub: https://github.com/ahays248/VT_Viz/issues

---

**Disclaimer**: This is an educational visualization based on public intelligence reports. It is intended to help defenders understand and protect against these threats.
File snapshot

```
[4.0K] /data/pocs/3bd21c3e7b021935e7039d97c9db148fde90e9bd
├── [4.8K] CLAUDE.md
├── [4.0K] docs
│   ├── [5.2K] ATTACK-STORY.md
│   ├── [ 12K] CLAUDE-DATA.md
│   ├── [ 10K] CLAUDE.md
│   ├── [8.8K] CLAUDE-PARTICLES.md
│   ├── [9.8K] CLAUDE-PHYSICS.md
│   ├── [5.5K] CLAUDE-SCENE.md
│   ├── [ 18K] LESSONS-LEARNED-THREEJS.md
│   ├── [3.9K] QUICKSTART.md
│   ├── [8.5K] SETUP.md
│   ├── [4.9K] VOLT-TYPHOON-ATTACK.md
│   └── [7.3K] VOLT-TYPHOON-SOURCES.md
├── [7.3K] index.html
├── [1.0K] LICENSE
├── [ 635] package.json
├── [ 48K] package-lock.json
├── [4.0K] public
│   └── [4.0K] data
│       └── [ 174] sample.json
├── [8.7K] README.md
├── [4.0K] scripts
│   ├── [ 11K] generate-attack-data.js
│   └── [ 19K] generate-volt-typhoon-data.js
├── [4.0K] src
│   ├── [5.9K] controls.js
│   ├── [5.4K] data-loader.js
│   ├── [5.0K] main.js
│   ├── [7.0K] particles.js
│   ├── [4.7K] physics.js
│   ├── [3.7K] scene.js
│   ├── [ 260] style.css
│   ├── [ 21K] timeline.js
│   └── [ 78K] volt-typhoon-timeline.js
└── [ 645] vite.config.js

5 directories, 30 files
```