
Urgent Warning Issued to Critical Infrastructure Leaders: Heed Potential Menaces Tied to China-Linked Entities Seriously

Authorities provide strategies for recognizing and countering Volt Typhoon's elusive maneuvers, as increasing warnings underscore the gravity of the situation.

"Five Eyes urges executives of crucial infrastructures to genuinely consider potential threats with links to China"

Volt Typhoon: China's Persistent Cyber Threat to Critical Infrastructure

The Chinese state-sponsored cyber threat actor Volt Typhoon has been a cause for concern for critical infrastructure organizations worldwide. The group, affiliated with the People's Liberation Army (PLA) cyber espionage apparatus, has been targeting critical infrastructure and military installations primarily in the United States (including Guam, Hawaii, and Texas) and in allied regions.

Volt Typhoon is part of a broader "Typhoon" group of Chinese hacking organizations, each tasked with infiltrating key sectors like critical infrastructure, communications, government, military, and defense organizations. Their primary activity involves gaining covert, long-term access to critical networks inside the US to prepare for a potential conflict escalation, especially concerning tensions over Taiwan.

However, recent disclosures by the NSA and FBI have revealed that Volt Typhoon failed to maintain persistence on critical US infrastructure networks. Despite their attempts to quietly lurk within networks for years, their campaign was ultimately unsuccessful, forcing China to reassess its approach.

Key points about Volt Typhoon from the available information:

  • Origin: Chinese government-affiliated, linked to the PLA and Shanghai-based contractors such as iSoon.
  • Targets: Critical US infrastructure, military installations, telecommunications, and governmental networks.
  • Tactics: Exploiting unpatched routers, deploying custom malware (some shared with other Typhoon groups), gaining stealthy network access.
  • Intent: To prepare cyberattack capabilities for potential future conflicts, particularly over Taiwan.
  • Outcome: Detected by US agencies, removed before establishing long-term footholds; considered a failed campaign in terms of long-term access.

The Five Eyes have urged critical infrastructure organizations to follow CISA's cybersecurity performance goals and the guidance of their respective sector risk management agencies. This follows a February warning from the Five Eyes about the urgent risk posed by Volt Typhoon.

To protect against Volt Typhoon, critical infrastructure organizations need a comprehensive and multifaceted approach. This includes continuous training and regular tabletop exercises, establishing strong vendor risk management processes, and exercising due diligence in selecting vendors by following secure-by-design principles. Detecting and mitigating living-off-the-land techniques requires consistent access and security logging, with logs stored in a central system.
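As an added illustration of why centralized logging matters for living-off-the-land detection (this is example code, not from the article or any agency guidance), the script below runs simple rules over constructed process-creation events of the kind a central log store would hold. The log line format and host, user and command values are constructed; the three rules cover built-in Windows tools that the joint CISA/FBI/NSA advisories on Volt Typhoon have publicly documented being misused (ntdsutil for Active Directory database dumps, netsh port proxying, wmic remote process creation), and the rule names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample events in the shape a central log store might hold after
# normalising Windows process-creation records. Not real telemetry.
SAMPLE_LOGS = """\
host=dc01 user=svc_backup parent=cmd.exe cmd="ntdsutil.exe ac i ntds ifm create full C:\\temp q q"
host=ws12 user=jdoe parent=explorer.exe cmd="notepad.exe C:\\notes.txt"
host=fw-mgmt user=admin parent=cmd.exe cmd="netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5 connectport=3389"
host=ws07 user=SYSTEM parent=services.exe cmd="wmic process call create cmd.exe /c whoami"
host=ws12 user=jdoe parent=cmd.exe cmd="netsh advfirewall show allprofiles"
"""

# Illustrative rules for built-in tools misused in the ways the public Volt Typhoon
# advisories describe: dumping the AD database, port proxying, remote process spawning.
# The benign "netsh advfirewall show" line above must not match.
LOTL_RULES = {
    "ntdsutil_ifm": re.compile(r"\bntdsutil\b.*\bifm\b", re.I),
    "netsh_portproxy": re.compile(r"\bnetsh\s+interface\s+portproxy\s+add\b", re.I),
    "wmic_process_create": re.compile(r"\bwmic\s+process\s+call\s+create\b", re.I),
}

LINE_RE = re.compile(
    r'host=(?P<host>\S+) user=(?P<user>\S+) parent=(?P<parent>\S+) cmd="(?P<cmd>.*)"$'
)

def parse_line(line):
    """Parse one normalised event; return a dict or None for malformed lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def detect(log_text):
    """Return (host, user, rule) tuples for every event matching a LOTL rule."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # skip blank or malformed lines rather than crash the pipeline
        for name, rx in LOTL_RULES.items():
            if rx.search(ev["cmd"]):
                hits.append((ev["host"], ev["user"], name))
    return hits

def rules_per_host(hits):
    """Group rule names by host so analysts see which machines show several indicators."""
    grouped = defaultdict(set)
    for host, _user, rule in hits:
        grouped[host].add(rule)
    return {h: sorted(r) for h, r in grouped.items()}

if __name__ == "__main__":
    for host, rules in rules_per_host(detect(SAMPLE_LOGS)).items():
        print(host, rules)
```

Because every host's events sit in one store, the same rules see the domain controller, the workstation and the firewall management host together, which is what makes a cross-host picture possible.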

The White House and Environmental Protection Agency have called for U.S. governors to shore up water security, and a virtual meeting has been scheduled for governors' health, environmental, and homeland security officials on Thursday. The agencies strongly advise leaders to take actions to defend their systems against the China state-sponsored threat actor Volt Typhoon.

Volt Typhoon has already embedded itself into numerous transportation, energy, communications, and water and wastewater systems. Their footholds are part of Volt Typhoon's broader effort to preposition themselves for future disruptive or destructive cyberattacks.

Despite their recent setbacks, Volt Typhoon continues to pose a significant threat. Following the best practices detailed in last month's cybersecurity advisory can help organizations detect the specific commands used by Volt Typhoon actors. It is crucial for organizations to stay vigilant and proactive in their cybersecurity measures to protect against this persistent threat.

  1. The failure of Volt Typhoon to maintain persistence on critical US infrastructure networks does not diminish the significant risk they pose, as highlighted by the Five Eyes and the White House.
  2. In light of the Volt Typhoon threat, it's imperative for critical infrastructure organizations to adhere to CISA's cybersecurity performance goals and implement a comprehensive approach that includes continuous training, robust vendor risk management, and secure-by-design principles.
  3. Volt Typhoon has already established footholds in numerous US systems, underscoring the urgency for governors to prioritize water security and cybersecurity measures to protect against this persistent threat.
  4. The cybersecurity threat posed by Volt Typhoon is not confined to the realm of technology, but also intersects with politics, war and conflicts, and general news, particularly concerning tensions over Taiwan.
