In a new revelation, China-backed hacking group Volt Typhoon has maintained persistent access to major U.S. critical infrastructure for at least five years, as detailed in a joint advisory from CISA, the NSA, and the FBI.
The Persistent Threat
nGuard detailed Volt Typhoon’s cyberespionage activities in June 2023, revealing a targeted campaign against military and government organizations in the United States. The group’s advanced persistent threat (APT) tactics focused on stealth, utilizing “living off the land” techniques and exploiting vulnerabilities in cybersecurity suites.
Positioning for Disruption
Recent reports highlight Volt Typhoon’s shift towards physical disruption to U.S. critical infrastructure. The group is gaining access to operational technology (OT) networks, responsible for the physical functions of industrial control systems and supervisory control and data acquisition equipment. The aim is to disrupt critical operations in energy, water, communications, and transportation, potentially causing panic during geopolitical tensions or military conflicts.
Years in the Shadows
Volt Typhoon has maintained access to some U.S. critical infrastructure for a staggering five years. Using stolen administrator credentials and sophisticated operational security, the group has infiltrated networks across water, transportation, energy, and communications systems. Their techniques have allowed them to remain hidden, avoid detection, and even control surveillance camera systems.
U.S. & Global Concerns
The threat extends beyond the U.S., with indications that Volt Typhoon is targeting government assets in Australia, the UK, Canada, and New Zealand. The joint efforts of international agencies show the global threat posed by Volt Typhoon. The U.S. and its allies are on high alert, considering the potential for destructive cyberattacks.
Defending Against Volt Typhoon
Mitigation advice from CISA emphasizes the need to detect Volt Typhoon’s techniques, procedures, and living off the land tactics. CISA recommends the following mitigations, at a minimum:
- Apply patches for internet-facing systems. Prioritize patching critical vulnerabilities in appliances known to be exploited by Volt Typhoon. Vulnerability scanning effectively identifies required patches and updates within your network.
- Implement phishing-resistant MFA.
- Ensure logging is turned on for application, access, and security logs, and store the logs in a central system. Both the technology and investment in staffing are needed to establish an effective log management capability.
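The third mitigation only pays off if someone actually queries the centralized logs for living-off-the-land activity. The following is an added example written for this post, not code from nGuard or from the CISA advisory: it scans constructed process-creation events (an assumed, simplified key=value form that a real deployment would produce by normalizing Windows 4688 or Sysmon event 1 records) and flags built-in Windows binaries that are being run in unusual ways. The list of binaries, the "service parent" list, and the argument patterns are all assumptions chosen for illustration, not indicators taken from the advisory.

```python
import re
from collections import Counter

# Constructed sample events (not real telemetry). Assumed normalized format:
#   <timestamp> host=<h> user=<u> parent=<parent exe> image=<full path> cmdline="<args>"
SAMPLE_LOGS = [
    '2024-02-08T10:01:02Z host=ws01 user=alice parent=explorer.exe image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe notes.txt"',
    '2024-02-08T10:03:11Z host=ws01 user=alice parent=explorer.exe image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c dir"',
    '2024-02-08T10:07:45Z host=dc01 user=svc_backup parent=cmd.exe image=C:\\Windows\\System32\\ntdsutil.exe cmdline="ntdsutil.exe ac i ntds ifm create full C:\\temp\\out q q"',
    '2024-02-08T10:09:30Z host=edge01 user=SYSTEM parent=w3wp.exe image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c whoami"',
    '2024-02-08T10:12:03Z host=edge01 user=admin parent=cmd.exe image=C:\\Windows\\System32\\netsh.exe cmdline="netsh.exe interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5"',
]

LOG_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) parent=(?P<parent>\S+) '
    r'image=(?P<image>\S+) cmdline="(?P<cmdline>[^"]*)"$'
)

# Assumed watch-lists for this example. Built-in binaries that "living off the land"
# activity tends to reuse, and server processes that should rarely spawn a shell.
LOLBINS = frozenset({"cmd.exe", "powershell.exe", "wmic.exe", "netsh.exe",
                     "ntdsutil.exe", "reg.exe", "vssadmin.exe"})
SERVICE_PARENTS = frozenset({"w3wp.exe", "httpd.exe", "nginx.exe"})

# Argument patterns worth a second look (assumed, for illustration).
ARG_PATTERNS = [
    (re.compile(r"\bntds\b|\bifm\b", re.I), "ad-database-export"),
    (re.compile(r"portproxy", re.I), "port-proxy-setup"),
    (re.compile(r"\bsam\b", re.I), "sam-hive-access"),
]


def parse_event(line):
    """Parse one normalized log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # Basename of the executable, lower-cased, so path variations do not matter.
    ev["exe"] = ev["image"].rsplit("\\", 1)[-1].lower()
    ev["parent"] = ev["parent"].lower()
    return ev


def score_event(ev):
    """Return the list of reasons an event is interesting (empty means benign)."""
    reasons = []
    if ev["exe"] in LOLBINS:
        reasons.append("lolbin:" + ev["exe"])
    if ev["parent"] in SERVICE_PARENTS:
        reasons.append("spawned-by:" + ev["parent"])
    for pattern, label in ARG_PATTERNS:
        if pattern.search(ev["cmdline"]):
            reasons.append(label)
    return reasons


def analyze(lines):
    """Run every line through the rules; a single reason is 'low', two or more 'high'."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # unparsable lines are skipped rather than crashing the scan
        reasons = score_event(ev)
        if reasons:
            findings.append({
                "ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                "exe": ev["exe"], "reasons": reasons,
                "severity": "high" if len(reasons) >= 2 else "low",
            })
    return findings


def high_severity_by_host(findings):
    """Count high-severity findings per host; only possible with centralized logs."""
    return Counter(f["host"] for f in findings if f["severity"] == "high")


if __name__ == "__main__":
    results = analyze(SAMPLE_LOGS)
    for f in results:
        print(f["severity"].upper(), f["ts"], f["host"], f["user"], f["exe"], ", ".join(f["reasons"]))
    print("high-severity hosts:", dict(high_severity_by_host(results)))
```

The severity rule is deliberately simple: a lone `cmd.exe` launched by a user is everyday noise and scores low, while a built-in tool launched from a web server process, or run with arguments that touch directory data or set up port forwarding, scores high. The per-host roll-up is the part that depends on the central log store the mitigation calls for; the same events sitting on five separate machines would never be correlated.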
In addition, penetration testing, red team exercises, and social engineering assessments can help your organization simulate real-world attacks and stay ahead of the threat that groups like Volt Typhoon present.
As cybersecurity risks rise, international cooperation and proactive defenses are crucial to safeguarding critical infrastructure in this complex digital landscape.