
Chinese hackers infiltrate US infrastructure systems, undetected for a whopping five years


TLDR:

Volt Typhoon, a Chinese state-sponsored threat actor, has been found compromising US critical infrastructure systems for five years. CISA has issued a security advisory warning critical infrastructure organizations about this threat. Volt Typhoon has targeted multiple IT environments across sectors including Communications, Energy, Transportation Systems, and Water and Wastewater Systems. The threat actor relies on living-off-the-land techniques and valid accounts to maintain persistent access, and performs extensive reconnaissance to understand each targeted organization and tailor its tactics accordingly. It gains initial access through known or zero-day vulnerabilities and works toward full domain compromise in order to reach operational technology assets.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a security advisory warning critical infrastructure organizations of ongoing cyberattacks by a Chinese state-sponsored threat actor known as Volt Typhoon. According to the advisory, Volt Typhoon has been compromising US critical infrastructure systems for at least five years, with multiple IT environments across different sectors affected.

The threat actor, believed to be linked to the People’s Republic of China, is known for its use of living-off-the-land techniques and operational security measures to maintain persistent access. CISA has observed that the threat actor performs extensive reconnaissance before targeting an organization, building an understanding of network topologies, security measures, typical user behaviors, and key network and IT staff.

To gain initial access, the threat actor exploits known or zero-day vulnerabilities in public-facing network appliances, such as routers, VPNs, and firewalls, and uses that foothold to connect into the victim’s network. It also harvests administrator credentials that are insecurely stored on those public-facing appliances. In some cases, the threat actor achieves full domain compromise by extracting the Active Directory database using elevated credentials, which lets it move into strategic networks and gain access to operational technology (OT) assets.

CISA’s advisory includes detailed information on the threat actor’s activities, tactics, techniques, and procedures (TTPs), as well as recommendations for mitigating the threat. Organizations are advised to patch and update their systems regularly, enforce proper network segmentation, implement multi-factor authentication, and monitor for signs of compromise.

This discovery highlights the persistent and sophisticated nature of state-sponsored cyber threats, particularly those originating from China. The US government and critical infrastructure organizations must remain vigilant and take proactive measures to defend against such threats. Strong cybersecurity measures, including regular updates and patches, employee training, and robust incident response plans, are essential in protecting critical infrastructure systems from cyberattacks.
