The China-backed Volt Typhoon advanced persistent threat (APT) has been identified by the US Cybersecurity and Infrastructure Security Agency (CISA) as consistently targeting highly sensitive critical infrastructure, with a new pivot towards attacking operational technology (OT) networks.
This revelation paints a worrying picture of Chinese hackers deliberately positioning themselves to disrupt vital physical operations in areas such as energy, water utilities, communications, and transportation. The presumed purpose of any such disruption is to create panic and discord, particularly amid geopolitical tensions and potential military conflicts.
According to CISA’s Volt Typhoon advisory, the attackers are establishing themselves within IT networks to gain access to OT assets and disrupt their functions. This concern is intensified by the potential for these actors to use their network access for disruptive effects in the case of political or military tension.
John Hultquist, chief analyst at Mandiant Intelligence/Google Cloud, highlighted the significance of these findings, emphasizing that Volt Typhoon is not only targeting critical infrastructure but is also gathering information on and penetrating OT systems, which are crucial to the operations of vital infrastructure. Under the right conditions, these systems could be manipulated to cause major shutdowns of essential services or create dangerous conditions.
Moreover, CISA found evidence that Volt Typhoon has been hidden within US infrastructure for five years. This has been achieved by leveraging valid accounts and employing ‘living off the land’ (LOTL) techniques, allowing the threat actors to remain undetected for long periods. Additionally, this APT group has shown strong operational security, further complicating detection efforts.
While this tactic of remaining hidden within normal traffic isn’t new in cybercrime, it makes it significantly harder for potential targets to distinguish malicious activity from legitimate use. In response, CISA has issued guidance for organizations to proactively scan for and respond to potential threats.
Volt Typhoon’s ability to remain hidden and evade detection, coupled with the fact that many of the targeted OT environments run outdated software, is a cause for concern. The risk posed by this threat is further compounded, as CISA warned that other countries, including the United Kingdom, Australia, Canada, and New Zealand, are also susceptible to the actions of this APT group.
As the US government recently moved to disrupt Volt Typhoon’s small office/home office (SOHO) router botnet, which the group was using to evade tracking, it is clear that cybersecurity agencies are actively working to mitigate the threat posed by this highly sophisticated APT. Volt Typhoon’s latest pivot towards OT networks underscores the urgency of continued vigilance and preparedness in defending critical infrastructure against advanced cyber threats.
