The U.S. government has issued a warning about a significant threat posed by a Chinese nation-state group to critical infrastructures, revealing that attackers might have been lurking in victims’ IT environments for several years.
During a hearing before the House Select Committee on Strategic Competition Between the United States and the Chinese Communist Party, CISA Director Jen Easterly and FBI Director Christopher Wray warned about the potential threat of Chinese nation-state actors that have positioned themselves in critical infrastructure organizations for future attacks. The sectors at risk include energy, water, and telecommunications.
In a joint cybersecurity advisory, CISA, the FBI, and the National Security Agency confirmed that a Chinese threat group known as Volt Typhoon had compromised organizations in the communications, energy, transportation systems, and water and wastewater sectors. This revelation comes after the Department of Justice disrupted a botnet campaign by the same threat group that infected U.S.-based SOHO routers.
The agencies expressed concern about the prepositioning of Volt Typhoon actors in IT networks to enable lateral movement to OT assets and disrupt functions. They also observed indications of Volt Typhoon actors maintaining access and footholds within some victim IT environments for at least five years.
The warnings and threat intelligence outlined in the advisory are based on incident response investigations that involved Volt Typhoon. The agencies discovered that Volt Typhoon activity did not align with cyber espionage purposes and determined that there is a bigger play at hand that could put operational technology (OT) systems of critical infrastructure organizations at risk.
Volt Typhoon is considered dangerous due to its extensive reconnaissance capabilities, discoveries, and usage of zero-day vulnerabilities and evasion techniques. U.S. agencies even observed the actors targeting the personal emails of key network and IT staff in targeted organizations. To gain initial access to a victim’s environment, Volt Typhoon is known to leverage both zero-day and known vulnerabilities in networking appliances.
The advisory urged organizations to secure internet-facing devices, which Volt Typhoon has targeted in the past. The group has gained access to IT networks by exploiting known or zero-day vulnerabilities in routers, VPNs, and firewalls.
In some confirmed instances, Volt Typhoon actors likely obtained initial access by exploiting specific vulnerabilities in network perimeter devices that were not patched. The group is known to exploit vulnerabilities in network devices from Fortinet, Ivanti Connect Secure, Netgear, Citrix, and Cisco as primary initial access targets.
Volt Typhoon attacks have been publicly reported in the past, although it was previously not known that the group had contingency plans to launch disruptive attacks. The advisory warned that access by Volt Typhoon could lead to the compromise of heating, ventilation, and air conditioning systems in server rooms or disrupt critical energy and water controls. The group has also gained access to camera and surveillance systems within critical infrastructure facilities.
The agencies urged critical infrastructure to take immediate action to mitigate Volt Typhoon activity. Recommendations included patching internet-exposed systems and prioritizing vulnerabilities that Volt Typhoon frequently exploits, implementing phishing-resistant multifactor authentication, and reviewing account permissions on edge appliances and network devices to remove any domain administrator privileges.
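Two of the recommendations above (prioritizing patching of appliances from the vendors the advisory names, and stripping domain-administrator privileges from accounts used on edge devices) can be turned into a repeatable audit. The script below is an added example, not code from the advisory or from any agency; the CSV formats, device names and account names are constructed assumptions, and in practice the group export would come from a directory query and the inventory from an asset database.

```python
"""Audit edge-appliance service accounts against directory group membership.

Added example. Flags (1) devices whose vendor is on the advisory's list of
primary initial-access targets, so they can be patched first, and (2) accounts
that edge appliances use which sit in domain-wide administrative groups.
All input data is constructed for illustration.
"""
import csv
import io

# Vendors the advisory names as primary initial-access targets.
ADVISORY_VENDORS = {"Fortinet", "Ivanti", "Netgear", "Citrix", "Cisco"}

# Built-in directory groups that confer domain-wide administrative rights.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}

# Constructed export of (group, member) pairs, as a directory query might emit.
GROUP_EXPORT = """group,member
Domain Admins,svc-fw-backup
Domain Admins,admin.jdoe
VPN Users,svc-vpn-ldap
Enterprise Admins,svc-vpn-ldap
"""

# Constructed inventory: which account each edge device authenticates with.
DEVICE_INVENTORY = """device,vendor,account,purpose
fw-edge-01,Fortinet,svc-fw-backup,config backup
vpn-01,Ivanti,svc-vpn-ldap,ldap bind
rtr-core,Cisco,svc-netmon,ssh monitoring
wifi-ctl,ExampleVendor,svc-netmon,radius
"""


def load_groups(text):
    """Map each member to the set of groups it belongs to."""
    members = {}
    for row in csv.DictReader(io.StringIO(text)):
        members.setdefault(row["member"].strip(), set()).add(row["group"].strip())
    return members


def load_inventory(text):
    """Return inventory rows as a list of dicts, stripping stray whitespace."""
    return [{k: v.strip() for k, v in row.items()}
            for row in csv.DictReader(io.StringIO(text))]


def patch_priority(inventory_text):
    """Devices from advisory-named vendors, sorted by name, for patching first."""
    devices = load_inventory(inventory_text)
    return sorted(d["device"] for d in devices if d["vendor"] in ADVISORY_VENDORS)


def privileged_device_accounts(inventory_text, group_text):
    """(device, account, [privileged groups]) for every edge-device account
    that holds domain-wide administrative rights and should be re-scoped."""
    membership = load_groups(group_text)
    findings = []
    for d in load_inventory(inventory_text):
        priv = sorted(membership.get(d["account"], set()) & PRIVILEGED_GROUPS)
        if priv:
            findings.append((d["device"], d["account"], priv))
    return findings


if __name__ == "__main__":
    print("Patch first:", patch_priority(DEVICE_INVENTORY))
    for device, account, groups in privileged_device_accounts(DEVICE_INVENTORY, GROUP_EXPORT):
        print(f"{device}: account {account} is in {', '.join(groups)}; replace with a least-privilege account")
```

Accounts surfaced by the second check are the ones whose theft from a compromised appliance would hand an intruder domain-wide control; the remediation the advisory describes is to replace them with accounts scoped to the single task the device performs.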
The U.S. government continues to monitor the threat posed by Volt Typhoon and has issued this warning to ensure that critical infrastructure organizations take the necessary measures to protect themselves against potential attacks. The collaboration between multiple government agencies underscores the gravity of the situation and the need for heightened vigilance in the face of evolving cyber threats.
