US and allied federal government cyber authorities are warning that the Chinese state-sponsored cyber threat actor, known as Volt Typhoon, has infiltrated the networks of critical infrastructure over the past five years.
Targeted networks include communications, energy, transportation, and water and wastewater systems in the US and its territories such as Guam. The cyber authorities assess with high confidence that Volt Typhoon's choice of targets and pattern of behavior are not consistent with traditional cyber espionage or intelligence gathering operations, but rather with pre-positioning itself on critical networks so that it can subsequently move laterally to operational technology (OT) assets and disrupt processes.
Volt Typhoon is known to use living-off-the-land tactics, that is, using the services and features native to the compromised operating system to escalate privileges, move laterally, and deploy malware. This allows the group to operate discreetly, blending its malicious activity in with legitimate system and network behavior.
Volt Typhoon has also been observed using stolen account credentials and selectively deleting log files. These techniques make Volt Typhoon activity more difficult to detect and investigate—even by organizations with advanced security postures.
Another calling card of Volt Typhoon is its use of multi-hop proxies, like the recently dismantled KV-botnet, that route its malicious traffic through a network of compromised routers and firewalls in the US to mask its true origin.
This new warning comes shortly after the FBI and its partners announced that they had dismantled the KV-botnet, a botnet consisting of thousands of compromised small office/home office (SOHO) network equipment, including routers, firewalls, and VPN hardware, used by Volt Typhoon to facilitate malicious cyber activities and obscure its origin.
The FBI believes that denying Volt Typhoon the use of its botnet will have a significant impact on the group’s ability to hide pre-operational reconnaissance and network exploitation against critical infrastructure like our communications, energy, transportation, and water sectors.
It has been suggested that Volt Typhoon has been tasked by the Chinese government to identify and prepare to destroy or degrade critical infrastructure in the US and other countries that pose a threat to its ambitions and security. However, it is unlikely that Volt Typhoon would inflict any type of kinetic damage on targeted systems unless China was on the precipice of, or involved in, open warfare with the US and its allies.
Although this type of kinetic cyber activity sounds ominous, it’s not unusual. For example, in 2010, a powerful computer worm developed by the US and Israel known as Stuxnet was used to target assets on an Iranian air-gapped network that ultimately forced uranium enrichment centrifuges to spin out of control, causing massive damage to Iran’s nuclear program. Furthermore, in 2015, cyber actors belonging to Russia’s Main Intelligence Directorate, or GRU, launched a simultaneous wiper attack on three Ukrainian energy companies that resulted in nearly 200,000 homes being without power for several hours.
Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for threats from advanced cyber actors such as Volt Typhoon. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate the risk these types of groups pose. Covalence users are automatically notified when various types of malicious activities are detected in their environment and are encouraged to review these AROs as quickly as possible via the Covalence portal.
Field Effect echoes the following mitigation recommendations provided by the Cybersecurity and Infrastructure Security Agency (CISA):
Apply patches for internet-facing systems. Prioritize patching critical vulnerabilities in appliances known to be frequently exploited by Volt Typhoon.
Implement phishing-resistant MFA.
Ensure logging is turned on for application, access, and security logs and store logs in a central system.
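As an added, illustrative example (not Field Effect's or CISA's code), the following Python shows why the central log store in the last recommendation matters against an actor that selectively deletes local logs: it flags local log-clearing events, hosts whose forwarded stream has gone silent, and one account clearing logs on several hosts. The hostnames, timestamps and account names are constructed; event IDs 1102 and 104 are the real Windows IDs for the Security and System logs being cleared.

```python
"""Flag log clearing and silent hosts in centrally forwarded Windows event records."""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample records, shaped like a central log store might hold them (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "dc01", "ts": "2024-02-07T10:00:00", "channel": "Security", "event_id": 4624, "user": "svc_backup"},
    {"host": "dc01", "ts": "2024-02-07T10:05:00", "channel": "Security", "event_id": 1102, "user": "svc_backup"},
    {"host": "fw-mgmt", "ts": "2024-02-07T10:01:00", "channel": "System", "event_id": 7036, "user": "SYSTEM"},
    {"host": "fw-mgmt", "ts": "2024-02-07T10:02:00", "channel": "System", "event_id": 104, "user": "svc_backup"},
    {"host": "ws42", "ts": "2024-02-07T10:00:00", "channel": "Security", "event_id": 4624, "user": "alice"},
    {"host": "ws42", "ts": "2024-02-07T11:55:00", "channel": "Security", "event_id": 4634, "user": "alice"},
]

# Real Windows event IDs written when an event log is cleared.
LOG_CLEARED_IDS = {1102: "Security log cleared", 104: "System log cleared"}


def find_log_clearing(events):
    """Return (host, ts, user, description) for each local log-clearing event.
    The copies already live in the central store, so clearing the local log does not hide them."""
    return [(e["host"], e["ts"], e["user"], LOG_CLEARED_IDS[e["event_id"]])
            for e in events if e["event_id"] in LOG_CLEARED_IDS]


def find_silent_hosts(events, now_iso, max_gap=timedelta(hours=1)):
    """Return hosts whose last forwarded event is older than max_gap before now_iso.
    A host that stops forwarding may have had logging disabled locally."""
    now = datetime.fromisoformat(now_iso)
    last_seen = {}
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        last_seen[e["host"]] = max(last_seen.get(e["host"], ts), ts)
    return sorted(h for h, ts in last_seen.items() if now - ts > max_gap)


def accounts_clearing_multiple_hosts(events):
    """Accounts that cleared logs on more than one host: one credential reused across systems."""
    hosts_by_user = defaultdict(set)
    for host, _, user, _ in find_log_clearing(events):
        hosts_by_user[user].add(host)
    return {u: sorted(h) for u, h in hosts_by_user.items() if len(h) > 1}


if __name__ == "__main__":
    report = {"cleared": find_log_clearing(SAMPLE_EVENTS),
              "silent": find_silent_hosts(SAMPLE_EVENTS, "2024-02-07T12:00:00"),
              "multi_host": accounts_clearing_multiple_hosts(SAMPLE_EVENTS)}
    print(json.dumps(report, indent=2))
```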