Urgent Warning Issued to Key Infrastructure Leaders: Take Threats from China-Linked Actors Seriously
A recent warning, coinciding with an urgent request for U.S. governors to bolster water security, has put the spotlight on a cyber threat group known as Volt Typhoon. The group, linked to China, has already embedded itself in numerous transportation, energy, communications, and water and wastewater systems, according to a warning issued in February.
Volt Typhoon and other state-linked actors are gaining persistent access to critical infrastructure, which poses a critical business risk for organizations and for allied countries. The guidance released on Tuesday follows a February warning from the Five Eyes about Volt Typhoon.
Volt Typhoon does not rely on malware to maintain access to networks and carry out its activity. Instead, it uses tools and functions already built into the systems it compromises, a technique known as living off the land. Because this activity blends in with legitimate administration, it evades detection and supports stealthy, long-term espionage.
To protect themselves against Volt Typhoon, critical infrastructure organizations should prioritize defending against living off the land (LOTL) techniques. Recommended strategies include:
- Strengthening edge network device security to prevent exploitation, as Volt Typhoon targets these devices to remain hidden for months or years.
- Enhancing detection and monitoring of native system tools and legitimate administrative utilities that are often abused in LOTL attacks, so that malicious activity disguised as normal operations is identified more quickly.
- Implementing robust multi-factor authentication (MFA) and defending against credential theft, since similar Chinese APT groups such as Salt Typhoon use phishing and credential theft to gain access.
- Maintaining current patching and vulnerability management, especially on internet-facing systems and critical communication infrastructure, since vulnerabilities in these can provide entry points.
- Boosting network segmentation and limiting lateral movement to prevent attackers from escalating privileges and spreading within critical infrastructure networks.
- Fostering collaboration and information sharing with government agencies such as DHS, NSA, and FBI, which actively monitor and respond to these threats and provide timely threat intelligence and mitigation guidance.
These strategies address Volt Typhoon's tactic of using legitimate system tools and stealth to achieve sustained access. Recent reports indicate that although Volt Typhoon was ultimately unsuccessful in maintaining long-term persistence, its approach illustrates the importance of a resilient defensive posture.
The White House and Environmental Protection Agency have called for governors to send health, environmental, and homeland security officials to a virtual meeting. Organizations are also advised to establish strong vendor risk management processes and exercise due diligence in selecting vendors by following secure-by-design principles. Continuous training and regular tabletop exercises are strongly encouraged for organizations.
Detecting and mitigating living off the land techniques requires consistent access and security logging, with logs forwarded to and stored in a central system so that events from different hosts can be reviewed together. The Five Eyes have urged critical infrastructure organizations to follow CISA's cybersecurity performance goals and guidance from their respective sector-risk management agencies.
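The recommendations above to monitor native administrative utilities and to keep logs in a central system describe the goal but not the mechanics. The following is an added example, not code from the article or from any of the agencies it cites: a small Python detector that runs over a constructed sample of process-creation log lines, flags command lines in which built-in Windows utilities are invoked in ways that are rarely part of routine administration, and then correlates the alerts per host and user, which is the kind of cross-event view that central log collection makes possible. The log format, the sample events, the watch-list of utilities and the rule patterns are all assumptions made for illustration.

```python
"""Flag suspicious use of native Windows utilities (living off the land) in a
centrally collected process-creation log, then correlate alerts per actor.

Added example, not code from the article or from any agency advisory. The log
format, sample events, watch-list and rule patterns are all assumptions.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample (not real telemetry): one event per line, fields separated
# by "|": timestamp|host|user|parent_image|image|command_line
SAMPLE_LOG = """\
2024-03-19T10:02:11Z|fileserver01|CORP\\jdoe|explorer.exe|winword.exe|winword.exe report.docx
2024-03-19T10:05:42Z|fileserver01|CORP\\svc_backup|cmd.exe|netsh.exe|netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5 connectport=3389
2024-03-19T10:06:03Z|fileserver01|CORP\\svc_backup|cmd.exe|wmic.exe|wmic process call create "cmd /c whoami"
2024-03-19T10:07:15Z|jump-host03|CORP\\admin|powershell.exe|powershell.exe|powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA
2024-03-19T10:08:01Z|workstation22|CORP\\asmith|explorer.exe|notepad.exe|notepad.exe notes.txt
2024-03-19T10:09:30Z|fileserver01|CORP\\svc_backup|cmd.exe|netsh.exe|netsh interface portproxy show all
2024-03-19T14:30:00Z|workstation22|CORP\\asmith|explorer.exe|powershell.exe|powershell -File C:\\scripts\\inventory.ps1
"""


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


def parse_line(line: str) -> Event:
    """Split one assumed-format log line into an Event (image name lower-cased)."""
    ts, host, user, parent, image, cmdline = line.split("|", 5)
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                 host, user, parent, image.lower(), cmdline)


# Watch-list: (rule name, image, regex over the command line). Illustrative only;
# a production list is tuned to how administrators actually work in the environment.
RULES = [
    ("netsh_portproxy", "netsh.exe", re.compile(r"\bportproxy\b.*\badd\b", re.I)),
    ("wmic_remote_exec", "wmic.exe", re.compile(r"\bprocess\b.*\bcall\b.*\bcreate\b", re.I)),
    ("powershell_encoded", "powershell.exe", re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\b", re.I)),
    ("powershell_hidden", "powershell.exe", re.compile(r"(^|\s)-w(indowstyle)?\s+hidden\b", re.I)),
]


def match_rules(ev: Event) -> list[str]:
    """Return the names of every rule whose image and pattern match this event."""
    return [name for name, image, pattern in RULES
            if ev.image == image and pattern.search(ev.cmdline)]


def scan(log_text: str) -> list[dict]:
    """Run every rule over every log line; one alert per (event, rule) pair."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        for rule in match_rules(ev):
            alerts.append({"ts": ev.ts, "host": ev.host, "user": ev.user,
                           "image": ev.image, "rule": rule, "cmdline": ev.cmdline})
    return alerts


def correlate(alerts: list[dict], window: timedelta = timedelta(minutes=15),
              min_rules: int = 2) -> list[dict]:
    """Group alerts by (host, user) and report each actor for whom at least
    `min_rules` distinct rules fire within one time window. A single flagged
    command is often an admin at work; several different ones in quick
    succession from the same account deserve a look."""
    by_actor: dict[tuple[str, str], list[dict]] = {}
    for a in alerts:
        by_actor.setdefault((a["host"], a["user"]), []).append(a)
    findings = []
    for (host, user), items in by_actor.items():
        items.sort(key=lambda a: a["ts"])
        for i, first in enumerate(items):
            inside = [a for a in items[i:] if a["ts"] - first["ts"] <= window]
            rules = sorted({a["rule"] for a in inside})
            if len(rules) >= min_rules:
                findings.append({"host": host, "user": user,
                                 "start": first["ts"], "rules": rules})
                break  # one finding per actor is enough for triage
    return findings


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']:%H:%M:%S} {a['host']} {a['user']} {a['rule']}: {a['cmdline']}")
    for f in correlate(found):
        print(f"CORRELATED {f['host']} {f['user']} from {f['start']:%H:%M:%S}: {', '.join(f['rules'])}")
```

On the sample, the `netsh ... portproxy show all` line and the scripted `powershell -File` line produce no alert, which is the point of anchoring rules on specific argument patterns rather than on the utility name alone: these tools are used legitimately every day, and a rule that fires on every invocation trains analysts to ignore it. The correlation step only works because events from `fileserver01` and `jump-host03` sit in one place; with per-host logs there is no single view in which two different utilities run by the same account seconds apart stand out.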
In sum, holistic defenses combining proactive network security hygiene, monitoring for suspicious use of native tools, MFA enforcement, and coordination with federal cybersecurity entities are critical to counter the specific challenges posed by Volt Typhoon’s LOTL techniques targeting U.S. critical infrastructure.
- The persistent access that cyber threat groups like Volt Typhoon have gained to critical infrastructure presents a significant business risk for organizations and allied countries.
- To counter Volt Typhoon's living off the land techniques, it is crucial for critical infrastructure organizations to prioritize network security hygiene, implementation of multi-factor authentication, and regular training.
- In addition to these measures, strong vendor risk management processes, regular tabletop exercises, and continuous logging for access and security are essential in detecting and mitigating cyber risks such as those posed by Volt Typhoon.