The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) have issued an alert to all Federal agencies confirming that the People’s Republic of China (PRC) state-sponsored hacking actor Volt Typhoon has compromised multiple critical infrastructure providers in the United States and U.S. territories such as Guam.
Other Chinese hacking groups also appear to be part of the campaign, which is thought to be part of preparations for military attacks by the PRC in the Asia-Pacific region. In the event of such a conflict, the groups would be able to unleash devastating destructive cyberattacks in the U.S. and its territories. The most likely scenario would be in the event of the invasion of Taiwan. The PRC would be able to unleash devastating attacks simultaneously hitting multiple critical infrastructure entities, including destructive attacks on operational technology systems that run physical processes at the heart of critical infrastructure. The aim would be to crush the will of the U.S. to defend Taiwan in the event of a major conflict, and in Guam and other U.S. overseas territories, the attacks could slow the deployment of forces. Similar tactics have been used by Russia in Ukraine to attack water, energy, and other criminal infrastructure sectors.
According to the alert, the threat actor has compromised targets primarily in the energy, communications, water and wastewater, and transportation sectors and has used living-off-the-land techniques to hide its malicious activities. The hackers have compromised legitimate accounts and used other tools to achieve long-term undetected persistence, including embedding themselves in small office/home office routers and other networking equipment. The hackers have exploited vulnerabilities in the networking gear of companies such as Fortinet, Ivanti Connect Secure, NETGEAR, Citrix, and Cisco using publicly available exploit code; however, the hackers have also demonstrated they are adept at finding and exploiting zero-day vulnerabilities.
The activity is not consistent with the Volt Typhoon’s previous attacks, which have been focused on espionage and the theft of intellectual property. The access maintained by the hackers could be used to cause a variety of disruptions, such as affecting critical energy and water controls and disrupting HVAC systems in server rooms. In some of the instructions, the hackers also gained access to camera surveillance systems. The goal appears to gain access to operational technology systems and, in some cases, the hackers have had access to systems for up to 5 years. If the access is turned into coordinated, destructive attacks, they would likely spill over into Canada due to cross border integration and it is likely that critical infrastructure in Australia and New Zealand is also under threat.
According to the alert, “Volt Typhoon actors conduct extensive pre-exploitation reconnaissance to learn about the target organization and its environment; tailor their tactics, techniques, and procedures (TTPs) to the victim’s environment; and dedicate ongoing resources to maintaining persistence and understanding the target environment over time, even after initial compromise.” The Federal agencies have advised all critical infrastructure entities to apply the mitigations in the alert and look for similar malicious activity using the suggestions outlined in the guidance for identifying and mitigating living-off-the-land tactics. If malicious activity is detected it should be reported to the relevant agency and the recommended incident response actions applied.
“The PRC cyber threat is not theoretical: leveraging information from our government and industry partners, CISA teams have found and eradicated Volt Typhoon intrusions into critical infrastructure across multiple sectors. And what we’ve found to date is likely the tip of the iceberg,” said CISA Director Jen Easterly. “Today’s joint advisory and guide are the result of effective, persistent operational collaboration with our industry, federal, and international partners and reflect our continued commitment to providing timely, actionable guidance to all of our stakeholders. We are at a critical juncture for our national security. We strongly encourage all critical infrastructure organizations to review and implement the actions in these advisories and report any suspected Volt Typhoon or living off the land activity to CISA or FBI.”