The US Cybersecurity and Infrastructure Security Agency (CISA) has released an advisory detailing how the Chinese state-backed Volt Typhoon advanced persistent threat (APT) has been persistently targeting highly sensitive critical infrastructure, with new insight into the attackers' pivot to operational technology (OT) networks once they are inside.
Given that OT networks run the physical functions of industrial control systems (ICS) and supervisory control and data acquisition (SCADA) equipment, the findings lend weight to the long-standing suspicion that Chinese hackers are preparing to disrupt physical operations in the energy, water, communications and transportation sectors, presumably to sow panic and discord in the event of a kinetic conflict between the United States and China.
“Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions,” according to CISA's Volt Typhoon alert. “[We] are concerned about the potential for these actors to use their network access for disruptive effect in the event of potential geopolitical tensions and/or military conflicts.”
This is an important series of revelations, according to John Hultquist, chief analyst at Mandiant Intelligence/Google Cloud.
“Previously, we could infer from targeting that the actor had a strong interest in critical infrastructure that had little intelligence value,” he said in an emailed analysis. But the CISA report shows that “Volt Typhoon is gathering information and even penetrating OT systems, the highly sensitive systems that manage the physical processes at the heart of critical infrastructure,” he added. “Under the right conditions, OT systems could be manipulated to cause major disruptions to essential services or even create dangerous conditions.”
Hultquist added: “If there was any skepticism about why this actor is carrying out these intrusions, this revelation should put it to rest.”
Live off the land and hide for 5 years
CISA also revealed today that Volt Typhoon (aka Vanguard Panda, Bronze Silhouette, DEV-0391, UNC3236, Voltzite and Insidious Taurus) has been quietly lurking in US infrastructure for half a decade, even though Microsoft first publicly documented the group only last year.
“Unlike ransomware operators whose goal is to get in and cause damage quickly, this nation-state operator is exploiting valid accounts and ‘living off the land’ [LOTL] techniques to evade detection for long periods of time,” said Ken Westin, field CISO at Panther Labs, in an emailed comment. “These methods allow the group to monitor its targets and provide a foothold to cause kinetic damage.”
Additionally, the APT “also relies on valid accounts and leverage[s] strong operational security, which… allows for long-term undiscovered persistence,” CISA explained. “Volt Typhoon actors conduct extensive pre-exploitation reconnaissance to learn about the target organization and its environment; tailor their tactics, techniques and procedures (TTPs) to the victim's environment; and dedicate ongoing resources to maintaining persistence and understanding the target environment over time, even after initial compromise.”
While Volt Typhoon's strategy of staying hidden by using legitimate services and blending in with normal traffic is not a new phenomenon in cybercrime, it can be detected, according to CISA, which today also published extensive LOTL guidance on doing just that.
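The LOTL hunting that such guidance describes has a recognisable shape: establish what built-in utilities each valid account normally runs, then look for dual-use binaries that fall outside that baseline or carry high-signal arguments. The Python script below is an added example of that approach; it is not code from CISA, the article, or any vendor quoted here. The record format, the host and user names, the list of dual-use Windows binaries, the argument patterns and every log line are constructed assumptions made for the example.

```python
"""Toy living-off-the-land (LOTL) hunt over process-creation records.

Constructed example, not code from CISA or the article. Builds a per-account
baseline of which built-in utilities each valid account normally runs, then
flags dual-use binaries that fall outside it or carry high-signal arguments.
"""
from collections import defaultdict
from dataclasses import dataclass
import re

# Built-in Windows utilities frequently abused for LOTL activity.
# Illustrative assumption for this example; the article names none of these.
LOTL_BINARIES = {
    "ntdsutil.exe", "netsh.exe", "wmic.exe", "powershell.exe",
    "certutil.exe", "reg.exe", "vssadmin.exe",
}
# Argument patterns that are rarely legitimate on an ordinary host.
# Also an illustrative assumption, not a list taken from the page.
SUSPICIOUS_ARGS = [
    (re.compile(r"\bntds\b", re.I), "references the AD database (NTDS)"),
    (re.compile(r"\bifm\b", re.I), "ntdsutil install-from-media export"),
    (re.compile(r"\bportproxy\b", re.I), "netsh port forwarding"),
    (re.compile(r"-enc(odedcommand)?\b", re.I), "encoded PowerShell"),
]

@dataclass(frozen=True)
class ProcEvent:
    ts: str
    host: str
    user: str
    image: str      # executable basename, lower-cased
    cmdline: str

def parse_events(text):
    """Parse the constructed 'ts|host|user|image|cmdline' record format."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, user, image, cmdline = line.split("|", 4)
        events.append(ProcEvent(ts, host, user, image.lower(), cmdline))
    return events

def build_baseline(events):
    """Count how often each (user, image) pair appears in the baseline window."""
    counts = defaultdict(int)
    for ev in events:
        counts[(ev.user, ev.image)] += 1
    return counts

def detect(baseline, events, min_seen=3):
    """Return (event, reason) pairs worth an analyst's attention.

    Flag a LOTL binary when the account has run it fewer than `min_seen` times
    in the baseline (a valid account doing something new) or when its command
    line matches a high-signal pattern (abuse of a tool the account does use)."""
    alerts = []
    for ev in events:
        if ev.image not in LOTL_BINARIES:
            continue
        reasons = []
        if baseline.get((ev.user, ev.image), 0) < min_seen:
            reasons.append(f"{ev.user} rarely runs {ev.image}")
        for pattern, label in SUSPICIOUS_ARGS:
            if pattern.search(ev.cmdline):
                reasons.append(label)
        if reasons:
            alerts.append((ev, "; ".join(reasons)))
    return alerts

# Constructed sample data: an administrator who routinely uses netsh and reg.
BASELINE_LOG = """
2024-01-08T09:00:00Z|ws01|jsmith|netsh.exe|netsh interface show interface
2024-01-09T09:00:00Z|ws01|jsmith|netsh.exe|netsh interface show interface
2024-01-10T09:00:00Z|ws01|jsmith|netsh.exe|netsh interface show interface
2024-01-10T09:05:00Z|ws01|jsmith|reg.exe|reg query HKLM\\Software
2024-01-10T09:06:00Z|ws01|jsmith|reg.exe|reg query HKLM\\Software
2024-01-10T09:07:00Z|ws01|jsmith|reg.exe|reg query HKLM\\Software
"""
# Constructed sample data: the same valid account at 02:00, doing one thing it
# never does (ntdsutil export) and abusing one tool it does use daily (netsh).
NEW_LOG = """
2024-02-01T02:13:00Z|ws01|jsmith|netsh.exe|netsh interface show interface
2024-02-01T02:14:00Z|dc01|jsmith|ntdsutil.exe|ntdsutil ac i ntds ifm create full c:\\export q q
2024-02-01T02:20:00Z|ws01|jsmith|netsh.exe|netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5 connectport=445
2024-02-01T02:25:00Z|ws01|jsmith|reg.exe|reg query HKLM\\Software
"""

def run_demo():
    """Apply the hunt to the constructed data; returns [(user, image, reason)]."""
    baseline = build_baseline(parse_events(BASELINE_LOG))
    return [(ev.user, ev.image, why) for ev, why in detect(baseline, parse_events(NEW_LOG))]

if __name__ == "__main__":
    for user, image, why in run_demo():
        print(f"ALERT {user} {image}: {why}")
```

Two of the four new records are flagged. The ntdsutil export trips both checks, but the netsh portproxy command comes from an account whose baseline shows netsh every day, so the rarity check alone would let it through; the argument pattern is what catches it. That is the point of combining the two: valid accounts and routine binaries are exactly what blends in, so the hunt has to look at what the account did with the tool, not just which tool it ran.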
Meanwhile, an infrastructure upgrade, even where it would require a costly and labor-intensive forklift replacement, would not go amiss.
“Many of the targeted OT environments are known for running outdated software, whether through negligence or out of necessity when systems cannot be updated, which increases the risk posed by this threat,” Westin said.
Worryingly, CISA also noted that the danger extends beyond the United States. Last month, SecurityScorecard's STRIKE team identified new infrastructure linked to Volt Typhoon indicating that the APT was also targeting Australian and UK government assets. The CISA report widens that circle to Canada and New Zealand as well: the infrastructure of all of these US partners is likewise susceptible to the nation-state actor, it warns.
CISA's advisory comes on the heels of a government operation to disrupt the group's small office/home office (SOHO) router botnet, which the group has used in the past to evade those monitoring its activity.