The U.S. government has issued a strong and stern warning over the China-backed Volt Typhoon cybercrime group, which continues to burrow its way into the IT networks of communications, energy, transportation, water and wastewater organizations.
Joint guidance issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA) last week recognizes the reality that the People’s Republic of China (PRC) has already compromised these systems.
The compromise has occurred through prolonged, persistent access to critical infrastructure targets, maintained for years by leveraging legitimate tools already present on the systems, a technique known as “living off the land.”
“The data and information CISA and its U.S. government partners have gathered strongly suggest the PRC is positioning itself to launch destructive cyberattacks that would jeopardize the physical safety of Americans and impede military readiness in the event of a major crisis or conflict with the United States,” CISA stated on its website.
What is “Living off the Land”?
By using “living off the land” techniques, PRC cyber actors blend in with normal system and network activities, avoid identification by network defenses and limit the amount of activity that is captured in common logging configurations, according to CISA. Thus, detecting and mitigating this type of malicious cyber activity requires a multi-faceted and comprehensive approach to discern legitimate from malicious behavior and conduct behavior analytics, anomaly detection, and proactive hunting.
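The behavior analytics and proactive hunting CISA describes come down to comparing what built-in tools are doing now against what they normally do on a given host and account. The script below is an added illustration written for this article, not code from CISA, Microsoft or the advisory: it builds a baseline of (host, user, process) triples from a constructed set of process-creation events, then flags hunt-period events where a watchlisted administrative tool runs under a host/user combination that the baseline never, or rarely, saw. The watchlist, host names, user names and log lines are all constructed assumptions.

```python
import csv
from collections import Counter
from io import StringIO

# Built-in Windows administrative tools that are used legitimately every day but
# also feature in living-off-the-land activity. This watchlist is an assumption
# made for the example, not a list taken from the advisory.
LOTL_WATCHLIST = {
    "powershell.exe", "cmd.exe", "wmic.exe", "netsh.exe",
    "ntdsutil.exe", "certutil.exe", "reg.exe", "schtasks.exe",
}

# Constructed process-creation events (Windows event 4688 style) from a quiet
# week, used as the behavioural baseline. All hosts and users are made up.
BASELINE_LOG = """timestamp,host,user,process,parent
2024-02-01T09:00:01,WS01,alice,powershell.exe,explorer.exe
2024-02-02T09:12:44,WS01,alice,powershell.exe,explorer.exe
2024-02-03T10:05:19,WS01,alice,powershell.exe,explorer.exe
2024-02-01T23:00:00,SRV-DC1,svc_backup,ntdsutil.exe,backup_agent.exe
2024-02-04T23:00:00,SRV-DC1,svc_backup,ntdsutil.exe,backup_agent.exe
2024-02-02T14:30:10,WS02,bob,cmd.exe,explorer.exe
2024-02-05T15:02:41,WS02,bob,cmd.exe,explorer.exe
"""

# Constructed events from the period being hunted over.
HUNT_LOG = """timestamp,host,user,process,parent
2024-02-08T09:01:12,WS01,alice,powershell.exe,explorer.exe
2024-02-08T23:00:00,SRV-DC1,svc_backup,ntdsutil.exe,backup_agent.exe
2024-02-08T03:14:07,WS02,bob,netsh.exe,cmd.exe
2024-02-08T03:16:55,SRV-DC1,svc_fw,ntdsutil.exe,cmd.exe
2024-02-08T11:20:30,WS01,alice,notepad.exe,explorer.exe
"""


def parse_events(text):
    """Parse CSV event text into a list of dicts, one per process-creation event."""
    return list(csv.DictReader(StringIO(text)))


def build_baseline(events):
    """Count how often each (host, user, process) triple occurred in the baseline period."""
    return Counter((e["host"], e["user"], e["process"].lower()) for e in events)


def find_anomalies(baseline, events, min_seen=2):
    """Return hunt events where a watchlisted tool runs under a host/user pair
    that the baseline saw fewer than min_seen times. Counter returns 0 for
    unseen keys, so a never-seen triple is flagged without any extra lookup."""
    findings = []
    for e in events:
        proc = e["process"].lower()
        if proc not in LOTL_WATCHLIST:
            continue  # ordinary applications are out of scope for this hunt
        seen = baseline[(e["host"], e["user"], proc)]
        if seen < min_seen:
            findings.append({**e, "baseline_count": seen,
                             "reason": "never seen" if seen == 0 else "rare"})
    return findings


def run_hunt():
    """Build the baseline from BASELINE_LOG and hunt over HUNT_LOG."""
    baseline = build_baseline(parse_events(BASELINE_LOG))
    return find_anomalies(baseline, parse_events(HUNT_LOG))


if __name__ == "__main__":
    for f in run_hunt():
        print(f"{f['timestamp']} {f['host']} {f['user']} {f['process']} "
              f"(parent {f['parent']}): {f['reason']}, baseline count {f['baseline_count']}")
```

On the constructed data the routine leaves alice's daily PowerShell use and the backup account's scheduled ntdsutil runs alone, and surfaces only the two events that break the baseline: netsh.exe launched from cmd.exe on a workstation at 03:14, and ntdsutil.exe run on the domain controller by an account that has never run it. Neither event would be caught by a signature, because both binaries are legitimate; the signal is the departure from normal, which is the point CISA makes about living-off-the-land activity.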
CISA Director Jen Easterly said the PRC cyber threat is not theoretical: CISA teams have found and eradicated Volt Typhoon intrusions into critical infrastructure across multiple sectors, and that is likely “the tip of the iceberg.”
“Today’s joint advisory and guide are the result of effective, persistent operational collaboration with our industry, federal, and international partners and reflect our continued commitment to providing timely, actionable guidance to all of our stakeholders,” Easterly said on February 7. “We are at a critical juncture for our national security. We strongly encourage all critical infrastructure organizations to review and implement the actions in these advisories and report any suspected Volt Typhoon or living off the land activity to CISA or FBI.”
How Volt Typhoon Gains Access, Stays Undetected
According to a Microsoft blog post, Volt Typhoon achieves initial access to targeted organizations through internet-facing Fortinet FortiGuard devices. The threat actor attempts to leverage any privileges afforded by the Fortinet device, extracts credentials to an Active Directory account used by the device, and then attempts to authenticate to other devices on the network with those credentials.
Volt Typhoon proxies all its network traffic to its targets through compromised SOHO network edge devices (including routers). Microsoft said it has confirmed that many of the devices, which include those manufactured by ASUS, Cisco, D-Link, NETGEAR, and Zyxel, allow the owner to expose HTTP or SSH management interfaces to the internet. Microsoft advised owners of network edge devices to ensure that management interfaces are not exposed to the public internet in order to reduce their attack surface. By proxying through these devices, Volt Typhoon enhances the stealth of its operations and lowers the overhead cost of acquiring infrastructure.
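Microsoft's advice above turns into a concrete check: no firewall rule on the WAN side of an edge device should allow the HTTP or SSH management ports from untrusted sources. The following is an added example written for this article, not Microsoft's or any vendor's tooling: it audits a constructed rule table, reports management ports reachable from the internet, and shows the same table after the exposure is closed. The rule format, port map and trusted admin network are assumptions for the example; a real device's export would need its own parser in front of this logic.

```python
import ipaddress

# TCP ports on which edge devices commonly serve their management UI or SSH.
# The map is an assumption for this example, not taken from a vendor document.
MGMT_PORTS = {22: "ssh", 80: "http", 443: "https", 8443: "https-alt"}

# Assumed internal administration network from which management is acceptable.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Constructed rule table for a device whose owner has exposed management to the
# internet. iface is the side the packet arrives on; src is the allowed source.
WEAK_RULES = [
    {"id": 1, "iface": "wan", "proto": "tcp", "dport": 443, "src": "0.0.0.0/0", "action": "allow"},
    {"id": 2, "iface": "wan", "proto": "tcp", "dport": 22, "src": "0.0.0.0/0", "action": "allow"},
    {"id": 3, "iface": "wan", "proto": "udp", "dport": 1194, "src": "0.0.0.0/0", "action": "allow"},  # VPN, not a management UI
    {"id": 4, "iface": "lan", "proto": "tcp", "dport": 443, "src": "10.10.0.0/24", "action": "allow"},
]

# The same table with WAN-side management closed; administration only from the LAN admin range.
HARDENED_RULES = [
    {"id": 1, "iface": "wan", "proto": "tcp", "dport": 443, "src": "0.0.0.0/0", "action": "deny"},
    {"id": 2, "iface": "wan", "proto": "tcp", "dport": 22, "src": "0.0.0.0/0", "action": "deny"},
    {"id": 3, "iface": "wan", "proto": "udp", "dport": 1194, "src": "0.0.0.0/0", "action": "allow"},
    {"id": 4, "iface": "lan", "proto": "tcp", "dport": 443, "src": "10.10.0.0/24", "action": "allow"},
]


def is_trusted_source(cidr):
    """True only if every address in cidr lies inside one trusted admin network.
    0.0.0.0/0 (any source) is never trusted, because it is not a subnet of any
    smaller range."""
    net = ipaddress.ip_network(cidr, strict=False)
    for trusted in TRUSTED_ADMIN_NETS:
        if net.version == trusted.version and net.subnet_of(trusted):
            return True
    return False


def exposed_management_rules(rules):
    """Return (rule id, service, source) for every allow rule that lets an
    untrusted source reach a management port on the WAN interface."""
    findings = []
    for r in rules:
        if r["action"] != "allow" or r["iface"] != "wan" or r["proto"] != "tcp":
            continue
        if r["dport"] not in MGMT_PORTS:
            continue
        if is_trusted_source(r["src"]):
            continue
        findings.append((r["id"], MGMT_PORTS[r["dport"]], r["src"]))
    return findings


if __name__ == "__main__":
    for label, table in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label, exposed_management_rules(table) or "no management ports exposed")
```

Running the audit over the weak table reports rules 1 and 2 (HTTPS and SSH open to 0.0.0.0/0) and nothing else: the VPN rule is not a management interface, and the LAN-side HTTPS rule is restricted to the admin range. The hardened table produces no findings. A device that passes this check can still be compromised by other means, but it is no longer one of the internet-reachable management interfaces the article describes as Volt Typhoon's way into SOHO edge devices.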
MSSPs, Cybersecurity Experts, Weigh In
“Their presence is a warning call, highlighting the need for proactive cybersecurity measures, continuous monitoring and sharing of information among various stakeholders,” Brescic said. “I believe the Volt Typhoon poses a significant risk to critical infrastructure networks, underscoring the need for robust cybersecurity measures across industries and government partners.”
Mickey Bresman, CEO of Semperis, a 100% channel Active Directory (AD) cybersecurity specialist, advises organizations to adopt an “assume breach mindset” and take steps to increase the resiliency of critical systems.
“Overall, the fact that bad actors went five years without getting caught reinforces the assumption that we should operate in the assume breach mindset,” Bresman said. “From Semperis’ incident response experiences with global governments and public and private sector organizations, Chinese and Russian state-sponsored actors are steely eyed and determined to compromise any network, at any time. And they will take whatever they desire like school yard bullies.”
He advised all organizations to assess their critical systems, particularly Active Directory, “because nine out of 10 cyberattacks target it.”
“By operating in the assume breach mindset, if you find one compromised environment or one malicious malware, such as password interception, assume that there are others that you have not discovered,” he said.
“Most concerning is the attack on critical infrastructure — cyber warfare focusing on critical services such as utilities and water indicates a different end game,” said Berglas, a former FBI Cyber Division Special Agent. “No longer is the focus on advantage, but on damage and strongholds.”
FBI Blocks Volt Typhoon
MSSP Alert reported on February 6 that FBI Director Christopher Wray, testifying at a recent U.S. House of Representatives committee hearing, said the FBI had shut down Volt Typhoon activity.
The U.S. action taken on Volt Typhoon is one of several offensive maneuvers that the FBI and the Department of Justice have undertaken to push back on cybercrime groups, particularly those that have constructed botnets to widen their reach and impact. For example, in September 2023 the FBI and international partners dismantled the notorious Qakbot botnet network and malware.
Volt’s past targets have included sites in Guam, where the U.S. has a major military presence.