The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a report detailing how the China-backed Volt Typhoon advanced persistent threat (APT) is consistently targeting highly sensitive critical infrastructure, with new information on the cyberattackers’ pivot to operational technology (OT) networks once they’ve burrowed inside.
Given that the OT network is responsible for the physical functions of industrial control systems (ICS) and supervisory control and data acquisition (SCADA) equipment, the findings corroborate the ongoing suspicion that Chinese hackers are seeking the ability to disrupt critical physical operations in energy, water utilities, communications, and transportation, presumably to cause panic and discord in the event of a kinetic conflagration between the US and China.
“Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions,” according to CISA’s Volt Typhoon advisory. “[We] are concerned about the potential for these actors to use their network access for disruptive effects in the event of potential geopolitical tensions and/or military conflicts.”
It’s an important set of revelations, according to John Hultquist, chief analyst at Mandiant Intelligence/Google Cloud.
“Previously, we could deduce from targeting that the actor had a strong interest in critical infrastructure that had little intelligence value,” he said in an emailed analysis. But the CISA report shows that “Volt Typhoon is gathering information on, and even penetrating, OT systems — the highly sensitive systems that run the physical processes at the heart of critical infrastructure,” he added. “Under the right conditions, OT systems could be manipulated to cause major shutdowns of essential services, or even to create dangerous conditions.”
Hultquist added, “If there was any skepticism as to why this actor is carrying out these intrusions, this revelation should put it to rest.”
Living Off the Land & Hiding for 5 Years
CISA also revealed today that Volt Typhoon (aka Vanguard Panda, Bronze Silhouette, Dev-0391, UNC3236, Voltzite, and Insidious Taurus) has secretly hidden in US infrastructure for half a decade — even though they were first publicly outed by Microsoft only last year.
“Unlike ransomware operators whose goal is to get in and cause damage quickly, this nation-state operator is leveraging valid accounts and ‘living off the land’ [LOTL] techniques to evade detection for long periods of time,” Ken Westin, field CISO at Panther Lab, said in an emailed comment. “These methods allow the group to monitor their targets and provide a foothold to cause kinetic damage.”
To boot, the APT “also relies on valid accounts and leverage[s] strong operational security, which … allows for long-term undiscovered persistence,” CISA explained. “Volt Typhoon actors conduct extensive pre-exploitation reconnaissance to learn about the target organization and its environment; tailor their tactics, techniques, and procedures (TTPs) to the victim’s environment; and dedicate ongoing resources to maintaining persistence and understanding the target environment over time, even after initial compromise.”
While Volt Typhoon’s strategy of staying hidden by using legitimate utilities and blending in with normal traffic isn’t a new phenomenon in cybercrime, it does make it difficult for potential targets to actively scan for malicious activity, according to CISA, which issued extensive LOTL guidance today for doing just that.
Meanwhile, an infrastructure update might not go amiss either, even though in some cases it could require a costly and labor-intensive forklift replacement.
“Many of the OT environments being targeted are notorious for running outdated software, either out of negligence or necessity, if the systems cannot be updated, which increases the risk posed by this threat,” Westin said.
Worryingly, CISA also noted that the danger extends beyond the US. Last month, SecurityScorecard’s STRIKE team identified new infrastructure linked to Volt Typhoon that indicated the APT was also targeting Australian and UK government assets. The CISA report broadens that risk to also include Canada and New Zealand — all of these US partners’ infrastructure is also susceptible to nation-state actors, it warned.