Five Eyes agencies are urging executives who manage critical infrastructure to take China-linked threats seriously.
Volt Typhoon, a Chinese state-sponsored threat actor affiliated with the People's Liberation Army (PLA), has been targeting critical infrastructure in the United States, including Guam, Hawaii, and Texas, since at least 2018. The group, known for its "living off the land" (LotL) techniques, has been a cause for concern for U.S. agencies including the NSA and FBI.
Volt Typhoon employs legitimate system tools and software already present in the environment to conduct its malicious activities. This approach helps the group evade detection since no unusual malware binaries or tools need to be installed. Despite this, the group failed to maintain persistent access and was eventually removed from the targeted networks. However, the threat remains significant as the group has conducted extensive reconnaissance, credential theft, and stealthy network access in strategic locations.
To protect against Volt Typhoon’s living off the land techniques, critical infrastructure organizations are advised to:
- Monitor and analyze legitimate system tool usage closely: Defenders should implement advanced behavioral analytics to detect abnormal or unauthorized use of these tools.
- Implement strong credential hygiene and multi-factor authentication (MFA): The actors steal credentials to impersonate legitimate users and maintain access. Limiting credential compromise and using MFA reduces this risk.
- Network segmentation and strict access control: Restrict lateral movement within networks by segmenting critical infrastructure assets and applying the principle of least privilege.
- Continuous threat hunting and anomaly detection: Employ proactive threat hunting to identify stealthy intrusions and anomalies that may indicate living off the land attacks.
- Audit logs for suspicious activity: Enable detailed logging of system tool executions and access, and regularly audit these logs.
- Keep systems patched and updated: Prevent exploitation of vulnerabilities that might facilitate initial access or lateral movement.
- Use endpoint detection and response (EDR) solutions focused on behavioral patterns: EDR tools can detect suspicious sequences of legitimate commands and system tool invocations rather than relying solely on malware signatures.
- Establish partnerships and share threat intelligence: Collaborate with government agencies and industry groups to remain informed about the latest tactics used by Volt Typhoon and related groups.
- Continuous training and regular tabletop exercises: Both are strongly encouraged.
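The first, fourth and seventh recommendations above all come down to the same detection problem: native tools are expected on every host, so the signal is not the tool itself but who runs it, where, and in what sequence. The following is an added example, not code from the article or from any Five Eyes agency, of a minimal behavioral baseline over process-creation events. It learns which binaries each (host, user) principal normally executes from a learning window, then flags later events that fall outside that baseline, scores them higher when the binary is on a watchlist of built-in administrative utilities, and raises a separate alert when one principal runs several watchlisted tools within a short window. The log format, the sample events and the watchlist are all constructed for the example; the advisory's actual command list is not reproduced here.

```python
"""Baseline-deviation detector for native (LotL) tool usage. Constructed example."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Assumed event format (constructed, not a real sensor export):
#   timestamp,host,user,image_path,parent_image
BASELINE_LOG = """\
2024-03-01T09:02:11,WS01,alice,C:\\Windows\\explorer.exe,userinit.exe
2024-03-01T09:05:40,WS01,alice,C:\\Program Files\\Office\\winword.exe,explorer.exe
2024-03-01T10:15:02,SRV01,svc_backup,C:\\Windows\\System32\\wbadmin.exe,services.exe
2024-03-02T09:01:55,WS01,alice,C:\\Program Files\\Office\\winword.exe,explorer.exe
2024-03-02T22:30:00,SRV01,admin_bob,C:\\Windows\\System32\\netsh.exe,cmd.exe
"""

NEW_LOG = """\
2024-03-03T09:10:12,WS01,alice,C:\\Program Files\\Office\\winword.exe,explorer.exe
2024-03-03T03:12:45,WS01,alice,C:\\Windows\\System32\\netsh.exe,cmd.exe
2024-03-03T03:13:02,WS01,alice,C:\\Windows\\System32\\wmic.exe,cmd.exe
2024-03-03T11:00:00,SRV01,svc_backup,C:\\Windows\\System32\\wbadmin.exe,services.exe
2024-03-03T03:14:20,SRV01,svc_backup,C:\\Windows\\System32\\ntdsutil.exe,cmd.exe
2024-03-03T10:00:00,SRV01,admin_bob,C:\\Windows\\System32\\netsh.exe,cmd.exe
"""

# Hypothetical watchlist of built-in administrative utilities whose use by
# ordinary users or service accounts warrants review. Constructed for this
# example; a real deployment would take its list from the advisory and tuning.
WATCHLIST: Set[str] = {"netsh.exe", "wmic.exe", "ntdsutil.exe", "reg.exe", "vssadmin.exe"}

Principal = Tuple[str, str]  # (host, user)


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    user: str
    image: str
    parent: str

    @property
    def binary(self) -> str:
        """Case-folded file name, so path differences do not split the baseline."""
        return self.image.rsplit("\\", 1)[-1].lower()


@dataclass
class Finding:
    event: Event
    reasons: List[str]

    @property
    def severity(self) -> str:
        return "high" if len(self.reasons) >= 2 else "medium"


def parse_events(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue  # skip blank or malformed lines instead of aborting the run
        events.append(Event(*parts))
    return events


def build_baseline(events: List[Event]) -> Dict[Principal, Set[str]]:
    """Learn which binaries each (host, user) principal executed in the learning window."""
    baseline: Dict[Principal, Set[str]] = defaultdict(set)
    for e in events:
        baseline[(e.host, e.user)].add(e.binary)
    return dict(baseline)


def score_events(events: List[Event], baseline: Dict[Principal, Set[str]],
                 watchlist: Set[str] = WATCHLIST) -> List[Finding]:
    """Flag events whose binary is new for the principal and/or on the watchlist."""
    findings = []
    for e in events:
        reasons = []
        if e.binary not in baseline.get((e.host, e.user), set()):
            reasons.append("binary not in baseline for this principal")
        if e.binary in watchlist:
            reasons.append("built-in administrative utility on watchlist")
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


def sequence_alerts(findings: List[Finding], window_seconds: int = 600,
                    min_hits: int = 2, watchlist: Set[str] = WATCHLIST) -> Set[Principal]:
    """Principals that ran at least min_hits watchlisted tools within window_seconds."""
    times: Dict[Principal, List[datetime]] = defaultdict(list)
    for f in findings:
        if f.event.binary in watchlist:
            times[(f.event.host, f.event.user)].append(datetime.fromisoformat(f.event.ts))
    alerted = set()
    for principal, stamps in times.items():
        stamps.sort()
        for i in range(len(stamps) - min_hits + 1):
            if (stamps[i + min_hits - 1] - stamps[i]).total_seconds() <= window_seconds:
                alerted.add(principal)
                break
    return alerted


def main() -> None:
    baseline = build_baseline(parse_events(BASELINE_LOG))
    findings = score_events(parse_events(NEW_LOG), baseline)
    for f in findings:
        print(f"[{f.severity}] {f.event.ts} {f.event.host}/{f.event.user} "
              f"{f.event.binary} <- {f.event.parent}: {'; '.join(f.reasons)}")
    for host, user in sorted(sequence_alerts(findings)):
        print(f"[sequence] {host}/{user} ran multiple watchlisted tools within 10 minutes")


if __name__ == "__main__":
    main()
```

Two caveats follow from the design. The baseline is only as trustworthy as the learning window: if an actor already had a foothold while the baseline was being learned, their tool usage is normalized into it, so the window should be reviewed against known-good activity rather than accepted blindly. And the watchlist alone produces noise for genuine administrators (the admin_bob event is scored medium, not high, precisely because netsh.exe is already in that account's baseline); the baseline deviation and the sequence check are what separate routine administration from a principal that suddenly starts behaving like one.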
The warning issued by the Five Eyes urges critical infrastructure organizations to follow CISA's cybersecurity performance goals and guidance from their respective sector-risk management agencies. The cyberattacks could be disruptive or destructive in the event of increased geopolitical tension or military conflict with the U.S. and its allies.
These practices can help organizations detect the specific commands used by Volt Typhoon actors, as detailed in last month's cybersecurity advisory. The guidance released on Tuesday follows a February warning from the Five Eyes that detailed how Volt Typhoon has already embedded itself into numerous transportation, energy, communications, and water and wastewater systems.
In summary, Volt Typhoon leverages stealthy, legitimate system capabilities to infiltrate U.S. critical infrastructure in preparation for potential conflict escalation, particularly concerning Taiwan. Defenders must employ sophisticated monitoring and strong cyber hygiene focused on detecting and preventing misuse of native tools and credentials to mitigate this advanced persistent threat.
- The use of legitimate system tools and software by Volt Typhoon poses a considerable cyber risk to critical infrastructure, necessitating close monitoring and analysis of such tool usage by defenders.
- Given the tactics employed by Volt Typhoon, such as credential theft and stealthy network access, it is crucial for organizations to implement strong credential hygiene and multi-factor authentication (MFA) to limit credential compromise.
- Network segmentation and strict access control are essential in restricting lateral movement within networks, preventing Volt Typhoon from infiltrating critical infrastructure assets.
- Regular threat hunting and anomaly detection can help identify stealthy intrusions and living off the land attacks, offering an extra layer of protection against Volt Typhoon's advanced tactics.