China-linked hackers have infiltrated critical American infrastructure, as confirmed by both CISA and the FBI.

Critical infrastructure and technology companies warned to swiftly defend against potential harmful actions linked to Volt Typhoon

China-linked cyber intrusions detected in critical U.S. infrastructure, confirmed by CISA and the FBI

In a recent development, the U.S. disclosed a court-ordered operation to disrupt a network of hundreds of privately owned SOHO routers infected with KV Botnet malware, which is believed to be the work of a Chinese state-sponsored threat actor known as Volt Typhoon [1][2].

Volt Typhoon has embedded itself inside the systems of numerous transportation, energy, communications, and water and wastewater providers in the U.S. [1]. The group uses so-called living off the land techniques to hide its malicious activity, and for the last five years it has often compromised commonly used small office/home office routers and other networking equipment to do so [3].

Researchers from Security Scorecard showed that Volt Typhoon compromised a subset of Cisco RV320/325 devices over a 37-day period from Dec. 1 to Jan. 7, using two old vulnerabilities, listed as CVE-2019-1653 and CVE-2019-1652 [4].

The FBI and Cybersecurity and Infrastructure Security Agency (CISA) have confirmed Volt Typhoon's activities, with the threat group aiming to covertly preposition themselves on information technology (IT) networks to gain lateral access to operational technology (OT) systems, enabling potential disruption in case of a conflict, especially relating to a potential escalation around Taiwan [1][2][3].

The extraordinary hearing last week before the House Select Committee on the Chinese Communist Party outlined the threat posed by Volt Typhoon and other China-affiliated actors in stark detail [6]. The attacks represent a significant shift in tactics for China-affiliated groups, which have traditionally focused on espionage and intellectual property theft from U.S. companies [7].

CISA is urging technology companies to make major changes in how they develop and configure software and other products to make them as secure as possible against potential compromise [8]. The agency is actively working on mitigation strategies targeting the tactics, techniques, and procedures (TTPs) of groups like Volt Typhoon, focusing on preventing lateral movement from IT to OT networks [1][3].

To strengthen cybersecurity defenses, CISA recommends prioritizing OT cybersecurity, raising awareness of IT/OT convergence risks, leveraging collaborative intelligence sharing, investing in automation and AI security, and implementing rigorous credential and network monitoring [3].
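The last two recommendations above, preventing lateral movement from IT into OT and monitoring credentials, can be expressed as concrete detection logic. The following is an added example written for this page; it is not code from the article, CISA, or any vendor. It assumes a hypothetical segmented network (an IT range, an OT range, and a short allowlist of jump hosts permitted to cross between them) and runs over a handful of constructed flow/authentication records, flagging IT-to-OT sessions that do not originate from an approved jump host and accounts that reach OT hosts from more than one source machine within a short window. All addresses, account names and log lines are constructed.

```python
"""Flag IT-to-OT lateral movement and cross-host credential reuse in
constructed flow/auth records. Added example; not from the article or CISA."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Hypothetical segmentation: which ranges are IT, which are OT, and the only
# IT hosts allowed to initiate sessions into OT (all values are constructed).
IT_NETS = [ipaddress.ip_network("10.10.0.0/16")]
OT_NETS = [ipaddress.ip_network("10.50.0.0/16")]
APPROVED_JUMP_HOSTS = {"10.10.1.5"}

# Constructed sample records shaped like a flattened flow/authentication
# export: "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <account>".
SAMPLE_LOG = """\
2024-02-05T08:00:01 10.10.1.5 10.50.2.10 22 ot-admin
2024-02-05T08:03:12 10.10.7.44 10.50.2.10 22 ot-admin
2024-02-05T08:04:50 10.10.7.44 10.50.3.21 3389 ot-admin
2024-02-05T09:15:00 10.10.9.9 10.10.1.5 445 helpdesk
2024-02-05T09:20:31 10.10.3.3 10.50.4.7 502 svc-hmi
"""


def _in_any(ip, nets):
    return any(ip in net for net in nets)


def parse_records(text):
    """Parse the whitespace-separated records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, account = parts
        try:
            records.append({
                "ts": datetime.fromisoformat(ts),
                "src": ipaddress.ip_address(src),
                "dst": ipaddress.ip_address(dst),
                "port": int(port),
                "account": account,
            })
        except ValueError:
            continue
    return records


def find_it_to_ot_crossings(records):
    """Return (src, dst, port) for IT->OT sessions not from an approved jump host.

    This is the 'prevent lateral movement from IT to OT' control expressed as a
    detection: anything crossing the boundary outside the allowlist is reported.
    """
    hits = []
    for r in records:
        if (_in_any(r["src"], IT_NETS) and _in_any(r["dst"], OT_NETS)
                and str(r["src"]) not in APPROVED_JUMP_HOSTS):
            hits.append((str(r["src"]), str(r["dst"]), r["port"]))
    return hits


def find_shared_ot_accounts(records, window_minutes=10):
    """Return accounts that reached OT hosts from more than one source IP
    within `window_minutes`, mapped to the sorted list of those sources.

    A valid credential appearing from a second machine shortly after its
    normal use is the credential-monitoring signal the guidance points at;
    living-off-the-land activity rarely trips malware signatures, so account
    behaviour is what remains to watch.
    """
    by_account = defaultdict(list)
    for r in records:
        if _in_any(r["dst"], OT_NETS):
            by_account[r["account"]].append((r["ts"], str(r["src"])))
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for account, uses in by_account.items():
        uses.sort()
        sources = set()
        for (t1, s1), (t2, s2) in zip(uses, uses[1:]):
            if s1 != s2 and t2 - t1 <= window:
                sources.update((s1, s2))
        if sources:
            flagged[account] = sorted(sources)
    return flagged


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for hit in find_it_to_ot_crossings(recs):
        print("unapproved IT->OT session:", hit)
    for account, sources in find_shared_ot_accounts(recs).items():
        print("account used into OT from several hosts:", account, sources)
```

On the constructed records the first function reports three boundary crossings (the approved jump host's own session is not one of them), and the second reports `ot-admin`, which reached OT hosts from both the jump host and an ordinary workstation within three minutes. In practice the allowlist and windows would come from the site's segmentation policy rather than constants, and the records from a flow collector or authentication log rather than an inline string.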

In summary, although Volt Typhoon successfully breached several U.S. critical infrastructure networks, efforts by U.S. cybersecurity agencies have so far prevented them from achieving enduring control or disruption. However, their activities underscore the critical need for enhanced cybersecurity posture combining IT and OT defenses, rigorous credential monitoring, and federal support for closing critical infrastructure security gaps [1][2][3][4][5].

Microsoft warned in May 2023 that Volt Typhoon was abusing SOHO devices, including internet-facing Fortinet FortiGuard environments, to gain initial access and then abuse other networking equipment [9]. The group is also gathering information on, and even penetrating, operational technology systems, the highly sensitive systems that run the physical processes at the heart of critical infrastructure.

Cyber officials in Australia and New Zealand are preparing for similar threat activity against their critical sectors [10]. With the potential for disruptive effects, it is crucial for all nations to collaborate and share threat intelligence to protect their critical infrastructure and ensure the safety and security of their citizens.

[1] The Hacker News
[2] CyberScoop
[3] CISA
[4] Security Scorecard
[5] CyberScoop
[6] The Hill
[7] CyberScoop
[8] CISA
[9] Microsoft Threat Intelligence Center
[10] CyberScoop

  1. The recent disruption of SOHO routers infected with KV Botnet malware, traced back to the Chinese state-sponsored threat actor Volt Typhoon, highlights the importance of robust firewalls and cybersecurity measures in safeguarding privacy and preventing vulnerabilities within critical infrastructure networks.
  2. Volt Typhoon's use of old vulnerabilities, such as CVE-2019-1653 and CVE-2019-1652, to compromise Cisco RV320/325 devices underscores the necessity for technology companies to prioritize security in their software development and configuration processes to mitigate cyber threats.
  3. The covert activities of Volt Typhoon, aiming to gain lateral access to operational technology systems, emphasize the need for collaborative efforts among nations to strengthen cybersecurity defenses, including IT and OT defenses, credential monitoring, and the sharing of threat intelligence, to protect critical infrastructure and ensure privacy and security for all citizens.
