
Five-Eye alliance urges heads of critical infrastructure to treat China-associated threats as significant concerns

Authorities are emphasizing strategies for potential targets to identify and counteract Volt Typhoon's elusive tactics, as the warnings about the storm become increasingly critical.


News Article: Enhancing Cybersecurity Against the China-Backed Threat Actor Volt Typhoon

In light of the increasing threat posed by the China state-sponsored actor Volt Typhoon, critical infrastructure organizations worldwide are being advised to strengthen their defenses against stealthy, long-term espionage tactics. Particular focus is being placed on mitigating "living off the land" (LOTL) techniques and securing edge network devices that Volt Typhoon exploits to maintain persistent access.

Understanding the Threat

Volt Typhoon has targeted a broad range of U.S. critical infrastructure sectors, including government, maritime, utilities, communications, manufacturing, and transportation. The group's primary focus is espionage, with potential disruption during geopolitical conflict scenarios such as tensions over Taiwan. Although federal agencies like the NSA and FBI state that Volt Typhoon has so far failed to maintain long-term invisible persistence, they remain embedded in some networks, notably on Guam, warranting ongoing vigilance.

Mitigating LOTL Techniques

Volt Typhoon uses LOTL tactics that leverage native operating system tools and legitimate processes to blend malicious activity into normal network traffic and evade detection. Observed LOTL activity includes harvesting Windows credentials from LSASS memory, deploying web shells, and exploiting SOHO (small office/home office) network devices such as routers, firewalls, and VPN appliances from brands including ASUS, Cisco, D-Link, Netgear, FatPipe, and Zyxel to exfiltrate data and maintain a stealthy presence.

Protective Recommendations

To counter these tactics, organizations are advised to harden and monitor edge devices, enhance credential protection, detect unusual activity, increase visibility and monitoring, and be incident-ready. Regular firmware updates and vulnerability scans of exposed SOHO and enterprise network devices, especially routers, firewalls, and VPN appliances, are essential. Network segmentation and zero-trust principles should be applied to restrict lateral movement and limit device exposure.

Credential theft can be prevented by employing technologies such as Credential Guard and restricting access to LSASS memory. Behavioral analytics should be used to detect anomalous activities associated with LOTL techniques, such as unexpected PowerShell executions, unusual command-line usage, and web shell traffic patterns. Increased telemetry from endpoints and network devices using endpoint detection and response (EDR) tools combined with network traffic analysis can help catch disguised malicious behavior.
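The behavioral checks described above (unexpected LSASS access, hidden or encoded PowerShell invocations, and a web server worker spawning a shell as a web shell indicator) can be expressed as simple rules over endpoint telemetry. The following is an added example written for this article, not code from the advisory, the Five Eyes agencies, or any EDR vendor. It assumes Sysmon-style events normalised to JSON lines (event ID 1 for process creation, event ID 10 for process access); the field names, the LSASS access allowlist, and the sample events are all constructed for the example.

```python
"""Heuristic LOTL detection over constructed Windows endpoint telemetry.

Added example, not part of the original article. Records resemble
Sysmon events normalised to JSON: event_id 1 = process creation,
event_id 10 = process access. Field names are assumptions.
"""
import json
import re

# Processes that legitimately read LSASS memory on a typical host.
# This allowlist is an assumption for the example; tune it per environment.
LSASS_ACCESS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}

# A web server worker spawning a shell is a classic web shell indicator.
WEB_SERVER_PROCS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe"}
SHELL_PROCS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# PowerShell switches commonly used to hide or obscure what is executed.
SUSPICIOUS_PS_FLAGS = re.compile(
    r"(?i)(-e(nc|ncodedcommand)?\s|-w(indowstyle)?\s+hidden|-nop\b|-ep\s+bypass|downloadstring)"
)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return a list of finding labels for one event; empty when nothing matched."""
    findings = []
    eid = event.get("event_id")
    if eid == 10:  # process access: who is opening a handle to whom
        target = basename(event.get("target_image", ""))
        source = event.get("source_image", "").lower()
        if target == "lsass.exe" and source not in LSASS_ACCESS_ALLOWLIST:
            findings.append(f"lsass_access_by_unexpected_process:{source}")
    elif eid == 1:  # process creation: image, parent and command line
        image = basename(event.get("image", ""))
        parent = basename(event.get("parent_image", ""))
        cmdline = event.get("command_line", "")
        if image in {"powershell.exe", "pwsh.exe"} and SUSPICIOUS_PS_FLAGS.search(cmdline):
            findings.append("powershell_obfuscated_or_hidden")
        if parent in WEB_SERVER_PROCS and image in SHELL_PROCS:
            findings.append(f"web_server_spawned_shell:{parent}->{image}")
    return findings


def scan(lines):
    """Parse JSON lines and return [(host, findings)] for events that matched."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry would be counted separately in practice
        findings = evaluate(event)
        if findings:
            hits.append((event.get("host", "?"), findings))
    return hits


# Constructed sample telemetry (not real events); three of five should match.
SAMPLE_EVENTS = [
    r'{"event_id": 10, "host": "hr-ws-01", "source_image": "C:\\Users\\svc\\AppData\\Local\\Temp\\updater.exe", "target_image": "C:\\Windows\\System32\\lsass.exe"}',
    r'{"event_id": 10, "host": "hr-ws-01", "source_image": "C:\\Windows\\System32\\csrss.exe", "target_image": "C:\\Windows\\System32\\lsass.exe"}',
    r'{"event_id": 1, "host": "fin-ws-07", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\System32\\wscript.exe", "command_line": "powershell.exe -nop -w hidden -enc QUJDRA=="}',
    r'{"event_id": 1, "host": "web-02", "image": "C:\\Windows\\System32\\cmd.exe", "parent_image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "command_line": "cmd.exe /c set"}',
    r'{"event_id": 1, "host": "fin-ws-07", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "powershell.exe -File C:\\scripts\\backup.ps1"}',
]

if __name__ == "__main__":
    for host, findings in scan(SAMPLE_EVENTS):
        print(host, findings)
```

Each rule keys on a relationship (which process touched LSASS, which parent launched a shell, which switches a PowerShell command line carries) rather than on a file hash, which is the point of detecting LOTL activity: the binaries are legitimate, so only context distinguishes misuse. Rules like these generate noise until the allowlists reflect the environment, so they are best run against centrally collected logs where a baseline can be established.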

Organizations should develop and regularly test cyber incident response plans tailored for attacks targeting critical infrastructure, including red team exercises simulating LOTL-based intrusions and ransomware kill-chain disruptions. Backups should be kept offline or on fully segregated networks to prevent tampering or encryption by attackers who have established presence through LOTL tactics.

Coordination with Federal Agencies

Organizations are encouraged to collaborate with agencies such as CISA for threat intelligence sharing and to adopt any emerging mitigations or alerts regarding Volt Typhoon activity or vulnerabilities in network edge devices.

The Five Eyes, a collaboration between multiple U.S. agencies and counterparts in Australia, Canada, New Zealand, and the U.K., advises critical infrastructure organizations to follow CISA's cybersecurity performance goals and guidance from their respective sector-risk management agencies. Establishing strong vendor risk management processes and exercising due diligence in selecting vendors by following secure-by-design principles is also recommended.

Continuous training and regular tabletop exercises are strongly advised by officials. The White House and Environmental Protection Agency have called for governors to send health, environmental, and homeland security officials to a virtual meeting on Thursday.

A Comprehensive Approach

Critical infrastructure organizations need a comprehensive and multifaceted approach to protect themselves against living off the land techniques used by Volt Typhoon. Detecting and mitigating these techniques requires consistent logging for access and security, with logs stored in a central system. Authorities are urging leaders to recognize cyber risk as a core business risk, necessary for good governance and fundamental to national security.

Volt Typhoon does not rely on malware to maintain access to networks and conduct its activity. Instead, it uses built-in functions of a system, a technique known as living off the land, which lets threat actors like Volt Typhoon evade detection. The Five Eyes have issued a warning about the urgent risk posed by Volt Typhoon to critical infrastructure organizations, urging leaders to take action to defend their systems against the China state-sponsored threat actor.

  1. In the battle against Volt Typhoon, organizations must focus on risk management: understanding the cyber risks associated with this China state-sponsored actor and employing cybersecurity measures to mitigate them, particularly malicious activity carried out through native operating system tools and legitimate processes.
  2. To counter the LOTL techniques used by Volt Typhoon, such as exploiting SOHO network devices and deploying web shells, organizations should harden edge devices, enhance credential protection, utilize behavioral analytics, and adopt a zero-trust approach.
  3. In a comprehensive approach to protect critical infrastructure, organizations should collaborate with federal agencies for threat intelligence sharing, continuously train personnel, and develop incident response plans that cater to LOTL-based intrusions and ransomware kill-chain disruptions.
