The Cybersecurity and Infrastructure Security Agency (CISA), alongside the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI), has issued a stark warning: cyber actors sponsored by the People's Republic of China (PRC) are strategically infiltrating American IT networks. This move, aimed at the heart of U.S. critical infrastructure, positions these actors to launch potentially devastating cyberattacks in times of heightened tensions or conflict with the United States.
Key Agencies Join Forces in Advisory
In response, CISA, NSA, and FBI, in collaboration with domestic and international partners—including the U.S. Department of Energy, the Environmental Protection Agency, and cybersecurity bodies from Australia, Canada, the UK, and New Zealand—have come forward with this advisory. Their goal? To alert organizations operating within critical sectors about these incursions, notably by a group known as Volt Typhoon. This entity, also recognized by names like Vanguard Panda and Insidious Taurus, has shown a disturbing focus on sectors vital to national security: communications, energy, transportation, and water management.
The Threat at a Glance
Volt Typhoon's activities diverge significantly from typical cyber espionage: these actors are laying the groundwork for widespread disruption. By establishing a foothold within IT networks, they aim to pivot to operational technology (OT) systems, threatening the continuity of essential services. While the immediate risk may vary across nations, the interconnected nature of critical infrastructure means a targeted attack on the U.S. could have broader implications, especially for close allies like Canada.
Campaign Overview: A Coordinated Cyber Intrusion
In May 2023, a joint effort between the authoring agencies and industry partners brought to light the activities of Volt Typhoon, a campaign orchestrated by state-sponsored actors from the People's Republic of China. This campaign marks a significant escalation in cyber threats, with successful infiltrations into the IT networks of critical U.S. infrastructure across the continental U.S., its territories, and Guam. Unlike traditional cyber espionage, the aim here is clear: to pre-position within IT networks, enabling a pivot to operational technology (OT) systems for potential disruption.
Strategic Targeting and Reconnaissance
Volt Typhoon's operations have predominantly impacted sectors crucial to national resilience: Communications, Energy, Transportation, and Water and Wastewater Systems. The actors have shown a preference for entities with limited cybersecurity defenses but significant operational value. Their approach is methodical, beginning with extensive reconnaissance to map out target network architectures, security measures, and operational protocols. This intelligence is then used to improve their stealth and efficiency, including tactics like avoiding abnormal account activity to fly under the radar of security monitoring.
Infiltration Tactics: From Initial Access to Domain Dominance
The campaign typically begins with the exploitation of vulnerabilities in public-facing network devices, followed by the use of VPNs for deeper network penetration. A significant goal for Volt Typhoon actors is the acquisition of administrative credentials, often through privilege escalation or extracting insecurely stored credentials. With these credentials, the actors move laterally across the network, using built-in tools such as PowerShell to discreetly gather information and vssadmin to reach critical Active Directory data via the NTDS.dit file.
Sophisticated Exploitation and Operational Security
Volt Typhoon's exploitation strategies demonstrate a high level of sophistication, from offline password cracking of Active Directory hashes to leveraging valid credentials for further network penetration and intelligence gathering. Their operational security is further evidenced by their strategic use of living off the land (LOTL) techniques, blending seamlessly into the environment to avoid detection.
Implications for OT Assets and Critical Infrastructure
The ultimate objective appears to be not just network surveillance but the capability to disrupt critical OT functions. By gaining access to domain-joined OT assets and testing default OT vendor credentials, Volt Typhoon actors position themselves to potentially manipulate or disrupt essential services. This includes critical infrastructure facilities, where they've shown the ability to interfere with systems as varied as HVAC controls and surveillance cameras, posing a direct threat to national security.
Understanding Volt Typhoon's TTPs
Volt Typhoon actors meticulously map out their targets, delving into organizational structures, network setups, and employee details. Leveraging tools like FOFA, Shodan, and Censys, they unearth exposed infrastructure, focusing keenly on IT and network administrators to breach defenses effectively. This stage is crucial for understanding the depth of their pre-attack groundwork, showcasing their methodical approach to cyber espionage.
Evolving Resource Development Strategies
Historically, these actors employed multi-hop proxies to disguise their command and control channels, routing through virtual private servers or small office/home office (SOHO) routers. However, a shift towards exploiting Cisco and NETGEAR routers compromised with KV Botnet malware highlights their adaptability and the persistent threat they pose to digital infrastructures.
Initial Access: The Gateway to Compromise
Volt Typhoon exploits vulnerabilities in common networking appliances from brands like Fortinet and Cisco, using both known exploits and zero-day vulnerabilities. A notable incident involved exploiting a FortiGate firewall vulnerability, illustrating their expertise in finding and leveraging weak spots for initial entry.
Execution Tactics: Stealth over Malware
Post-compromise, Volt Typhoon prefers direct, hands-on-keyboard activities, avoiding malware to reduce detection risks. This approach, involving the use of built-in system tools, underscores their stealthy methodologies to maintain access and avoid raising alarms within targeted networks.
Persistence through Valid Credentials
Maintaining access is key for Volt Typhoon, with a strong preference for using legitimate credentials. This tactic ensures they can continue their operations undetected, showcasing the importance of robust credential management and monitoring within cybersecurity defenses.
Defense Evasion: Blending in with the Crowd
By using legitimate, albeit outdated, network tools and blending malicious activities within normal network traffic, Volt Typhoon actors effectively stay below the radar. This technique challenges organizations to discern between legitimate operations and covert cyber threats, emphasizing the need for sophisticated detection tools and strategies.
Credential Access: The Foundation of Further Intrusions
Volt Typhoon's success often hinges on acquiring credentials from compromised systems, using methods like exploiting vulnerabilities or extracting critical databases. These credentials pave the way for deeper network penetration and control, highlighting the critical nature of securing authentication mechanisms against such threats.
Discovery and Lateral Movement: Preparing for Impact
Through the use of both commercial and built-in tools, Volt Typhoon actors thoroughly explore compromised networks, identifying key assets and planning their next moves. Their strategic approach to lateral movement, especially within critical infrastructure sectors, demonstrates a calculated effort to position themselves advantageously within targeted environments.
Command and Control: Maintaining a Stealthy Grip
Volt Typhoon's command and control tactics involve clever use of compromised infrastructure, such as routers and servers, to communicate with and control compromised networks discreetly. This method ensures their activities remain hidden, complicating efforts to detect and mitigate their presence.
Implications and Protections
Understanding Volt Typhoon's sophisticated TTPs underscores the importance of a multi-layered cybersecurity strategy. Organizations must prioritize up-to-date defenses, robust monitoring, and a proactive stance on network security to defend against such adept adversaries.
Embrace Advanced Detection Techniques Against Stealthy Threats
Because adversaries like Volt Typhoon skillfully blend in using "Living off the Land" (LOTL) techniques, organizations face significant challenges in distinguishing between legitimate and malicious activities. Traditional indicators of compromise (IOCs) often fall short, necessitating a more nuanced, behavior-based approach to cybersecurity.
- Best Practices for LOTL Detection: Adopting the recommendations from the comprehensive guide on Identifying and Mitigating Living off the Land Techniques is crucial. Many organizations' security frameworks lack the refined detection capabilities needed to spot such sophisticated tactics. By establishing robust baselines and implementing best practices for network management and security, teams can enhance their ability to detect anomalous behaviors indicative of LOTL strategies. This involves leveraging behavior analytics, anomaly detection, and proactive threat hunting as part of a well-rounded cyber defense strategy.
- Proactive Log Review for In-depth Insights: Regular examination of application, security, and system event logs is a vital practice in uncovering hidden threats. Special attention should be given to Windows Extensible Storage Engine Technology (ESENT) Application Logs, which can offer clues to stealthy persistence mechanisms employed by actors like Volt Typhoon. Given their potential for prolonged, undetected network presence, it's essential to scrutinize specific ESENT Application Log event IDs (216, 325, 326, and 327), which could signal unauthorized access attempts or data exfiltration activities.
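As an added illustration of the ESENT log review described above (example code written for this summary, not part of the advisory), the following Python filters an exported set of Application Log records for event IDs 216, 325, 326 and 327, keeps only those that reference ntds.dit outside the routine lsass attach/detach, and folds them into one alert per host and time window. The sample records are constructed, and the event meanings and the "<process> (<pid>)" message prefix are assumptions drawn from public Windows documentation.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# ESENT Application Log event IDs named in the advisory. Commonly documented
# meanings (assumption): 216 location change, 325 created, 326 attached, 327 detached.
ESENT_EVENT_IDS = {216, 325, 326, 327}
# Constructed sample export (not real telemetry). ESENT messages are assumed to
# begin with "<process> (<pid>)", as they do in the Windows Application log.
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-01-15T02:14:03", "Computer": "DC01", "Provider": "ESENT", "EventID": 326,
     "Message": "lsass (704) The database engine attached a database (1, C:\\Windows\\NTDS\\ntds.dit)."},
    {"TimeCreated": "2024-01-15T02:14:09", "Computer": "DC01", "Provider": "ESENT", "EventID": 216,
     "Message": "ntdsutil (5212) A database location change was detected from C:\\Windows\\NTDS\\ntds.dit to C:\\Temp\\ifm\\ntds.dit."},
    {"TimeCreated": "2024-01-15T02:14:12", "Computer": "DC01", "Provider": "ESENT", "EventID": 327,
     "Message": "ntdsutil (5212) The database engine detached a database (1, C:\\Temp\\ifm\\ntds.dit)."},
    {"TimeCreated": "2024-01-15T09:30:00", "Computer": "WS22", "Provider": "ESENT", "EventID": 326,
     "Message": "svchost (1200) The database engine attached a database (1, C:\\ProgramData\\StateRepository.srd)."},
]

def suspicious_esent_hits(events):
    """ESENT events of interest that touch ntds.dit, minus lsass's routine attach/detach."""
    hits = []
    for e in events:
        msg = e.get("Message", "")
        if (e.get("Provider") != "ESENT" or e.get("EventID") not in ESENT_EVENT_IDS
                or "ntds.dit" not in msg.lower()):
            continue
        process = msg.split(" ", 1)[0].lower()
        # 216 is the copy itself; the other IDs matter only when lsass is not the caller.
        if e["EventID"] == 216 or process != "lsass":
            hits.append({**e, "process": process})
    return hits

def cluster_alerts(events, window_minutes=10):
    """Fold suspicious hits per host into time-bounded bursts, one alert each."""
    by_host = defaultdict(list)
    for h in suspicious_esent_hits(events):
        by_host[h["Computer"]].append(h)
    alerts = []
    for host, hits in by_host.items():
        current = None
        for h in sorted(hits, key=lambda x: x["TimeCreated"]):
            t = datetime.fromisoformat(h["TimeCreated"])
            if current and t - current["last"] <= timedelta(minutes=window_minutes):
                current["last"] = t
                current["event_ids"].append(h["EventID"])
            else:
                current = {"host": host, "first": t, "last": t, "event_ids": [h["EventID"]]}
                alerts.append(current)
    return alerts
```

Running `cluster_alerts(SAMPLE_EVENTS)` yields a single DC01 alert carrying event IDs 216 and 327 from ntdsutil, while the boot-time lsass attach and the workstation's unrelated database are left out.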
For a deeper dive into the details of the advisory and to stay informed on the latest cybersecurity measures against Volt Typhoon's activities, please visit the official CISA website. Here, you'll find comprehensive insights and recommendations to bolster your cybersecurity posture and protect your organization from sophisticated cyber threats.