Dive Brief:
- Cyber officials representing the Five Eyes warned critical infrastructure organizations of the “urgent risk posed by Volt Typhoon” in guidance released Tuesday. U.S. officials and international allies strongly urged leaders to take actions to defend their systems against the China state-sponsored threat actor.
- “This is a critical business risk for every organization and allied countries,” the officials said. The agencies urged leaders to “recognize cyber risk as a core business risk. This recognition is both necessary for good governance and fundamental to national security.”
- The warning coincided with an urgent request for U.S. governors to shore up water security. The White House and Environmental Protection Agency called for governors to send health, environmental and homeland security officials to a virtual meeting Thursday.
Dive Insight:
The guidance released Tuesday follows a February warning from the Five Eyes that detailed how Volt Typhoon had already embedded itself in numerous transportation, energy, communications, and water and wastewater systems.
Critical infrastructure organizations need a comprehensive and multifaceted approach to protect themselves against living off the land techniques Volt Typhoon uses, according to the FBI, the Cybersecurity and Infrastructure Security Agency, the National Security Agency and international counterparts.
“Volt Typhoon does not rely on malware to maintain access to networks and conduct their activity. Rather, they use built-in functions of a system,” a technique known as living off the land that enables threat actors to evade detection, the agencies said.
The threat group and other China state-linked actors are gaining persistent access to critical infrastructure. These footholds are part of Volt Typhoon’s broader effort to preposition themselves to launch future disruptive or destructive cyberattacks on critical services in the event of increased geopolitical tension or military conflict with the U.S. and its allies, cyber officials warned.
NSA Cyber Director Rob Joyce, who is retiring at the end of this month, said the full extent of the campaign remains unknown. Authorities are “still finding victims and making sure to clear out intrusions,” he said during a roundtable Friday, The Record reported.
The Five Eyes guidance, issued by multiple U.S. agencies together with their counterparts in Australia, Canada, New Zealand and the U.K., urged critical infrastructure organizations to follow CISA’s cybersecurity performance goals and the guidance of their respective sector risk management agencies.
Officials advised organizations to establish strong vendor risk management processes and to exercise due diligence when selecting vendors, favoring those that follow secure-by-design principles. They also strongly encouraged continuous training and regular tabletop exercises.
Detecting and mitigating living off the land techniques requires consistent access and security logging, with logs stored in a central system, officials said. This key best practice can help organizations reveal the specific commands Volt Typhoon actors use, including those shared in last month’s cybersecurity advisory about the ongoing activity.
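The point of centralizing command-line logging is that living off the land activity leaves no malware to scan for; what it does leave is a trail of ordinary Windows utilities invoked in unusual ways. The following is an added example, not code from the agencies or the advisory: it runs a few simple detection rules over constructed process-creation records (a simplified, tab-separated shape of Windows Security Event ID 4688 with command-line auditing enabled, or Sysmon Event ID 1) and then looks for hosts where more than one such technique appears. The log lines, host names and the rule list are assumptions made for illustration; the tools they reference (ntdsutil, netsh portproxy, wmic, vssadmin) are the kind of built-in binaries the advisory describes, but the exact patterns a defender should use come from the advisory and from baselining their own environment.

```python
import re
from dataclasses import dataclass
from collections import defaultdict

# Constructed sample records, one per line, tab-separated:
# timestamp, host, user, image path, full command line.
# These are made up for this example and were not captured from any real system.
SAMPLE_LOG = """\
2024-03-19T02:14:07Z\tWS-042\tCORP\\svc_backup\tC:\\Windows\\System32\\cmd.exe\tcmd.exe /c ntdsutil "ac i ntds" ifm "create full C:\\Windows\\Temp\\pro" q q
2024-03-19T02:15:30Z\tWS-042\tCORP\\svc_backup\tC:\\Windows\\System32\\netsh.exe\tnetsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.10.2.5 connectport=8443
2024-03-19T02:16:02Z\tWS-017\tCORP\\jdoe\tC:\\Windows\\System32\\notepad.exe\tnotepad.exe C:\\Users\\jdoe\\notes.txt
2024-03-19T02:18:45Z\tDC-01\tCORP\\admin02\tC:\\Windows\\System32\\wbem\\WMIC.exe\twmic process call create "cmd.exe /c vssadmin create shadow /for=C:"
2024-03-19T02:20:11Z\tWS-017\tCORP\\jdoe\tC:\\Windows\\System32\\netsh.exe\tnetsh interface show interface
"""

# Illustrative rules (assumed, not the advisory's own list): built-in tools
# whose command lines are legitimate in isolation but, in these forms, are
# classic hands-on-keyboard activity that drops no malware on disk.
RULES = [
    ("ntdsutil_ifm_dump", re.compile(r"ntdsutil.*\bifm\b", re.I),
     "Active Directory database (NTDS.dit) exported via ntdsutil"),
    ("netsh_portproxy", re.compile(r"netsh\s+interface\s+portproxy\s+add", re.I),
     "port-forwarding relay configured with netsh portproxy"),
    ("wmic_process_create", re.compile(r"wmic\s+process\s+call\s+create", re.I),
     "process spawned through WMI"),
    ("vssadmin_shadow", re.compile(r"vssadmin\s+create\s+shadow", re.I),
     "volume shadow copy created (often a prelude to SAM/NTDS theft)"),
]


@dataclass
class Event:
    timestamp: str
    host: str
    user: str
    image: str
    cmdline: str


@dataclass
class Alert:
    rule: str
    description: str
    timestamp: str
    host: str
    user: str
    cmdline: str


def parse_events(text: str) -> list[Event]:
    """Parse the simplified 4688-style records; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t", 4)
        if len(fields) != 5:
            continue  # malformed record: do not silently treat it as benign
        events.append(Event(*fields))
    return events


def match_rules(events: list[Event]) -> list[Alert]:
    """Apply every rule to every command line; one event can raise several alerts."""
    alerts = []
    for ev in events:
        for name, pattern, description in RULES:
            if pattern.search(ev.cmdline):
                alerts.append(Alert(name, description, ev.timestamp, ev.host, ev.user, ev.cmdline))
    return alerts


def hosts_with_chained_hits(alerts: list[Alert], min_distinct: int = 2) -> dict[str, list[str]]:
    """Escalate hosts where several distinct techniques show up.

    A single vssadmin or netsh invocation is often an administrator at work;
    a host that dumps NTDS.dit and then sets up a portproxy relay is not.
    """
    per_host: dict[str, set[str]] = defaultdict(set)
    for a in alerts:
        per_host[a.host].add(a.rule)
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_distinct}


if __name__ == "__main__":
    found = match_rules(parse_events(SAMPLE_LOG))
    for a in found:
        print(f"{a.timestamp} {a.host} {a.user} [{a.rule}] {a.description}: {a.cmdline}")
    for host, rules in hosts_with_chained_hits(found).items():
        print(f"ESCALATE {host}: {', '.join(rules)}")
```

Two caveats follow directly from the agencies' advice. First, by default Event ID 4688 records only the process image, not its arguments; without command-line auditing (or Sysmon) enabled and shipped to the central store, none of these patterns are visible, which is exactly why the logging requirement comes before the detection. Second, every tool above has legitimate uses, so the per-host correlation step, and comparison against what a given account normally runs, is what turns a noisy pattern match into something an analyst can act on.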