Before previous conflicts, a potential enemy would pre-position ships, planes and tanks in order to swiftly and decisively cripple an opponent. In the 21st century, computer-based threats are being used to destroy a nation’s ability to survive.
The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency and the Federal Bureau of Investigation, along with key U.S. and international government agencies, have issued an alert about China’s state-sponsored cyber actor, known as Volt Typhoon, attempting to compromise critical infrastructure with the aim of crippling America in the event of a conflict between Washington and Beijing.
CISA and other federal departments have confirmed that this group of China state-sponsored cyber actors has compromised entities across multiple critical infrastructure sectors in cyberspace, including communications, energy, transportation, and water and wastewater, in the United States and its territories. The information strongly suggests that China is positioning itself to launch destructive cyber-attacks that would jeopardize the physical safety of Americans and impede military readiness in the event of a major crisis or conflict with the United States.
In recent years, Washington has noted a strategic shift in China’s cyber threat activity from a focus on espionage to pre-positioning for possible disruptive cyber-attacks against U.S. critical infrastructure. By using “living off the land” (LOTL) techniques, Beijing’s cyber actors blend in with normal system and network activities, avoid identification by network defenses, and limit the amount of activity that is captured in common logging configurations.
CISA notes that “Detecting and mitigating ‘living off the land’ malicious cyber activity requires a multi-faceted and comprehensive approach to discern legitimate behavior from malicious behavior and conduct behavior analytics, anomaly detection, and proactive hunting.”
China’s cyber threat is not theoretical; it is a real-world, existing threat. Using information from government and private industry, CISA teams have found and eradicated Volt Typhoon intrusions into critical infrastructure across multiple sectors. However, what they have found to date is “likely the tip of the iceberg,” said CISA Director Jen Easterly. The advisory is “the result of effective, persistent operational collaboration with … industry, federal, and international partners … We are at a critical juncture for our national security. CISA strongly encourages all critical infrastructure organizations to review and implement the actions in these advisories and report any suspected Volt Typhoon or living off the land activity to CISA or FBI.”
After successfully gaining access to legitimate accounts, Volt Typhoon actors exhibit minimal activity within the compromised environment, suggesting their objective is to maintain persistence rather than immediate exploitation. This assessment is supported by observed patterns where Volt Typhoon methodically re-targets the same organizations over extended periods, often spanning several years, to continuously validate and potentially enhance their unauthorized accesses. Evidence of their meticulous approach is seen in instances where they repeatedly exfiltrate domain credentials, ensuring access to current and valid accounts. For example, in one compromise, Volt Typhoon likely extracted NTDS.dit from three domain controllers in a four-year period. In another compromise, Volt Typhoon actors extracted NTDS.dit two times from a victim in a nine-month period.
According to CISA, industry reporting—identifying that Volt Typhoon actors are silent on the network following credential dumping and perform discovery to learn about the environment, but do not exfiltrate data—is consistent with the U.S. authoring agencies’ observations. This indicates their aim is to achieve and maintain persistence on the network. In one confirmed compromise, an industry partner observed Volt Typhoon actors dumping credentials at regular intervals.
In addition to leveraging stolen account credentials, the actors use LOTL techniques and avoid leaving malware artifacts on systems that would cause alerts. Their strong focus on stealth and operational security allows them to maintain long-term, undiscovered persistence. Further, Volt Typhoon’s operational security is enhanced by targeted log deletion to conceal their actions within the compromised environment.
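The behaviours described above (repeated NTDS.dit extraction with built-in Windows tools, followed by targeted log deletion) can be hunted for in process-creation and audit logs. The following is an added detection example, not code from CISA or the advisory; it assumes Windows Security events 4688 (process creation) and 1102 (audit log cleared) have been flattened to pipe-separated text, and that extraction is attempted via ntdsutil, vssadmin shadow copies or a copy from a shadow-copy path, all of which are assumptions about tooling the article itself does not name. The log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events (4688 = process creation,
# 1102 = audit log cleared), flattened to "timestamp|host|event_id|user|command".
SAMPLE_EVENTS = r"""
2023-01-10T02:14:07|DC01|4688|CORP\svc_backup|ntdsutil.exe "ac i ntds" "ifm" "create full C:\Windows\Temp\pro" q q
2023-01-10T02:15:30|DC01|4688|CORP\svc_backup|cmd.exe /c wevtutil cl Security
2023-05-22T03:02:11|DC02|4688|CORP\svc_backup|vssadmin create shadow /for=C:
2023-05-22T03:03:45|DC02|4688|CORP\svc_backup|cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Windows\Temp\n.dit
2023-05-22T03:05:00|DC02|1102|CORP\svc_backup|The audit log was cleared.
2023-06-01T09:00:00|WS07|4688|CORP\alice|notepad.exe C:\Users\alice\notes.txt
"""
# Built-in (LOTL) ways of reaching NTDS.dit; ntdsutil ifm is also legitimate DC
# promotion tooling, which is why the repeat and log-clear checks below matter.
NTDS_PATTERNS = [
    re.compile(r"ntdsutil(\.exe)?\b.*\bifm\b", re.I),
    re.compile(r"vssadmin(\.exe)?\s+create\s+shadow", re.I),
    re.compile(r"HarddiskVolumeShadowCopy\d+\\.*ntds\.dit", re.I),
]
LOG_CLEAR = re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I)

def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, host, eid, user, cmd = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "event_id": int(eid), "user": user, "cmd": cmd})
    return events

def find_ntds_activity(events):
    """Process-creation events whose command line matches an NTDS.dit extraction pattern."""
    return [e for e in events if e["event_id"] == 4688
            and any(p.search(e["cmd"]) for p in NTDS_PATTERNS)]

def find_log_clearing(events, window=timedelta(hours=1)):
    """Log clears (1102 or wevtutil cl) on the same host within `window` after NTDS activity."""
    ntds, hits = find_ntds_activity(events), []
    for e in events:
        cleared = e["event_id"] == 1102 or (e["event_id"] == 4688 and LOG_CLEAR.search(e["cmd"]))
        if cleared and any(n["host"] == e["host"] and timedelta(0) <= e["ts"] - n["ts"] <= window
                           for n in ntds):
            hits.append(e)
    return hits

def repeat_dumping_domains(events):
    """Domains where NTDS extraction recurs on separate days (periodic re-dumping, not a one-off)."""
    days = defaultdict(set)
    for e in find_ntds_activity(events):
        days[e["user"].split("\\")[0]].add(e["ts"].date())
    return sorted(d for d, dates in days.items() if len(dates) > 1)
```

Run against `SAMPLE_EVENTS`, the three helpers return the three extraction attempts, the two log clears that followed them on DC01 and DC02, and the CORP domain as one where dumping recurred months apart.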
The warning is based primarily on technical insights gleaned from CISA and industry response activities at victim organizations within the United States, primarily in communications, energy, transportation, and water and wastewater sectors.