Geopolitical Insights

Academy SITREP – Urgent Cyber Threat of Volt Typhoon

March 25, 2024

What has Happened:

  • As a follow-up to our recent T-Report, last week, the Cybersecurity and Infrastructure Security Agency (CISA) warned of the “urgent risk” posed by Chinese state-sponsored threat actors against critical infrastructure and urged senior leadership to take defensive actions.
  • The fact sheet warns critical infrastructure organizations of the risk posed by Volt Typhoon and provides guidance on specific actions to prioritize the protection of their organizations.
  • CISA, the FBI, and other U.S. and international partners outlined best practices for defending against “living off the land” cyber activity, where threat actors use an organization’s own tools to attack its network.
  • In January, CISA Director Jen Easterly testified before the House Select Committee on Strategic Competition Between the United States and the Chinese Communist Party and said, “Chinese cyber actors, including a group known as Volt Typhoon, are burrowing deep into our critical infrastructure to be ready to launch destructive cyberattacks in the event of a major crisis or conflict with the United States.”
  • Back in May 2023, we reported on this threat in our ATW and highlighted that the Chinese hacking group responsible (Volt Typhoon) targeted communications infrastructure in Guam and in certain other parts of the U.S. as well.
  • Guam is particularly sensitive because U.S. forces there would likely be involved in any U.S. response to a military move by China on Taiwan.

Why it Matters:

“This is a very serious threat and only getting worse. The threat actor is burrowing in and seeking to escalate privileges, while not getting caught. They are planning to wait us out to act at a time and place of their choosing. Please see below for some of the highlights from the 19 March 2024 CISA bulletin.

The U.S. authoring agencies assess that the PRC-sponsored advanced persistent threat group known as “Volt Typhoon” is seeking to pre-position themselves—using “living off the land” (LOTL) techniques — on IT networks for disruptive or destructive cyber activity against U.S. critical infrastructure in the event of a major crisis or conflict with the United States. The fact sheet warns critical infrastructure leaders of the urgent risk posed by Volt Typhoon and provides guidance on specific actions to prioritize the protection of their organization from this threat activity. This basically means that they will find ways into our critical infrastructure (power, water, banking, telecommunications, transportation, logistics, etc.) and establish their own backdoor access. The PRC has a very capable offensive cyber force, and this threat should be taken seriously by all who do business with China directly or through any suppliers in their supply chains. Their effects could be global if they decide to target U.S. allies as well, even though this could further complicate the conflict for them and may result in cyber-retaliation from other nation states.

How can it affect my company and business?

If they disrupt critical services like power to business telecommunications, data centers, logistics, and transportation hubs etc., businesses will grind to a halt, even those with contingency plans in place.  Businesses should be prepared for extended disruption – weeks and months, not just a few hours or days. There could be significant effects on the ability to move goods as well, and that includes others in your supply chains.

What can I do about it?

First and foremost – keep informed, ensure that you are tracking notices from reputable sources (CISA/Department of Homeland Security, FBI, NSA) and commercial intelligence feeds (if subscribed). Act on their recommendations (i.e. see CISA fact sheet referenced above). Second, keep your system defenses in their highest operating state – know what is normal on your networks and what is not and ensure all patches and monitoring tools are up to date. Understand your supply chains and interdependencies. Have backup plans ready to execute. Third, since most of the Volt Typhoon attacks target critical infrastructure, understand the impacts to “no fail” missions including second and third order effects when those are affected. Run through real-world and tabletop drills with the entire organization and have written procedures with clearly defined roles and responsibilities should those become necessary to use. You may not be able to stop disruption, but you want to minimize the impact and be resilient in keeping those “no fail” missions going.” Admiral Danelle Barrett