The US and its allies have sounded the alarm over Chinese state hackers, claiming they’re ready to launch destructive attacks on multiple critical national infrastructure (CNI) sectors in the event of a military conflict.
The advisory comes from multiple agencies including the FBI, NSA and CISA, and international partners like the UK’s National Cyber Security Centre (NCSC). It said that Chinese threat group Volt Typhoon has positioned itself in sectors including communications, energy, transportation, and water and wastewater.
CISA director Jen Easterly urged all critical infrastructure organizations to review and implement the actions listed in the advisory and to report any Volt Typhoon activity.
The Threat from China is Real
“The [People’s Republic of China (PRC)] cyber threat is not theoretical: leveraging information from our government and industry partners, CISA teams have found and eradicated Volt Typhoon intrusions into critical infrastructure across multiple sectors. And what we’ve found to date is likely the tip of the iceberg,” she argued.
“Today’s joint advisory and guide are the result of effective, persistent operational collaboration with our industry, federal, and international partners and reflect our continued commitment to providing timely, actionable guidance to all of our stakeholders. We are at a critical juncture for our national security.”
Last week, the US government announced that it had disabled hundreds of small office/home office (SOHO) routers compromised by Volt Typhoon in a bid to dismantle its attack infrastructure.
The group is linked to China’s Ministry of State Security (MSS) and has been active since at least 2021. Microsoft warned in October last year that it and other Chinese groups like Circle Typhoon were primed to launch destructive attacks after successfully targeting CNI.
Paul Laudanski, director of security research at Onapsis, said the joint advisory provides a solid framework for security best practices like monitoring, patching and network segmentation.
“However, it’s crucial to broaden our scope beyond the highlighted areas, as attackers often target overlooked vulnerabilities,” he added.
“Business-critical applications should also be regularly patched and monitored, as they are prime targets for nation-state actors. Additionally, while publicized threats are important, we must remain vigilant against potential decoy attacks that could mask more insidious breaches.”
Five Eyes Release New Guidance
The joint advisory warns of China’s advanced use of “living-off-the-land” techniques, designed to enable threat actors to blend in with normal system activities, avoid identification by monitoring tools and limit activity captured by “common logging configurations.”
As such, the Five Eyes allies released an additional guidance document designed to enable CNI and other organizations to better identify and mitigate such techniques.
“It is vital that operators of UK critical infrastructure heed this warning about cyber attackers using sophisticated techniques to hide on victims’ systems. Threat actors left to carry out their operations undetected present a persistent and potentially very serious threat to the provision of essential services,” warned NCSC director of operations Paul Chichester.
“Organizations should apply the protections set out in the latest guidance to help hunt down and mitigate any malicious activity found on their networks.”
These include:
- Implementing logging and aggregating logs in an “out-of-band” centralized location
- Establishing a baseline of “normal” network, user and application activity, and using automated tools to continually review logs and detect suspicious activity
- Reducing alert noise
- Implementing application allow-listing
- Enhancing network segmentation and monitoring
- Deploying authentication controls
- Using user and entity behavior analytics (UEBA)
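As an added illustration of the baseline, automated log review and alert-noise items above (this is example code written for this page, not part of the advisory or the guidance document), the sketch below learns per-user sets of hosts and processes from a baseline window of constructed process-creation records, then flags only review-window events that deviate from that baseline and collapses repeats so one deviation produces one finding. All host, user and process names are invented sample data.

```python
"""Baseline-and-deviation review of process-creation records (constructed sample)."""
from collections import defaultdict

# Constructed sample records: (day, host, user, process).
# Days 1-3 are treated as the "known normal" baseline window.
BASELINE_LOGS = [
    (1, "ws01", "alice", "outlook.exe"),
    (1, "ws01", "alice", "excel.exe"),
    (2, "ws01", "alice", "outlook.exe"),
    (1, "srv02", "svc_backup", "backup.exe"),
    (2, "srv02", "svc_backup", "backup.exe"),
    (3, "srv02", "svc_backup", "backup.exe"),
]
# Day 4 is the window under review (also constructed).
REVIEW_LOGS = [
    (4, "ws01", "alice", "outlook.exe"),            # matches baseline, no finding
    (4, "srv02", "svc_backup", "backup.exe"),        # matches baseline, no finding
    (4, "srv02", "svc_backup", "powershell.exe"),    # process never seen for this account
    (4, "srv02", "svc_backup", "powershell.exe"),    # repeat: collapsed into the finding above
    (4, "dc01", "alice", "excel.exe"),               # known process, host never seen for user
]

def build_baseline(logs):
    """Return per-user sets of hosts and processes observed in the baseline window."""
    hosts, procs = defaultdict(set), defaultdict(set)
    for _day, host, user, proc in logs:
        hosts[user].add(host)
        procs[user].add(proc)
    return hosts, procs

def review(logs, baseline):
    """Flag events outside the baseline; identical deviations are reported once."""
    hosts, procs = baseline
    findings, seen = [], set()
    for day, host, user, proc in logs:
        reasons = []
        if user not in procs:
            reasons.append("unknown user")
        else:
            if proc not in procs[user]:
                reasons.append(f"new process {proc}")
            if host not in hosts[user]:
                reasons.append(f"new host {host}")
        key = (host, user, proc)
        if reasons and key not in seen:      # noise reduction: one finding per deviation
            seen.add(key)
            findings.append((day, host, user, proc, "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for finding in review(REVIEW_LOGS, build_baseline(BASELINE_LOGS)):
        print(finding)
```

In practice the baseline window would be built from the out-of-band log store and refreshed as normal activity changes, so that a stale baseline does not itself become a source of noise.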