The Cybersecurity and Infrastructure Security Agency (CISA) published a joint cybersecurity advisory alongside the National Security Agency (NSA), the Federal Bureau of Investigation (FBI) and other key U.S. and international government agencies. The advisory is due to malicious activity by a People’s Republic of China (PRC) state-sponsored cyber actor known as Volt Typhoon, designed to compromise critical infrastructure and associated actions that should be urgently undertaken by all organizations.

Ken Dunham, Cyber Threat Director with the Qualys' Threat Research Unit (TRU), says that “China has quietly been amassing for decades a cyber hacking army that is massive compared to every other force in the world, with a number of threats named to the country, including Volt Typhoon. Volt Typhoon, aka Bronze Silhouette and Vanguard Panda, is a Chinese group active for several years, targeting critical infrastructure in Guam and the U.S. verticals targeted include communications, manufacturing, utility, transportation, construction, maritime, government, information technology and education. Techniques, tactics and procedures (TTPs) utilized by this group are very advanced, with strong evasive tactics to avoid detection and run in memory on a compromised device and very strong social engineering performed through targeted persistent attacks. 

The group is known to run file-less payloads, where malware is executed into memory without leaving a trace of the malware on a disk, to avoid detection and forensic analysis. They also heavily use 'living off the land' tactics to leverage tools within a compromised environment for optimized land and to expand operations. Volt Typhoon has traditionally targeted network and router infrastructure, including ASUS, Cisco, D-Link and Zyxel. With such a large amount of effort exhibited to target critical infrastructure, priorities must be made to increase visibility and security for all such targets against such a sophisticated and focused adversary, especially water, sanitation, utility and communications within the U.S.

Therefore, government agencies must urgently focus on implementing a layered security approach that includes rigorous vulnerability management, ongoing network monitoring, and advanced threat detection capabilities. In addition to adopting these advanced cyber risk management practices, agencies must foster a culture of cybersecurity awareness and resilience. This step means regular training for all personnel, robust incident response planning and promoting international collaboration to respond effectively to these threats. As we witness cyber aggression escalating into a new theater of war, our national security depends on staying several steps ahead through innovation, vigilance and an unyielding commitment to cyber resilience.”

CISA and its U.S. Government partners have confirmed that this group of PRC state-sponsored cyber actors has compromised entities across multiple critical infrastructure sectors in cyberspace, including communications, energy, transportation, and water and wastewater, in the United States and its territories. The data and information CISA and its U.S. Government partners have gathered strongly suggest the PRC is positioning itself to launch destructive cyberattacks that would jeopardize the physical safety of Americans and impede military readiness in the event of a major crisis or conflict with the United States.

In addition to the joint Cybersecurity Advisory, CISA and our partners also released complementary Joint Guidance to help all organizations effectively hunt for and detect the sophisticated types of techniques used by actors such as Volt Typhoon, known as “living off the land.” In recent years, the U.S. has seen a strategic shift in PRC cyber threat activity from a focus on espionage to pre-positioning for possible disruptive cyber-attacks against U.S. critical infrastructure. By using “living off the land” techniques, PRC cyber actors blend in with normal system and network activities, avoid identification by network defenses and limit the amount of activity that is captured in common logging configurations.

Detecting and mitigating “living off the land” malicious cyber activity requires a multi-faceted and comprehensive approach to discern legitimate behavior from malicious behavior and conduct behavior analytics, anomaly detection and proactive hunting. This advisory and complementary guidance provide organizations with details on how Volt Typhoon cyber threat actors use “living off the land” techniques to abuse legitimate, native tools and processes on systems and identifies specific details on the actors’ tactics, techniques and procedures (TTPs) using certain adversarial behavior patterns.

The joint advisory is based primarily on technical insights gleaned from CISA and industry response activities at victim organizations within the United States, primarily in communications, energy, transportation and water and wastewater sectors.