A major Chinese state-sponsored threat actor has been hiding on the networks of crucial U.S. infrastructure companies for years, a recently released advisory shows.
The advisorypublished by the Cybersecurity and Infrastructure Security Agency (CISA), the NSA, the FBI and Five Eyes agencies, claims that the group, known as Volt Typhoon, compromised and then established itself in networks of multiple critical infrastructure organizations in the country for at least a minimum of five years.
They were able to do that by living off the land (LOTL) and using stolen accounts, the organizations said.
Positioning for action
“In fact, US authoring agencies have recently observed evidence that Volt Typhoon actors have maintained access and a foothold within some victims’ IT environments for at least five years,” the statement said.
Another hallmark of Volt Typhoon’s approach to cyber espionage is ‘extensive pre-exploitation reconnaissance’, which allows the threat actor to learn a lot about the target organizations and their environment. With this knowledge, the group adapts their tactics, techniques and procedures (TTP) and allocates the appropriate resources to the campaign.
Of all the compromised organizations, the majority are in the communications, energy, transportation, and water/wastewater sectors.
The purpose of this campaign was not just to monitor activity and steal sensitive information; the group also prepared for disruptive measures, if necessary. According to the advisory, should the conflict between the US and China escalate, the group would be well positioned to disrupt their adversary’s critical infrastructure.
“This is something we’ve been working on for a long time,” said Rob Joyce, NSA Cybersecurity Director and Deputy National Manager for National Security Systems (NSS). BleepingComputer.
“We’ve gotten better at all aspects of this, from understanding the scope of Volt Typhoon, to identifying the compromises likely to impact critical infrastructure systems, to hardening targets against these invaders, to working with partner agencies to combat cyber actors in the PRC.”