CISA declares Volt Typhoon an urgent threat and updates its DDoS response guide
Guidelines released this week by the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, and other U.S. and international partners outline best practices for defending against “living off the land” cyber activities – where threat actors use an organization’s own tools to attack its network – while addressing the specific needs and challenges of defending against distributed denial-of-service attacks with new solutions and visual aids.
WHY IT MATTERS
With contributions from Cisco Talos, NTT Corporation and Sophos, the agencies delivered a joint fact sheet warning critical infrastructure entities to take the threat of attacks by Chinese state-sponsored actors “seriously.”
The new guidelines follow a February 7 cybersecurity advisory that warned that, amid increased geopolitical tensions, Volt Typhoon has used LOTL intrusions into critical infrastructure networks to position itself to disrupt or destroy critical services.
The fact sheet highlights the actions leaders can take to make informed and proactive resource decisions based on the threat:
“Key best practices for your cybersecurity teams include ensuring that logging, including for access and security, is enabled for applications and systems and that logs are stored in a central system,” CISA said, encouraging organization leaders to ask IT teams to locate and review logs for known commands used by Volt Typhoon threat actors.
The Volt Typhoon commands and PowerShell scripts observed by the US authoring agencies during incident response activities can be found in Appendix A of last month’s cybersecurity advisory.
“CISA and partners are releasing this fact sheet to provide guidance to leaders of critical infrastructure entities to prioritize the protection of critical infrastructure and functions,” the agency said in the new guidance.
“The authoring agencies urge leaders to recognize cyber risk as a core business risk. This recognition is both necessary for good governance and fundamental for national security.”
Additionally, the Multi-State Information Sharing and Analysis Center updated the joint DDoS defense guide, Understanding and Responding to Distributed Denial-of-Service Attacks, with new technical information on attack vectors, nine visual aids, and additional measures to defend against DDoS techniques.
THE BIG TREND
In January, CISA Director Jen Easterly testified before the House Select Committee on Strategic Competition Between the United States and the Chinese Communist Party about the PRC’s intention to disrupt critical infrastructure in the United States, including telecommunications.
“Chinese cyber actors, including a group known as Volt Typhoon, are digging deep into our critical infrastructure to be ready to launch destructive cyber attacks in the event of a major crisis or conflict with the United States,” she said in her testimony.
In October, CISA warned that CVE-2023-44487 affecting HTTP/2 – a DDoS vulnerability also known as Rapid Reset – could compromise critical infrastructure, while the Health Information Sharing and Analysis Center warned its members about the LOTL threat.
While malware may be the more prominent threat to healthcare organizations, a wave of coordinated KillNet DDoS attacks on hospital websites around the turn of 2023 caught the attention of Fitch Ratings, which warned that cyberattacks that compromise service delivery could ultimately affect a hospital’s financial profile.
ON THE RECORD
“The US authoring agencies believe that the PRC-sponsored advanced persistent threat group known as Volt Typhoon is attempting to position itself – using living off the land (LOTL) techniques – on IT networks for disruptive or destructive cyber activities against US critical infrastructure in the event of a major crisis or conflict with the United States,” the agencies said in a statement on Tuesday.
Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.