A major Chinese state-sponsored threat actor was lurking on the networks of critical US infrastructure firms for years, a newly released advisory has claimed.
The advisory, published by the Cybersecurity and Infrastructure Security Agency (CISA), the NSA, the FBI, and Five Eyes partner agencies, claims the group, known as Volt Typhoon, compromised, and then dwelled on, the networks of multiple critical infrastructure organizations in the country for at least five years.
They were able to do that by living off the land (LOTL) and using stolen accounts, the agencies said.
Positioning for action
“In fact, the U.S. authoring agencies have recently observed indications of Volt Typhoon actors maintaining access and footholds within some victim IT environments for at least five years,” the statement said.
Another hallmark of Volt Typhoon’s approach to cyberespionage is “extensive pre-exploitation reconnaissance”, which helps the threat actor learn a great deal about the target organizations and their environments. With this knowledge, the group tailors its tactics, techniques and procedures (TTPs) and allocates the appropriate resources to the campaign.
Of all the compromised organizations, most are in communications, energy, transportation, and water/wastewater industries.
The goal of this campaign wasn’t just to monitor activity and steal sensitive information; the group was also positioning itself for disruptive action, if need be. According to the advisory, should the conflict between the US and China escalate, the group would be properly positioned to disrupt its adversary’s critical infrastructure.
“We have gotten better at all aspects of this, from understanding Volt Typhoon’s scope, to identifying the compromises likely to impact critical infrastructure systems, to hardening targets against these intrusions, to working together with partner agencies to combat PRC cyber actors.”