Intelligence advisory: China-linked Volt Typhoon hackers infiltrate US critical infrastructure
There are indications that the threat actor maintained access in some victim IT environments for at least five years.
Volt Typhon, a threat actor linked to China, is strategically positioning itself within US critical infrastructure, in anticipation of launching disruptive or destructive cyberattacks during major crises or conflicts, an intelligence advisory cautioned.
The threat actor’s choice of targets and pattern of behaviour strongly suggests that it is not gathering intelligence or engaging in traditional cyberespionage, but rather that it aims to establish a foothold in IT networks for lateral movement to Operational Technology (OT) assets, intending to disrupt critical infrastructure functions.
Volt Typhoon’s cyber activities are characterised by the use of living off the land (LOTL) techniques, relying on valid accounts, and maintaining strong operational security. These tactics enable the actors to persist undetected for extended periods.
The group has successfully compromised the IT environments of numerous critical infrastructure organisations across various sectors, including communications, energy, transportation systems, and water and wastewater systems, the advisory noted. There are indications that the threat actor maintained access in some victim IT environments for at least five years.
Why does it matter?
This isn’t the first time concerns have been raised about Volt Typhoon posing a threat to the critical infrastructure of the US. Just last week, FBI Director Christopher Wray alerted the House Select Committee on the Chinese Communist Party about the escalating threat of Chinese cyberattacks on US infrastructure. Subsequently, the news that the US government had dismantled Volt Typhoon’s botnet broke out.
This advisory also brings insight into the worries of USA’s allies. The Canadian Centre for Cyber Security (CCCS) evaluates that the immediate risk to Canada’s critical infrastructure from state-sponsored actors linked to China is probably less than that to US infrastructure. However, if US infrastructure experiences disruptions, Canada is likely to be impacted due to cross-border integration.
Australian Signals Directorate’s (ASD’s) Australian Cyber Security Centre (ACSC) and New Zealand National Cyber Security Centre (NCSC-NZ) analyse that the critical infrastructure in Australia and New Zealand, respectively, might be susceptible to comparable activities from state-sponsored actors associated with China.