
"Five Eyes urges top executives of critical infrastructure to treat potential threats from China with importance"

Authorities offer advice for identifying and countering Volt Typhoon's stealth tactics, as advisories regarding its potential threats become increasingly crucial.

Five Eyes alliance urges leaders of critical infrastructure to regard China-linked potential threats as significant concerns


Volt Typhoon, a Chinese state-sponsored cyber threat actor, has been targeting critical infrastructure, including military installations and key telecommunications networks, with the intent of establishing long-term access for potential disruption if geopolitical conflict arises, particularly concerning Taiwan.

The nature of the threat posed by Volt Typhoon is stealthy and insidious. The group has been attempting to penetrate critical infrastructure systems in locations such as Guam, Hawaii, and Texas, aiming to maintain persistent, covert footholds to enable future disruption or sabotage during a conflict escalation. However, recent U.S. government reports indicate that Volt Typhoon was not fully successful in maintaining this persistent access, with affected systems cleansed and threat actors removed.

Volt Typhoon's activities distinguish it from other Chinese groups like Salt Typhoon, which focused more on espionage and data access rather than prepositioning for sabotage. Volt Typhoon represents a strategic cyber operation preparing for potential conflict with the United States by targeting critical infrastructure for disruption rather than primarily spying or harvesting information.

Protection for critical infrastructure organizations against Volt Typhoon and similar threats includes enhanced cyber defense measures, continuous network monitoring, information sharing and collaboration between federal agencies and private sector operators, adherence to updated cybersecurity frameworks and compliance mandates, and incident response readiness. These measures aim to limit Volt Typhoon’s ability to re-establish presence and disrupt critical infrastructure, reflecting an ongoing government effort to neutralize sophisticated state-sponsored cyber campaigns.

The agencies urge leaders to recognise cyber risk as a core business risk and to protect themselves against the living off the land techniques used by Volt Typhoon. Continuous training and regular tabletop exercises are strongly encouraged for organisations to better defend against Volt Typhoon and other threat actors.

To secure critical infrastructure, organisations are urged to establish strong vendor risk management processes and to exercise due diligence in vendor selection by following secure-by-design principles. Detecting and mitigating living off the land techniques, in which an intruder uses the legitimate administration tools already present on a system rather than custom malware, requires consistent logging of access and security events, with the logs forwarded to and retained in a central system so that activity across hosts can be compared.
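The following is an added example illustrating the two checks that centralised logging makes possible in the passage above; it is not code from the page or from any Five Eyes agency. It assumes a constructed record format (JSON lines with `ts`, `host`, `user`, `process` and `parent` fields), an illustrative watch list of built-in administration binaries, a constructed baseline of accounts and parent processes for which those binaries are expected, and a 30-minute reporting interval per host; none of these values come from the page.

```python
"""Toy central-log checks for living-off-the-land (LOTL) activity.

Added example, not code from the page or from any agency advisory.
Assumptions (not from the page): log lines are JSON records with
ts, host, user, process and parent fields; the watched binaries,
baseline accounts/parents and reporting interval are illustrative.
"""
import json
from datetime import datetime, timedelta

# Built-in utilities that LOTL intrusions tend to reuse; illustrative list.
WATCHED_BINARIES = {"netsh.exe", "wmic.exe", "ntdsutil.exe", "powershell.exe"}
# Constructed baseline: accounts and parent processes for which running
# those utilities is expected (e.g. a patching service account).
ADMIN_ACCOUNTS = {"svc-patch"}
EXPECTED_PARENTS = {"services.exe", "explorer.exe"}

# Constructed sample records as they might arrive in a central log store.
SAMPLE_LOGS = [
    '{"ts":"2024-03-20T10:00:00","host":"hmi-01","user":"svc-patch",'
    '"process":"powershell.exe","parent":"services.exe"}',
    '{"ts":"2024-03-20T10:05:00","host":"hmi-02","user":"operator",'
    '"process":"notepad.exe","parent":"explorer.exe"}',
    '{"ts":"2024-03-20T10:07:00","host":"hmi-02","user":"operator",'
    '"process":"ntdsutil.exe","parent":"cmd.exe"}',
    '{"ts":"2024-03-20T10:40:00","host":"hmi-01","user":"svc-patch",'
    '"process":"netsh.exe","parent":"services.exe"}',
]


def parse_records(lines):
    """Parse JSON log lines and return them ordered by timestamp."""
    records = []
    for line in lines:
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def flag_lotl(records):
    """Return (host, user, process, parent) for watched binaries that were
    run outside the baseline of expected accounts and parent processes."""
    hits = []
    for r in records:
        if r["process"].lower() not in WATCHED_BINARIES:
            continue
        if r["user"] in ADMIN_ACCOUNTS and r["parent"].lower() in EXPECTED_PARENTS:
            continue  # matches the known-good baseline
        hits.append((r["host"], r["user"], r["process"], r["parent"]))
    return hits


def logging_gaps(records, max_silence=timedelta(minutes=30), until=None):
    """Return hosts whose most recent record is older than max_silence.

    Consistent logging is itself a control: a host that stops reporting
    deserves attention, since a quiet host cannot be compared with others.
    `until` defaults to the newest timestamp in the batch."""
    last_seen = {}
    for r in records:
        prev = last_seen.get(r["host"], r["ts"])
        last_seen[r["host"]] = max(prev, r["ts"])
    if until is None:
        until = max(last_seen.values())
    return sorted(h for h, t in last_seen.items() if until - t > max_silence)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOGS)
    for hit in flag_lotl(recs):
        print("LOTL candidate:", hit)
    for host in logging_gaps(recs):
        print("No recent logs from:", host)
```

Both checks depend on the logs being in one place: the baseline comparison needs records from every host to be searchable together, and the silence check only works if the collector knows which hosts are supposed to report at all.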

The Five Eyes, including U.S. agencies and counterparts from Australia, Canada, New Zealand, and the U.K., advise critical infrastructure organisations to follow CISA's cybersecurity performance goals and guidance from their respective sector-risk management agencies. The White House and Environmental Protection Agency have called for governors to send health, environmental, and homeland security officials to a virtual meeting.

The warning from the Five Eyes comes after a February warning detailing Volt Typhoon's presence in various transportation, energy, communications, and water and wastewater systems. The full extent of the Volt Typhoon campaign remains unknown, according to NSA Cyber Director Rob Joyce, who is retiring at the end of this month.

In summary, Volt Typhoon is a significant and evolving cyber threat actor focusing on U.S. critical infrastructure with the goal of covert prepositioning for strategic disruption. Efforts by U.S. agencies have so far prevented long-term persistence. Critical infrastructure operators protect themselves primarily through proactive defense, continuous monitoring, federal collaboration, and legislative support to improve resilience against such state-sponsored cyber threats.

  1. The stealthy and insidious activities of Volt Typhoon pose a significant cyber risk, as they aim to establish long-term access for potential disruption of critical infrastructure, such as military installations and key telecommunications networks.
  2. Protection against Volt Typhoon and similar threats involves implementing enhanced cyber defense measures, continuous network monitoring, information sharing with federal agencies and private sector operators, adherence to updated cybersecurity frameworks, and maintaining incident response readiness.
  3. To secure critical infrastructure, organizations should establish strong vendor risk management processes, exercise due diligence in vendor selection, follow secure-by-design principles, consistently log access and security events, and store logs in a central system.
  4. Volt Typhoon remains a significant and evolving cyber threat actor focused on U.S. critical infrastructure with the goal of covert prepositioning for strategic disruption, so critical infrastructure operators must recognise cybersecurity as a core business risk and prioritise defence against living off the land techniques.
