In a stark warning this week, the Cybersecurity and Infrastructure Security Agency, FBI, and National Security Agency said that Volt Typhoon has compromised the IT environments of multiple critical infrastructure organizations in such sectors as communications, energy, transportation, and water and wastewater systems in the United States and some of its territories, including Guam.
The advanced persistent threat group has hidden in some systems for as long as five years, essentially using the IT systems as the entry point into organizations' operational technology (OT) environments.
The hackers behind Volt Typhoon do a lot of reconnaissance before launching their attacks, learning as much as possible about the organizations they're targeting and their IT environments and then adapting their tactics accordingly, according to CISA. From there, they work to keep a presence in the systems and continue to collect information about the target, even after the initial compromise.
The agencies are urging IT and OT administrators at critical infrastructure organizations to hunt through their systems for indications of Volt Typhoon's presence and to root it out if found.
They laid out mitigation guidelines to follow, both in the advisory and in previous releases about living-off-the-land (LOTL) techniques, in which attackers rely on the built-in administrative tools of the systems they compromise rather than on custom malware.
The warning about Volt Typhoon - which also is known as Vanguard Panda, Bronze Silhouette, Dev-0391, UNC3236, Voltzite, and Insidious Taurus - comes fewer than two weeks after the U.S. Justice Department said it had taken down a botnet comprising hundreds of Cisco and Netgear routers for home and small offices that was being used by the threat group.
The DOJ said Volt Typhoon had been using the KV Botnet to conceal the Chinese origins of its malicious activities against the United States.
CISA had issued an advisory in May 2023 about Volt Typhoon targeting such networking gear as part of its LOTL efforts.
At the time that the DOJ announced the takedown of the KV Botnet, Toby Lewis, global head of threat analysis at cybersecurity vendor Darktrace, said the operation likely disrupted Volt Typhoon's infrastructure, but noted that the hackers were still free.
That said, researchers with Lumen Technologies' Black Lotus Labs group wrote this week that the KV Botnet is still out of action, though they warned that a large number of out-of-date and end-of-life edge devices that no longer receive patches remain in service on the internet.
CISA's advisory also comes as U.S. government officials continue to warn about the ongoing cyberthreat from the Chinese government.
FBI Director Christopher Wray, who has given lawmakers similar warnings at other hearings, said that not enough public attention has been paid to the effort by Chinese hackers to target U.S. critical infrastructure and the risks those efforts pose to American citizens.
The office added that China likely has the capabilities to launch cyberattacks against critical infrastructure like oil and gas pipelines and rail systems in the United States.
Volt Typhoon isn't the only China-sponsored group looking to work its way into networking gear to move into organizations' environments.
Government agencies in both the United States and Japan last year said the BlackTech group was modifying the firmware of Cisco routers, and possibly gear from other vendors, to maintain a presence in the networks of U.S. and East Asian multinational companies.
This Cyber News was published on securityboulevard.com. Publication date: Thu, 08 Feb 2024 18:43:04 +0000