The US Cybersecurity and Infrastructure Security Agency has issued a report detailing how the China-backed Volt Typhoon advanced persistent threat is consistently targeting highly sensitive critical infrastructure, with new information on the cyberattackers' pivot to operational technology networks once they've burrowed inside.
Given that the OT network is responsible for the physical functions of industrial control systems and supervisory control and data acquisition equipment, the findings clearly corroborate the ongoing suspicion that Chinese hackers are looking to be able to disrupt critical physical operations in energy, water utilities, communications, and transportation, presumably to cause panic and discord in the event of a kinetic conflagration between the US and China.
It's an important set of revelations, according to John Hultquist, chief analyst at Mandiant Intelligence/Google Cloud.
CISA also revealed today that Volt Typhoon has secretly hidden in US infrastructure for half a decade, even though the group was first publicly outed by Microsoft only last year.
While Volt Typhoon's strategy of staying hidden by using legitimate, already-installed utilities and blending in with normal traffic (living off the land, or LOTL) isn't a new phenomenon in cybercrime, it does make it difficult for potential targets to actively scan for malicious activity, according to CISA, which issued extensive LOTL guidance today for doing just that.
An infrastructure update, even though it could in some cases require a costly and labor-intensive forklift replacement, would not hurt either.
Worryingly, CISA also noted that the danger extends beyond the US. Last month, SecurityScorecard's STRIKE team identified new infrastructure linked to Volt Typhoon that indicated the APT was also targeting Australian and UK government assets.
The CISA report broadens that risk to also include Canada and New Zealand - all of these US partners' infrastructure is also susceptible to nation-state actors, it warned.
CISA's advisory comes on the heels of a government action to disrupt the group's small office/home office router botnet, which it used to throw off those tracking its activity.
This Cyber News was published on www.darkreading.com. Publication date: Wed, 07 Feb 2024 23:15:33 +0000