The FBI and Cybersecurity and Infrastructure Security Agency confirmed the state-sponsored threat actor Volt Typhoon compromised the IT environments of multiple critical infrastructure providers in the U.S. The group and other China state-linked actors are operating a broad campaign to sow panic and disruption in preparation for a possible military attack in the Asia-Pacific region.
The agencies issued a detailed advisory with key international partners, warning that the threat group has already embedded itself inside the systems of numerous transportation, energy, communications, and water and wastewater providers, using so-called living off the land techniques that are designed to blend malicious activity in with normal administration.
The agencies assess that the threat actors are positioning to launch destructive cyberattacks that could cause massive disruption in these key industries and distract the U.S. from responding to military action, including a possible China-led invasion of Taiwan.
“Our evidence strongly suggests that the PRC actors are prepositioning to launch future disruptive or destructive cyberattacks that could cause impact to national security, economic security or public health and safety,” Eric Goldstein, executive assistant director for cybersecurity at CISA, said Wednesday during a media briefing.
The U.S. agencies found evidence of Volt Typhoon and other actors using living off the land techniques, relying on tools already built into the victim's operating systems rather than custom malware, and masking the origin of their traffic by routing it through compromised small office/home office routers and other commonly used networking equipment. In some victim environments the actors have maintained access for at least five years.
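Because living off the land leaves no malware to signature, defenders have to look at how built-in tools are invoked. The following is an added example, not code from the article, CISA or the FBI: it scans constructed Windows process-creation records for two command patterns that the agencies have publicly attributed to Volt Typhoon, `netsh interface portproxy add` (a host-level TCP forwarder used for pivoting) and `ntdsutil ... ifm` (an Install-From-Media copy of the domain database, which contains credential hashes). The log format, host names, user names and the `expected` allow-list are assumptions for the demonstration; the caveat the allow-list encodes is the important one, since both tools have legitimate administrative uses and a rule like this only works against a baseline of who is expected to run them.

```python
"""Flag living-off-the-land command lines in process-creation events.

Added example, not code from the article or the agencies it cites.
The event format is a simplified, constructed pipe-delimited export
(timestamp|host|user|parent image|command line); real Sysmon/4688
exports would need their own parser.
"""
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    user: str
    rule: str
    command: str


def _image(token: str) -> str:
    """Reduce 'C:\\Windows\\System32\\netsh.exe' (possibly quoted) to 'netsh'."""
    name = token.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def rule_portproxy_pivot(tokens: list[str]) -> bool:
    """netsh ... portproxy add ...: creates a listener that forwards TCP
    traffic to another host, a documented Volt Typhoon pivoting step.
    'netsh interface portproxy show all' is deliberately not matched."""
    return _image(tokens[0]) == "netsh" and "portproxy" in tokens and "add" in tokens


def rule_ntds_dump(tokens: list[str]) -> bool:
    """ntdsutil ... ifm ...: writes an Install-From-Media copy of NTDS.dit,
    i.e. every domain account's password hash, to disk."""
    return _image(tokens[0]) == "ntdsutil" and "ifm" in tokens


RULES = [
    ("netsh portproxy pivot", rule_portproxy_pivot),
    ("ntdsutil NTDS.dit dump", rule_ntds_dump),
]


def scan(events: str, expected: frozenset[tuple[str, str]] = frozenset()) -> list[Finding]:
    """Return one Finding per (event, rule) match.

    `expected` holds (host, user) pairs that are known to run these tools
    legitimately (e.g. a backup account on a domain controller); matches
    from those pairs are suppressed. Everything else is surfaced.
    """
    findings = []
    for line in events.splitlines():
        if not line.strip():
            continue
        timestamp, host, user, _parent, command = line.split("|", 4)
        # posix=False keeps Windows backslashes and quoted arguments intact.
        tokens = [t.lower() for t in shlex.split(command, posix=False)]
        if not tokens:
            continue
        for name, predicate in RULES:
            if predicate(tokens) and (host, user) not in expected:
                findings.append(Finding(timestamp, host, user, name, command))
    return findings


# Constructed sample events, not captured from any real host.
SAMPLE_EVENTS = r"""
2024-02-07T10:12:03Z|WS-1042|CORP\jsmith|explorer.exe|C:\Windows\System32\notepad.exe C:\Users\jsmith\notes.txt
2024-02-07T10:14:51Z|WS-1042|CORP\jsmith|cmd.exe|netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=9999 connectaddress=10.20.30.40 connectport=8443
2024-02-07T10:20:17Z|DC-01|CORP\svc-backup|cmd.exe|ntdsutil.exe "ac i ntds" ifm "create full C:\Windows\Temp\pro" q q
2024-02-07T10:21:02Z|DC-01|CORP\jsmith|cmd.exe|ntdsutil.exe "ac i ntds" ifm "create full C:\Windows\Temp\pro" q q
2024-02-07T10:25:44Z|WS-1042|CORP\jsmith|cmd.exe|netsh interface portproxy show all
"""

# Assumed baseline: the backup service account is expected to run ntdsutil on DC-01.
EXPECTED_ADMIN_USE = frozenset({("DC-01", r"CORP\svc-backup")})


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS, EXPECTED_ADMIN_USE):
        print(f"{f.timestamp} {f.host} {f.user}: {f.rule}\n    {f.command}")
```

Run as-is, the script reports the port-proxy on the workstation and the ntdsutil run by an ordinary user on the domain controller, while the backup account's identical ntdsutil command is suppressed by the baseline. Without the baseline the same command would fire three times, which is the noise problem that makes living off the land effective in the first place.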
The U.S. disclosed last week a court-ordered operation to disrupt a network of hundreds of privately owned SOHO routers infected with KV Botnet malware, which routed espionage traffic against other organizations through the devices without their owners' knowledge. The botnet targeted end-of-life Cisco and Netgear routers that were no longer serviced by their manufacturers.
The threat activity is aimed at critical infrastructure organizations in the U.S. and territories including Guam, with potential spillover effects into Canada. Cyber officials in Australia and New Zealand are preparing for similar threat activity against their critical sectors.
The attacks represent a significant shift in tactics for China-affiliated groups, which have traditionally focused on espionage and intellectual property theft from U.S. companies.
Other China-affiliated actors are engaged in similar threat activity against critical infrastructure, according to Cynthia Kaiser, deputy assistant director for the cybersecurity division at the FBI.
The warning and guidance followed an extraordinary hearing last week before the House Select Committee on the Chinese Communist Party, where FBI Director Chris Wray, CISA Director Jen Easterly, National Cyber Director Harry Coker and Gen. Paul Nakasone, who stepped down Friday as director of the National Security Agency and commander of U.S. Cyber Command, outlined the threat in stark detail.
Easterly warned the goal of the campaign was to crush the will of American citizens to support a military response in the event of a PRC military attack in the Asia-Pacific region.
“This is truly an Everything Everywhere, All at Once scenario,” Easterly said during the hearing. “And it's one where the Chinese government believes that it will likely crush American will for the U.S. to defend Taiwan in the event of a major conflict there.”
Mandiant officials said the actions by Volt Typhoon are similar to threat activity seen during the Ukraine conflict, where critical infrastructure was attacked to disrupt a military response.
“Specifically, Volt Typhoon is gathering information on, and even penetrating, operational technology systems, the highly sensitive systems that run the physical processes at the heart of critical infrastructure,” John Hultquist, chief analyst, Mandiant Intelligence, Google Cloud, said Wednesday in a statement. “Under the right conditions, OT systems could be manipulated to cause major shutdowns of essential services, or even to create dangerous conditions.”
Microsoft warned in May 2023 that Volt Typhoon was gaining initial access through internet-facing Fortinet FortiGuard devices and then routing its traffic through compromised SOHO network equipment so that it blended in with normal activity.
Researchers from SecurityScorecard issued a report last month showing Volt Typhoon compromised a subset of Cisco RV320/325 routers over a 37-day period from Dec. 1 to Jan. 7, using two vulnerabilities disclosed in 2019: CVE-2019-1653, an information disclosure flaw, and CVE-2019-1652, a command injection flaw. Both device models are end of life and no longer receive fixes.
Black Lotus Labs published a report in December detailing threat activity linked to the KV Botnet. The activity in the report dates back to February 2022 and included Netgear ProSafe firewalls acting as relay nodes in connection with Volt Typhoon activity.
CISA is urging technology companies to make major changes in how they develop and configure software and other products, so that they are as secure as possible by default against potential compromise.
This includes adopting memory-safe programming languages, eliminating default passwords and making multifactor authentication a standard feature.