US says China's Volt Typhoon is readying destructive cyberattacks
12 international govt agencies sound the alarm, critical infrastructure at the heart of threats
The US government today confirmed China's Volt Typhoon crew comprised "multiple" critical infrastructure orgs' IT networks in America – and Uncle Sam warned that the Beijing-backed spies are readying "disruptive or destructive cyberattacks" against those targets.
The Chinese team remotely broke into IT environments — primarily across communications, energy, transportation systems, and water and wastewater system sectors — in the continental and non-continental United States and its territories, including Guam.
"Volt Typhoon's choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the US authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions," a dozen Five Eyes government agencies warned on Wednesday.
The authoring agencies are: the US Cybersecurity and Infrastructure Security Agency (CISA), US National Security Agency (NSA), US Federal Bureau of Investigation (FBI), US Department of Energy (DOE), US Environmental Protection Agency (EPA), US Transportation Security Administration (TSA), Australian Signals Directorate's (ASD's) Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), a part of the Communications Security Establishment (CSE), United Kingdom National Cyber Security Centre (NCSC-UK), and New Zealand National Cyber Security Centre (NCSC-NZ).
According to the US agencies, Volt Typhoon will likely use any network access it can get to pull off disruptive attacks against American systems and equipment in the event of geopolitical tensions or military conflicts.
This follows last week's similar warning from FBI Director Christopher Wray that Chinese attackers are preparing to "wreak havoc" on American infrastructure, and the Justice Department's disclosure that Volt Typhoon infected "hundreds" of outdated Cisco and Netgear equipment with malware in an attempt to break into US critical infrastructure facilities.
- Congress told how Chinese goons plan to incite 'societal chaos' in the US
- FBI confirms it issued remote kill command to blow out Volt Typhoon's botnet
- US shorts China's Volt Typhoon crew targeting America's criticals
- Is critical infrastructure prepared for OT ransomware?
While the threat to American critical infrastructure appears to be the highest, should US facilities be disrupted, "Canada would likely be affected as well, due to cross-border integration," according to CCCS.
Australian and New Zealand critical infrastructure could be vulnerable as well.
In addition to sounding the alarm, the government bodies issued a long list of technical details, TTPs observed in the digital break-ins, and detection recommendations and best practices.
Plus, there's three actions that owners and operators should take "today" to mitigate the threat.
These include: Apply patches for internet-facing systems with priority given to appliances that Volt Typhoon likes to exploit.
Second: Turn on phishing-resistant multi-factor authentication (MFA).
And finally, ensure that logging is turned on for applications, access and security logs, and store these logs in a centralized system. ®