Six US government agencies have joined four international partners to warn that attackers from the Volt Typhoon threat group are seeking to “pre-position” themselves for “disruptive or destructive” attacks against US critical infrastructure.
The Chinese state-sponsored threat group has already compromised systems in the communications, energy, transport, and water and wastewater sectors, the Cybersecurity and Infrastructure Security Agency (CISA) said in a joint advisory.
The new warning comes days after the US announced it had disrupted a Volt Typhoon operation.
The US agencies leading the response – CISA, the FBI, and the National Security Agency – said they’ve seen indications that Volt Typhoon actors have maintained access in some targets “for at least five years”.
The attackers conduct “extensive pre-exploitation reconnaissance” to study the target’s environment, letting them “tailor their tactics, techniques, and procedures (TTPs) to the victim’s environment; and dedicate ongoing resources to maintaining persistence and understanding the target environment over time, even after initial compromise.”
The agencies have published a separate document outlining how organisations can mitigate these “living off the land” techniques.
“Their strong focus on stealth and operational security allows them to maintain long-term, undiscovered persistence. Further, Volt Typhoon’s operational security is enhanced by targeted log deletion to conceal their actions within the compromised environment,” the advisory stated.
Because the observed activity is aimed at keeping access rather than stealing data or causing immediate damage, the agencies assess that the attackers intend to stay undetected until a geopolitical crisis or military conflict involving the US and China, at which point they would be in a position to exploit their access.
That puts a premium on logging the attacker cannot quietly erase: one of the key recommendations in the mitigation advice is that organisations collect comprehensive logs and keep them in an out-of-band environment, where the targeted log deletion described in the advisory cannot reach them, “to enable behaviour analytics, anomaly detection, and proactive hunting.”
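The following is an added example, not code from the advisory or from any of the authoring agencies, showing what an out-of-band log copy makes possible that a local log does not. It runs three simple hunts over constructed Windows event records as they might arrive at a central collector: it flags log-clearing events (the real Windows event IDs 1102 and 104), it flags hosts that stop forwarding for longer than a threshold, and it diffs the collector’s copy against what remains on the host to recover the records that were wiped. Every record, hostname and user below is constructed; the threshold and field names are assumptions for illustration.

```python
"""Hunt for log tampering using an out-of-band copy of Windows event logs.

Added example (not from the advisory). Event IDs 1102 and 104 are real
Windows event IDs that record a log being cleared; every record below is
constructed for illustration.
"""
from datetime import datetime, timedelta

# Windows event IDs written when a log is cleared (the clear itself is logged).
LOG_CLEARED_EVENT_IDS = {
    1102: "Security log cleared",
    104: "System or Application log cleared",
}

# Constructed records as received by a central collector. Hostnames, users and
# timestamps are made up; 4624 = logon, 4688 = process creation.
FORWARDED = [
    {"host": "dc01", "time": "2024-02-01T09:00:00", "event_id": 4624, "user": "svc_backup"},
    {"host": "dc01", "time": "2024-02-01T09:05:00", "event_id": 4624, "user": "jdoe"},
    {"host": "dc01", "time": "2024-02-01T09:07:00", "event_id": 4688, "user": "jdoe"},
    {"host": "dc01", "time": "2024-02-01T09:08:00", "event_id": 1102, "user": "jdoe"},
    {"host": "dc01", "time": "2024-02-01T09:10:00", "event_id": 4624, "user": "jdoe"},
    {"host": "fs02", "time": "2024-02-01T09:00:00", "event_id": 4624, "user": "alice"},
    {"host": "fs02", "time": "2024-02-01T09:30:00", "event_id": 4624, "user": "alice"},
    # fs02 is silent for several hours; could be tampering with the forwarder.
    {"host": "fs02", "time": "2024-02-01T15:00:00", "event_id": 4624, "user": "alice"},
]

# Constructed: what dc01's own Security log holds after the clear. Windows
# writes the 1102 event first, so only it and later records survive locally.
LOCAL_DC01 = [
    {"host": "dc01", "time": "2024-02-01T09:08:00", "event_id": 1102, "user": "jdoe"},
    {"host": "dc01", "time": "2024-02-01T09:10:00", "event_id": 4624, "user": "jdoe"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def _key(e):
    # Identity of a record for diffing local against forwarded copies.
    return (e["host"], e["time"], e["event_id"], e["user"])


def find_log_clears(events):
    """One finding per log-clearing event seen in the forwarded stream."""
    return [
        {"host": e["host"], "time": e["time"], "user": e["user"],
         "event_id": e["event_id"], "reason": LOG_CLEARED_EVENT_IDS[e["event_id"]]}
        for e in events
        if e["event_id"] in LOG_CLEARED_EVENT_IDS
    ]


def find_forwarding_gaps(events, max_gap=timedelta(hours=1)):
    """Hosts whose consecutive forwarded records are further apart than max_gap.

    A gap is only a lead: a quiet host looks the same as a disabled forwarder,
    so the threshold should be tuned per host against its normal event rate.
    """
    by_host = {}
    for e in sorted(events, key=lambda e: (e["host"], e["time"])):
        by_host.setdefault(e["host"], []).append(e)
    gaps = []
    for host, host_events in by_host.items():
        for prev, cur in zip(host_events, host_events[1:]):
            delta = _ts(cur["time"]) - _ts(prev["time"])
            if delta > max_gap:
                gaps.append({"host": host, "from": prev["time"],
                             "to": cur["time"], "gap_seconds": delta.total_seconds()})
    return gaps


def find_deleted_records(forwarded, local, host):
    """Records the collector holds for `host` that no longer exist on the host.

    This is the payoff of the out-of-band copy: the wiped activity is recoverable.
    """
    local_keys = {_key(e) for e in local}
    return [e for e in forwarded if e["host"] == host and _key(e) not in local_keys]


if __name__ == "__main__":
    for f in find_log_clears(FORWARDED):
        print("LOG CLEARED:", f)
    for g in find_forwarding_gaps(FORWARDED):
        print("FORWARDING GAP:", g)
    for r in find_deleted_records(FORWARDED, LOCAL_DC01, "dc01"):
        print("RECOVERED FROM COLLECTOR:", r)
```

On the constructed input the first hunt attributes the Security log clear on dc01 to `jdoe`, the second flags the five-and-a-half-hour silence from fs02, and the third recovers the three dc01 records (including the logon and process creation) that the clear removed from the host. In practice the same logic would run over a SIEM query rather than an in-memory list, and the 1102/104 check should be paired with an alert on the forwarding agent itself stopping, since an attacker who can clear logs can usually also stop the forwarder.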
As well as the three US lead agencies, the US Department of Energy, the Environmental Protection Agency, and the Transportation Security Administration (TSA) contributed to the advisory, along with international partners from Canada (the Canadian Centre for Cyber Security), the UK (the National Cyber Security Centre), New Zealand (the National Cyber Security Centre), and Australia (the Australian Signals Directorate’s Australian Cyber Security Centre).