China’s Volt Typhoon advanced persistent threat (APT), also known as “Voltzite,” has been actively targeting operational technology (OT) networks in critical infrastructure, including electric companies in the US [1] [5]. The US government is concerned that Volt Typhoon is pre-positioning itself to disrupt the power grid in the event of military conflict [1]. The Five Eyes intelligence alliance has recently warned that Volt Typhoon is preparing for disruptive or destructive cyberattacks against US critical infrastructure [3].

Description

China’s Volt Typhoon APT, also known as “Voltzite,” has been targeting operational technology (OT) networks in critical infrastructure, specifically electric companies in the US [1]. The US Justice Department and FBI have taken action to disable portions of the compromised network used by Volt Typhoon, which the group had built into a botnet by compromising vulnerable devices [5]. Although the group’s primary objective is to compromise physical industrial control systems (ICSes) at electric-sector targets, its incursions so far have been limited to IT networks [1]. The US government is concerned that Volt Typhoon is positioning itself to disrupt the power grid in the event of military conflict [1]. The Five Eyes intelligence alliance has also warned of Volt Typhoon’s preparations for disruptive or destructive cyberattacks against US critical infrastructure [3]. Volt Typhoon has additionally targeted telecom providers, military bases, and the United States emergency management organization [1] [5].

Dragos, another cybersecurity firm, has reported on a group it tracks as Voltzite, which shares similarities with Volt Typhoon [3]. Voltzite has targeted sites in Guam and compromised a large US city’s emergency services network [3]. This suggests that China’s hackers are positioning themselves on American infrastructure in order to cause harm to American citizens and communities [3] [5].

It is crucial for organizations to implement strong cybersecurity measures to protect against this threat [1]. Volt Typhoon has not yet demonstrated the ability to disrupt ICS/OT assets or operations, but its ability to infiltrate networks and remain hidden for extended periods poses a significant risk. The group relies on legitimate tools and living-off-the-land (LotL) techniques to evade detection [1], which makes proactive cybersecurity efforts all the more important.

The Chinese government’s Volt Typhoon spy team has also been observed targeting American telecommunications providers. In one instance, Volt Typhoon compromised a US electric company’s IT network for over 300 days before being detected [2]. The group did not infiltrate the operational technology network, but it did steal geographic information systems (GIS) data that could be used in future disruptive attacks [2]. The Chinese spies have compromised a range of devices and software, including Fortinet FortiGuard, PRTG Network Monitor appliances, ManageEngine ADSelfService Plus, FatePipe WARP, Ivanti Connect Secure VPN, and Cisco ASA [2]. They gain access to victims’ IT networks through vulnerable routers or VPN gateways and then use stolen credentials to move laterally through the network [2].

The FBI recently disrupted a cyber-attack plot by Chinese government-sponsored hackers known as “Volt Typhoon” or “Bronze Silhouette.” The hackers were planning to target American infrastructure, including water treatment plants, electrical grids, oil and gas pipelines, and transportation systems [4]. They used a sophisticated technique, infecting small office/home office (SOHO) routers with malware and using them to disguise their activities [4]. The FBI successfully removed the malware from these routers, cutting off communication between them and the botnet’s other devices [4]. FBI Director Christopher Wray emphasized the severity of the situation and urged Congress to invest in cyber capacity [4]. The Chinese Foreign Ministry denied the allegations, but Wray stressed the need to protect American infrastructure [4]. The FBI’s action highlights the ongoing challenge of state-sponsored hacking and the importance of stronger cybersecurity measures [4].

Conclusion

The activities of China’s Volt Typhoon APT pose a significant threat to critical infrastructure in the US. Its targeting of operational technology networks, including electric companies, and its potential to disrupt the power grid in the event of military conflict are causes for concern [1] [5]. The recent warnings from the Five Eyes intelligence alliance and the FBI’s disruption of Volt Typhoon’s cyber-attack plot underscore the need for organizations to implement strong cybersecurity measures. Because Volt Typhoon can infiltrate networks and remain hidden for extended periods, and because it uses legitimate tools and techniques to avoid detection, proactive cybersecurity efforts are crucial. The ongoing challenge of state-sponsored hacking makes stronger cybersecurity measures essential to protecting American infrastructure.

References

[1] https://www.darkreading.com/vulnerabilities-threats/volt-typhoon-hits-multiple-electric-cos-expands-cyber-activity
[2] https://cyber.vumetric.com/security-news/2024/02/14/china-s-volt-typhoon-spies-broke-into-emergency-network-of-large-us-city/
[3] https://fortune.com/2024/02/15/volt-typhoon-voltzite-china-hackers-us-critical-infrastructure/
[4] https://blog.tosibox.com/defending-against-cyber-threats-fbi-thwarts-chinese-hacking-ring
[5] https://thecyberwire.com/newsletters/control-loop/3/2