In the shadowy realm of cyber warfare, a formidable force has emerged out of China: an advanced persistent threat (APT) group known as Volt Typhoon. The group's recent activities represent a concerning strategic shift from conventional espionage to preparing for disruption in the event of significant conflict or crisis.
When examining the nature of their attacks on U.S. soil and territories, the targeted verticals reveal a deliberate effort to undermine critical lifelines and infrastructure: communications, manufacturing, utilities, and transportation, just for starters. So advanced are Volt Typhoon's tactics, techniques, and procedures (TTPs) that the group has repeatedly breached defenses with startling ingenuity over the past five years.
The narrative becomes more chilling when we investigate past events. The 2003 Northeast blackout, previously explained by authorities as a cascade of “technical failures,” may harbor a more sinister subplot: a Chinese-deployed cyber worm, known as “Welchia,” potentially exacerbated or synchronized with the grid's turmoil. My team's discovery of this network threat in the early 2000s paints a portrait of a long-engaged Chinese cyber adversary capable of potent systemic disruption to critical U.S. infrastructure.
This complex set of cyber intrusions also echoes the strategies employed during the 2008 Russia-Georgia conflict, where cyber-reconnaissance and attacks preceded boots on the ground, decimating Georgia’s critical infrastructure with Denial-of-Service (DoS) attacks as part of Russia’s military tactics. This significant moment in cyber warfare illustrated the devastation cyber adversaries can inflict on a nation’s critical infrastructure in tandem with conventional warfare tactics.
How cyber risk management can help against Volt Typhoon
APT groups like Volt Typhoon are increasingly using living-off-the-land (LOTL) attacks. In response, the Cybersecurity and Infrastructure Security Agency (CISA) has recently outlined best practice recommendations for agencies and organizations to detect and address LOTL attacks.
CISA advises implementing detailed logging and ensuring logs are stored in a centralized location with write-once, read-many capabilities to prevent attackers from modifying or erasing them. Additionally, establishing baselines of network, user, administrative and application activity, along with least privilege restrictions, is crucial for maintaining a robust defense against LOTL techniques.
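The two controls described above, activity baselines and tamper-evident log storage, can be exercised in code. The following is an added example written for this article, not code from CISA, Qualys, or the author: it learns a per-user, per-host baseline from a constructed set of historical process-creation records, then flags new records in which a built-in administrative tool (the kind of binary LOTL tradecraft relies on) is used by a principal that never used it during the baseline window, uses it outside that principal's observed working hours, or has no baseline at all. It also shows a hash-chained append-only log, which makes any after-the-fact edit detectable; this is a software stand-in for illustrating why write-once storage matters, not a replacement for it. The record format, the watched-tool list, and all log lines are constructed assumptions for the demonstration.

```python
"""Baseline-driven detection of living-off-the-land (LOTL) activity.

Added example; the record format, watched-tool list and log lines are
constructed for the demonstration and are not from the article or CISA.
"""
from __future__ import annotations

import hashlib
import json
from collections import defaultdict
from dataclasses import dataclass

# Built-in tools frequently seen in LOTL activity (assumed list for this example).
WATCHED_TOOLS = {"powershell.exe", "wmic.exe", "netsh.exe", "ntdsutil.exe", "certutil.exe"}


@dataclass(frozen=True)
class ProcEvent:
    ts: str      # ISO-8601 timestamp (UTC)
    host: str
    user: str
    image: str   # executable file name, lower-cased


def parse_event(line: str) -> ProcEvent:
    """Parse one JSON process-creation record (constructed field names)."""
    rec = json.loads(line)
    return ProcEvent(rec["ts"], rec["host"], rec["user"], rec["image"].lower())


def hour_of(ts: str) -> int:
    """Hour-of-day from an ISO-8601 timestamp such as 2024-03-06T03:12:44Z."""
    return int(ts[11:13])


class Baseline:
    """Per (host, user): the set of images run and the set of hours active."""

    def __init__(self) -> None:
        self.images: dict[tuple[str, str], set[str]] = defaultdict(set)
        self.hours: dict[tuple[str, str], set[int]] = defaultdict(set)

    def learn(self, ev: ProcEvent) -> None:
        key = (ev.host, ev.user)
        self.images[key].add(ev.image)
        self.hours[key].add(hour_of(ev.ts))

    def assess(self, ev: ProcEvent) -> list[str]:
        """Return the reasons an event deviates from baseline (empty list = normal)."""
        key = (ev.host, ev.user)
        who = f"{ev.user}@{ev.host}"
        if ev.image not in WATCHED_TOOLS:
            return []                      # only admin tooling is baselined here
        if key not in self.images:         # principal never seen during the baseline window
            return [f"{ev.image} run by unbaselined principal {who}"]
        reasons = []
        if ev.image not in self.images[key]:
            reasons.append(f"first use of {ev.image} by {who}")
        if hour_of(ev.ts) not in self.hours[key]:
            reasons.append(f"{ev.image} by {who} outside observed hours {sorted(self.hours[key])}")
        return reasons


class ChainedLog:
    """Append-only log where each entry's hash covers the previous hash.
    Editing or dropping any stored line breaks verify(); a software analogue of
    the write-once, read-many storage recommended above, not a substitute for it."""

    def __init__(self) -> None:
        self.entries: list[tuple[str, str]] = []   # (line, chain_hash)

    def append(self, line: str) -> str:
        prev = self.entries[-1][1] if self.entries else "0" * 64
        digest = hashlib.sha256((prev + line).encode()).hexdigest()
        self.entries.append((line, digest))
        return digest

    def verify(self) -> bool:
        prev = "0" * 64
        for line, digest in self.entries:
            if hashlib.sha256((prev + line).encode()).hexdigest() != digest:
                return False
            prev = digest
        return True


# Constructed baseline window: who normally runs what, and when.
BASELINE_LINES = [
    '{"ts":"2024-03-04T09:02:11Z","host":"dc01","user":"admin","image":"powershell.exe"}',
    '{"ts":"2024-03-04T10:15:40Z","host":"dc01","user":"admin","image":"powershell.exe"}',
    '{"ts":"2024-03-04T09:30:05Z","host":"ws01","user":"alice","image":"outlook.exe"}',
    '{"ts":"2024-03-04T13:45:12Z","host":"ws01","user":"alice","image":"chrome.exe"}',
    '{"ts":"2024-03-04T17:05:00Z","host":"ws01","user":"alice","image":"chrome.exe"}',
    '{"ts":"2024-03-05T02:00:03Z","host":"fs01","user":"svc_backup","image":"powershell.exe"}',
]

# Constructed new records to evaluate against that baseline.
NEW_LINES = [
    '{"ts":"2024-03-06T10:01:00Z","host":"dc01","user":"admin","image":"powershell.exe"}',
    '{"ts":"2024-03-06T13:20:00Z","host":"ws01","user":"alice","image":"chrome.exe"}',
    '{"ts":"2024-03-06T03:12:44Z","host":"ws01","user":"alice","image":"wmic.exe"}',
    '{"ts":"2024-03-06T14:00:00Z","host":"ws02","user":"bob","image":"netsh.exe"}',
]


def detect(baseline_lines: list[str], new_lines: list[str]) -> list[tuple[str, list[str]]]:
    """Learn the baseline, then return (timestamp, reasons) for every deviating record."""
    base = Baseline()
    for line in baseline_lines:
        base.learn(parse_event(line))
    alerts = []
    for line in new_lines:
        ev = parse_event(line)
        reasons = base.assess(ev)
        if reasons:
            alerts.append((ev.ts, reasons))
    return alerts


if __name__ == "__main__":
    for ts, reasons in detect(BASELINE_LINES, NEW_LINES):
        print(ts, "; ".join(reasons))
    log = ChainedLog()
    for line in NEW_LINES:
        log.append(line)
    print("log intact:", log.verify())
```

The admin's weekday PowerShell use and the workstation user's browser are silent; the same workstation user launching wmic.exe at 03:12, and an unknown account running netsh.exe, are surfaced with a stated reason. In a real deployment the baseline window would be weeks long and the watched-tool list and hour tolerance tuned to the environment, but the structure (learn from trusted history, alert on deviation, store the evidence where it cannot be quietly altered) is the one CISA's guidance describes.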
To mitigate these risks and strengthen their defenses, government agencies and organizations must also prioritize risk management frameworks. Regular audits, penetration testing, and adherence to risk management best practices are essential to ensuring the reasonable hardening of networks and systems. Moreover, the move towards a zero-trust architecture has become imperative: it represents a strategic shift in how access to IT resources is granted and monitored, with access issued just-in-time (JIT), only when required, and only to authorized individuals.
Security extends beyond design and setup: it includes ongoing maintenance and swift response to threats. Our recent 2023 Qualys TruRisk Research Report found that vulnerabilities take on average over 30 days to patch, with attackers often weaponizing them within a shorter time frame (19.5 days). This delay creates opportunities for nation-state actors such as China to cause damage and disruption. Therefore, it's crucial for government and private sector security teams to proactively manage patches using risk prioritization, focusing on the most critical assets with the greatest attack risk first, to de-risk agencies and organizations effectively.
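What "risk prioritization" looks like as a concrete ranking rule is easier to see in code. The following is an added example written for this article; it is not the Qualys TruRisk methodology or any vendor's scoring. It ranks open findings by asset criticality, exploitation status, and exposure rather than by raw severity alone, and marks any finding that has been open longer than the 19.5-day weaponization figure quoted above as overdue. The asset names, tier weights, multipliers, and vulnerability identifiers are constructed assumptions; none is a real CVE.

```python
"""Risk-based patch prioritization.

Added example, not the Qualys TruRisk model. Tier weights, multipliers,
assets and vulnerability ids are constructed for the demonstration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Average time to weaponization quoted in the article, used here as the SLA bound.
WEAPONIZATION_WINDOW_DAYS = 19.5

# Assumed asset-criticality weights; a real program would derive these from a BIA.
TIER_WEIGHT = {"crown_jewel": 3.0, "business": 2.0, "commodity": 1.0}


@dataclass(frozen=True)
class Finding:
    asset: str
    tier: str          # key into TIER_WEIGHT
    vuln_id: str       # placeholder identifier, not a real CVE
    cvss: float        # base severity
    exploited: bool    # known to be exploited in the wild
    exposed: bool      # reachable from the internet
    opened: date       # first seen by the scanner


def risk_score(f: Finding) -> float:
    """Severity scaled by asset criticality, doubled if exploited, 1.5x if exposed."""
    score = f.cvss * TIER_WEIGHT[f.tier]
    if f.exploited:
        score *= 2.0
    if f.exposed:
        score *= 1.5
    return round(score, 2)


def days_open(f: Finding, today: date) -> int:
    return (today - f.opened).days


def prioritize(findings: list[Finding], today: date) -> list[tuple[Finding, float, bool]]:
    """Return (finding, score, overdue) ordered by score, then by age, highest first."""
    rows = [(f, risk_score(f), days_open(f, today) > WEAPONIZATION_WINDOW_DAYS) for f in findings]
    rows.sort(key=lambda r: (r[1], days_open(r[0], today)), reverse=True)
    return rows


# Constructed sample inventory: note the kiosk carries the highest raw CVSS.
FINDINGS = [
    Finding("vpn-gw-01", "crown_jewel", "VULN-A", 9.8, exploited=True, exposed=True, opened=date(2024, 2, 1)),
    Finding("hr-app-02", "business", "VULN-B", 7.5, exploited=False, exposed=False, opened=date(2024, 2, 20)),
    Finding("kiosk-17", "commodity", "VULN-C", 9.1, exploited=False, exposed=False, opened=date(2024, 1, 10)),
    Finding("scada-hmi-03", "crown_jewel", "VULN-D", 6.5, exploited=True, exposed=False, opened=date(2024, 2, 25)),
]
TODAY = date(2024, 3, 1)

if __name__ == "__main__":
    for f, score, overdue in prioritize(FINDINGS, TODAY):
        flag = "OVERDUE" if overdue else "within window"
        print(f"{score:6.1f}  {f.asset:13} {f.vuln_id}  open {days_open(f, TODAY):2d}d  {flag}")
```

The ordering that results puts the exploited, internet-facing VPN gateway first and the exploited HMI on the operational network second, while the kiosk with the highest CVSS of the four ranks last: severity is only one input. The overdue flag is what turns the 30-day average versus 19.5-day weaponization gap into an actionable queue rather than a statistic.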
Operational security can protect critical infrastructure
Embracing comprehensive security frameworks like the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework and the Department of Defense's (DoD) Cybersecurity Maturity Model Certification (CMMC) program can offer systematic guidance for defense enhancement.
NIST’s Special Publication 800-53 offers a comprehensive catalog of 160 security controls covering the implementation of risk management techniques. This publication is particularly beneficial for federal agencies and organizations that require compliance with the Federal Information Security Management Act (FISMA).
However, when it comes to third-party contractors working with the Defense Department, the CMMC sets the standard. Built upon the foundation of NIST guidelines, CMMC incorporates processes that ensure operational security is not just a policy but a practice.
These processes are essential in critical U.S. infrastructure and operational technology fields, where the CMMC's guidelines cover tactical, strategic, and operational needs, thereby enhancing the protection of sensitive, unclassified information shared with contractors and subcontractors.
We can’t overstate the urgency for improved security measures; risk management must become a foundational element of strategic cybersecurity planning for government agencies and the private sector. Taking decisive steps towards bolstering our nation's defenses and embracing a proactive security culture within government and other organizations ensures that we can protect our critical infrastructure. Let’s start by first acknowledging the severity of the threat – and doing something about it.
Ken Dunham, director, cyber threats, Qualys Threat Research Unit