The Volt Typhoon cyberattack about a week or so ago on the militarily strategic U.S. territory of Guam serves as a wake-up call for all cybersecurity leaders managing industrial installations and other critical infrastructure on the U.S. mainland.

The Chinese state-backed group behind Volt Typhoon is known to have been silently surveilling U.S. critical infrastructure since at least 2021, and Chinese state-backed intrusion into the U.S. defense industrial base has a longer history. Recall, for example, when top secret data stolen from the U.S. defense contractors Lockheed Martin and Boeing was used to build the People’s Liberation Army’s FC-31 stealth fighter.

The Guam breach in the western Pacific by Volt Typhoon was a “living-off-the-land” attack. Unlike traditional attacks, living-off-the-land attacks are largely fileless: the attacker has no need to trick the target into installing malware. Instead, the intruder uses software already present on the system, such as built-in administrative and command-line tools and remote-management features, to move through the environment, collect credentials and data, and persist. Because nothing new is dropped on disk for antivirus or an allowlist to flag, the activity blends in with legitimate administration and the intrusion becomes far harder to detect; the only remaining signal is the pattern of how those legitimate tools are invoked, by whom, and from where.

Though Volt Typhoon activity has been observed as far back as mid-2021, it is plausible that the group has been active in the shadows for considerably longer. Even the group’s name can cause confusion. Microsoft coined the Volt Typhoon name after spotting the group’s activity. In Microsoft’s weather-themed taxonomy the “Typhoon” suffix does mark a China-based actor, but beyond that the name tells us nothing about the group’s tradecraft or how it relates to activity clusters that other vendors track under different names. For security teams trying to understand the big picture, the industry’s lack of standardized naming conventions can make related breaches appear as isolated incidents by disparate groups, rather than the product of ongoing, coordinated, state-sponsored programs.

Keeping the rainbow out of reach

The threats posed by emerging state-sponsored threat actors, from China and beyond, are often misunderstood. But the risks are very real. The covert installation of “sleeper software” in a system lets a threat actor execute a future attack, a digital echo of Cold War-era fears that Soviet “sleeper” saboteurs were laying the groundwork for attacks to come.
Like an assassin with a civilian cover, sleeper software can sit unnoticed in a system for years. Then, when a state decides to strike, it can trigger the sleeper software as part of a synchronized attack on military installations, power grids, communications systems, hospitals, industrial plants, or any other infrastructure of strategic significance.

For security leaders, here is the reality: if a state-sponsored actor wants to breach an organization, there is no way to be 100% certain that the target’s security team has blocked, and will continue to block, every attempt. State-sponsored groups have the resources, skills and time to methodically dissect the defenses of important targets. They can even breach air gaps. They will find a way in eventually.

Security teams must recognize this and focus on measures that limit the impact of a breach when one occurs. Network segmentation and the ability to isolate affected parts of an environment make it far easier to contain an incident. Make it harder for them to reach the end of the rainbow. Even the following best practices, which might seem obvious to some but are absent in many organizations, can prevent or slow down an attacker: multi-factor authentication; strong password enforcement with a 90-day reset policy (with the caveat that NIST SP 800-63B now recommends against mandatory periodic rotation in favor of longer passwords, screening against known-breached lists and immediate resets on any evidence of compromise); permitting only approved software to run on company assets, i.e. application allowlisting; and employee training, such as phishing exercises.

Despite high-profile state-sponsored attacks, most CISOs focus on mitigating the “spray and pray” approaches of financially motivated actors, who are responsible for the vast majority of known breaches. These threat actors, such as ransomware groups, seek quick payouts to maximize profits. State-sponsored actors can bide their time.
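Two points in the column above, that a living-off-the-land intrusion leaves no malicious file to flag and so must be caught by how legitimate tools are invoked, and that once such activity is spotted the affected account or segment should be isolated, are illustrated by the following detection sketch. It is an added example, not code from the original column or from Cynet. The process-creation events are constructed, the field names are an assumption rather than any vendor’s schema, and the rules are an illustrative subset of command shapes (netsh port proxy, ntdsutil IFM export, comsvcs MiniDump, native tools spawned via WMI) that public reporting has associated with this style of tradecraft.

```python
"""Detect living-off-the-land activity in process-creation telemetry.

Every image below is a legitimate, signed Windows binary, so hash- and
signature-based controls see nothing. The signal is in *how* the tool is
invoked: its arguments, its parent process and the account running it.
All events are constructed for this example; the field names follow the
general shape of Sysmon Event ID 1 / Windows 4688 records but are an
assumption, not any vendor's schema.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ts: str        # ISO-8601 timestamp
    host: str      # hostname the process started on
    user: str      # account that launched it
    parent: str    # parent image basename
    image: str     # full path of the launched image
    cmdline: str   # full command line


# Constructed telemetry: ordinary admin work mixed with command shapes of the
# kind public reporting on Volt Typhoon associated with LOTL tradecraft
# (netsh port-proxy pivoting, ntdsutil AD database export, comsvcs LSASS dump).
EVENTS = [
    ProcEvent("2023-05-20T02:11:03Z", "HQ-WS09", "CORP\\helpdesk", "explorer.exe",
              "C:\\Windows\\System32\\netsh.exe", "netsh wlan show profiles"),
    ProcEvent("2023-05-20T02:14:41Z", "SITE-FS02", "CORP\\svc_backup", "cmd.exe",
              "C:\\Windows\\System32\\netsh.exe",
              "netsh interface portproxy add v4tov4 listenport=9999 "
              "connectport=8443 connectaddress=10.20.30.40"),
    ProcEvent("2023-05-20T02:16:09Z", "SITE-DC01", "CORP\\svc_backup", "wmic.exe",
              "C:\\Windows\\System32\\ntdsutil.exe",
              'ntdsutil "ac i ntds" ifm "create full C:\\Windows\\Temp\\pro" q q'),
    ProcEvent("2023-05-20T02:18:30Z", "SITE-DC01", "CORP\\svc_backup", "cmd.exe",
              "C:\\Windows\\System32\\rundll32.exe",
              "rundll32.exe C:\\Windows\\System32\\comsvcs.dll MiniDump 652 "
              "C:\\Windows\\Temp\\lsass.dmp full"),
    ProcEvent("2023-05-20T08:30:00Z", "HQ-WS17", "CORP\\alice", "explorer.exe",
              "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              "powershell.exe -NoProfile -File C:\\Scripts\\weekly_report.ps1"),
]

# Command-line rules: (name, pattern, why it matters). They match behaviour,
# never file identity, so a renamed or re-signed binary changes nothing.
RULES = [
    ("netsh_portproxy_pivot", re.compile(r"\bportproxy\s+add\b", re.I),
     "netsh portproxy turns this host into a traffic relay for lateral movement"),
    ("ntdsutil_ad_dump",
     re.compile(r"\bntdsutil\b.*\bifm\b.*\bcreate\s+full\b", re.I),
     "ntdsutil IFM export copies NTDS.dit for offline credential extraction"),
    ("comsvcs_lsass_dump", re.compile(r"\bcomsvcs\.dll\b.*\bMiniDump\b", re.I),
     "rundll32 + comsvcs.dll MiniDump writes process memory (typically LSASS) to disk"),
]

# Context rule: native admin tools launched by the WMI provider usually mean
# remote execution ("wmic /node:... process call create"), which regexes on
# the child's own command line would never see.
WMI_PARENTS = {"wmic.exe", "wmiprvse.exe"}
ADMIN_TOOLS = {"ntdsutil.exe", "netsh.exe", "powershell.exe", "cmd.exe",
               "vssadmin.exe", "reg.exe"}


def detect(events):
    """Return one alert per (event, rule) hit. Image hashes are never consulted."""
    alerts = []
    for ev in events:
        for name, pattern, why in RULES:
            if pattern.search(ev.cmdline):
                alerts.append({"rule": name, "ts": ev.ts, "host": ev.host,
                               "user": ev.user, "why": why})
        image_name = ev.image.lower().rsplit("\\", 1)[-1]
        if ev.parent.lower() in WMI_PARENTS and image_name in ADMIN_TOOLS:
            alerts.append({"rule": "native_tool_spawned_via_wmi", "ts": ev.ts,
                           "host": ev.host, "user": ev.user,
                           "why": f"{image_name} started by {ev.parent} (remote WMI execution)"})
    return alerts


def chain_by_account(alerts, min_rules=2):
    """Group alerts by account across hosts. One LOTL command is often an admin
    doing their job; several distinct techniques under one account, especially
    spanning hosts, is an intrusion in progress and the cue to isolate."""
    rules_by_user = {}
    for a in alerts:
        rules_by_user.setdefault(a["user"], set()).add(a["rule"])
    return {user: sorted(rules) for user, rules in rules_by_user.items()
            if len(rules) >= min_rules}


if __name__ == "__main__":
    found = detect(EVENTS)
    for a in found:
        print(f"{a['ts']} {a['host']} {a['user']}: {a['rule']} ({a['why']})")
    for user, rules in chain_by_account(found).items():
        print(f"\nCONTAIN: {user} chained {len(rules)} LOTL techniques: {', '.join(rules)}")
```

Run as a script, the helpdesk technician’s `netsh wlan show profiles` and the scheduled PowerShell report produce nothing, while the `svc_backup` account accumulates four distinct techniques across two hosts, which is the signal to cut that account and segment off rather than wait for a file hash that will never appear. A hash-based allowlist would have passed every one of these executions, because every image is a stock Windows binary; the rule set here is a starting point, and in production it would be tuned against the organisation’s own baseline of who legitimately runs these tools and from which parents.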
The Volt Typhoon wake-up call

Today’s columnist, Ronen Ahdut of Cynet, writes that Volt Typhoon’s recent cyberattack on the strategic island of Guam should serve as a wake-up call to all security pros who manage critical infrastructure. (Stock Photo, Getty Images)