Federal agencies called on all organizations today to urgently implement a series of cybersecurity actions after discovering that a China-based hacking group has compromised the IT environments of multiple U.S. critical infrastructure organizations – with the end goal of a future cyberattack.
The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), FBI, Department of Energy (DoE), Environmental Protection Agency (EPA), and Transportation Security Administration (TSA) issued a joint cybersecurity advisory today – along with four international partners – on the malicious cyber activity, as well as joint guidance to provide threat detection information and mitigations.
The advisory explains that a People’s Republic of China (PRC) state-sponsored cyber actor, known as Volt Typhoon, has maintained footholds in some victim IT environments “for at least five years.” The warning comes after the agencies first flagged Volt Typhoon activity in May 2023 and after last week’s hearing on the threat.
“Our evidence strongly suggests that the PRC actors are pre-positioning to launch future disruptive or destructive cyberattacks that could cause impact to national security, economic security, or public health and safety,” Eric Goldstein, CISA’s executive assistant director for cybersecurity, told reporters today.
Goldstein explained that Volt Typhoon is using “living off the land techniques” to avoid detection, which means the actors are using legitimate credentials and network or administrative management tools.
Because these techniques make it more difficult for network defenders to detect this activity, Goldstein said there may be “a significant number of victimized organizations around the country” that still need to identify and remediate these intrusions.
“It’s for this reason,” Goldstein said, that the agencies released “a set of joint guidance focused on detecting and mitigating living off the land activity more generally, whether perpetrated by Volt Typhoon actors or other malicious actors.”
Cynthia Kaiser, deputy assistant director of the Cyber Division at the FBI, told reporters that Volt Typhoon’s targets include numerous sectors, including communications, manufacturing, utilities, transit, transportation, construction, maritime, government IT, and education.
The group is targeting major critical infrastructure – such as the electrical grid, water treatment plants, oil and natural gas pipelines, and transportation systems – something Kaiser said “is really concerning.”
“The way many of these compromises were shaped, like specifically seeking access to operational networks, indicates the only reasonable intention by the government of China was to precondition or learn useful information in pursuit of a future cyberattack,” Kaiser said.
“But perhaps even more concerning is that Volt Typhoon is certainly not the only Chinese group conducting this type of activity,” she stressed.
Kaiser said that the only way the FBI knows about “many critical infrastructure entities compromised by the Chinese” is because of FBI collection under Section 702 of the Foreign Intelligence Surveillance Act (FISA).
“It is imperative that net defenders review the mitigation guidance contained in the advisory and guide and contact the FBI or our U.S. government partners if you suspect any malicious activity,” she said.
Specifically, the guidance calls out three critical actions for network defenders to take today:
- Apply patches for internet-facing systems, prioritizing patching critical vulnerabilities in appliances known to be frequently exploited by Volt Typhoon;
- Implement phishing-resistant multi-factor authentication (MFA); and
- Ensure logging is turned on for application, access, and security logs and store logs in a central system.
“The PRC cyber threat is not theoretical: leveraging information from our government and industry partners, CISA teams have found and eradicated Volt Typhoon intrusions into critical infrastructure across multiple sectors. And what we’ve found to date is likely the tip of the iceberg,” said CISA Director Jen Easterly.