Volt Typhoon: A Multi-Year Chinese Cyber Assault on Critical Infrastructure

In a very public fashion, FBI Director Christopher Wray recently discussed the extent of China’s ongoing hacking campaign, known as Volt Typhoon. The campaign, as reported by Reuters on April 18th, 2024, has targeted numerous American companies operating in critical sectors such as telecommunications, energy, water, and more. Wray highlighted that 23 pipeline operators have been among the primary targets, underscoring the severity of the threat posed by this insidious cyber operation.

“[China’s] plan is to land low blows against civilian infrastructure to try to induce panic,” remarked FBI Director Christopher Wray, shedding light on the malicious intent behind China’s concerted efforts to infiltrate vital systems that underpin the nation’s security and economy.

However, Volt Typhoon is not a novel attack orchestrated by China’s cyber apparatus. In fact, it represents the culmination of a multi-year effort by state-sponsored Chinese actors to undermine American cybersecurity defenses and sow chaos within critical infrastructure networks.

As early as June 2023, a Joint Cybersecurity Advisory titled “People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection” was published. This advisory served as a stark warning, signaling the persistent and evolving nature of China’s cyber threat landscape. The term “living off the land” refers to the tactic employed by cyber adversaries to leverage legitimate system tools and processes to evade detection by traditional security measures, making their malicious activities harder to detect and mitigate.
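Because living-off-the-land activity uses tools that administrators also run, detecting it means matching command-line patterns and then suppressing the uses that are expected in the environment. The following is an added example of that approach, not code from the original post or from the advisory; the event records, regex patterns and baseline are constructed for illustration.

```python
"""Flag living-off-the-land (LotL) activity in Windows process-creation events.

Added example, not code from the original post or the linked advisory. The
event records, the regex patterns and the baseline are constructed for
illustration; real deployments tune them to the environment's own baseline.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

@dataclass
class Event:
    host: str
    user: str
    cmdline: str

# Built-in Windows tools used legitimately by admins but also abused for
# proxying, credential access and obfuscated execution. The patterns are
# assumptions loosely modeled on the kind of tool usage the advisory describes.
LOTL_PATTERNS = {
    "port-proxy-setup": re.compile(r"netsh\s+interface\s+portproxy\s+add", re.I),
    "ntds-ifm-export": re.compile(r"ntdsutil.*\bcreate\s+full\b", re.I),
    "encoded-powershell": re.compile(r"powershell.*\s-(e|enc|encodedcommand)\s", re.I),
}

Hit = Tuple[str, str, str]  # (host, user, rule)

def detect(events: List[Event], baseline: FrozenSet[Tuple[str, str]] = frozenset()) -> List[Hit]:
    """Return hits for events matching a LotL pattern.

    Because these tools are legitimate, a plain signature fires on admins too;
    `baseline` holds (user, rule) pairs that are expected and are suppressed.
    """
    hits = []
    for ev in events:
        for rule, pat in LOTL_PATTERNS.items():
            if pat.search(ev.cmdline) and (ev.user, rule) not in baseline:
                hits.append((ev.host, ev.user, rule))
    return hits

# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    Event("ws01", "alice", "notepad.exe C:\\notes.txt"),
    Event("dc01", "svc_backup", 'ntdsutil "ac i ntds" ifm "create full C:\\ifm" q q'),
    Event("dc01", "jdoe", 'ntdsutil "ac i ntds" ifm "create full C:\\temp\\x" q q'),
    Event("srv03", "SYSTEM", "netsh interface portproxy add v4tov4 listenport=9999 connectport=443 connectaddress=192.0.2.10"),
    Event("ws05", "bob", "powershell.exe -NoP -W Hidden -enc SQBFAFgA"),
]
# The backup service account is expected to take IFM snapshots on dc01.
EXPECTED = frozenset({("svc_backup", "ntds-ifm-export")})

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS, EXPECTED):
        print(hit)
```

Run without a baseline, the same events produce four hits; the baseline is what separates the expected administrative use from the anomalous one on the same host.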

The implications of Volt Typhoon extend far beyond cybersecurity. By targeting essential sectors such as telecommunications, energy, and water, China’s hacking campaign strikes at the heart of America’s critical infrastructure, posing a grave risk to national security and public safety.

The infiltration of 23 pipeline operators underscores the potential for catastrophic consequences should these attacks succeed in disrupting the flow of vital resources. The specter of panic looms large, as the integrity and reliability of essential services hang in the balance.

To combat the growing threat posed by Volt Typhoon and similar cyber offensives, a concerted effort from government agencies, private sector entities, and cybersecurity experts is required, and one is already under way. Collaboration and information sharing are paramount, as adversaries continue to exploit vulnerabilities and adapt their tactics to evade detection.

While enterprises and government agencies have endpoint detection capabilities, malicious actors continue to leverage Defense Evasion tactics (MITRE ATT&CK ID: TA0005) to bypass endpoint security technology. As seen in the Conti Leaks (page 7), malicious actors purchase endpoint security technologies and use them to test their malware before infecting a victim organization. Machine learning, behavioral analysis, and signature-based detection all require significant learning periods, and typically must have seen the malware multiple times before they can detect new variants of ransomware and wipers.

Investments in cybersecurity infrastructure, threat intelligence capabilities, and workforce training are essential to fortify defenses and enhance resilience against sophisticated cyber threats.

Director Wray’s continued public discussion of China’s ongoing hacking campaign, Volt Typhoon, serves as a sobering reminder of the ever-present dangers lurking in cyberspace.

For TTPs, IOCs, MITRE ATT&CK Techniques and more, visit the Joint Cybersecurity Advisory (TLP:CLEAR): https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF
