The US government and its allies have issued a warning about the potential for destructive cyber-attacks from Chinese state hackers on critical infrastructure sectors in the event of a military conflict. The warning comes from multiple agencies including the FBI, NSA, and CISA, as well as international partners such as the UK’s National Cyber Security Centre (NCSC). The advisory highlights the activities of the Chinese threat group Volt Typhoon, which has positioned itself in sectors including communications, energy, transportation, and water and wastewater. The US Cybersecurity and Infrastructure Security Agency (CISA) has urged all critical infrastructure organizations to review and implement the recommended actions listed in the advisory and to report any suspicious activity related to Volt Typhoon.
The joint advisory emphasizes that the cyber threat from China is real and states that “CISA teams have found and eradicated Volt Typhoon intrusions into critical infrastructure across multiple sectors.” However, the agencies believe that the incidents observed so far are likely just the tip of the iceberg. In response to the threat, the US government announced that it had disabled hundreds of routers compromised by Volt Typhoon in an effort to dismantle the group’s attack infrastructure.
China’s Ministry of State Security (MSS) is believed to be behind Volt Typhoon, which has been active since at least 2021. In October 2023, Microsoft warned that Chinese hacking groups, including Volt Typhoon, were ready to launch destructive attacks on critical infrastructure after successfully targeting it.
The joint advisory also warns of China’s advanced use of “living-off-the-land” techniques, in which threat actors rely on tools already present on the system so that their activity blends in with normal administration and evades detection. To help organizations identify and mitigate these techniques, the Five Eyes allies released additional guidance: implement logging and aggregate logs in an “out-of-band” centralized location, establish baselines of normal activity, reduce alert noise, implement application allow-listing, enhance network segmentation and monitoring, deploy authentication controls, and use user and entity behavior analytics (UEBA).
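The guidance above pairs two ideas, a baseline of normal activity and noise reduction, that are easy to state and less obvious to put into practice. The following added example (not code from the advisory or any of the issuing agencies) shows one way to apply them to process-creation logs: a known-good window is used to record which host, user, parent-process and image combinations are normal, and later events that launch a watched native binary outside that baseline are raised as alerts, with identical contexts aggregated into one alert rather than one per event. The pipe-delimited log format, the host and user names, and the list of watched binaries are all assumptions constructed for the example; a real deployment would take its baseline from centralized, out-of-band logs as the guidance recommends.

```python
"""
Baseline-driven detection of living-off-the-land activity over process-creation
logs. Added example; not code from the advisory or any agency tool. Every log
line, host, user and binary name below is constructed for illustration.
"""
from dataclasses import dataclass

# Native binaries worth watching when they appear in an unfamiliar context.
# This list is an assumption for the example, not one published with the advisory.
WATCHED_BINARIES = {
    "ntdsutil.exe", "netsh.exe", "wmic.exe", "certutil.exe",
    "powershell.exe", "vssadmin.exe",
}


@dataclass(frozen=True)
class ProcEvent:
    ts: str
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


def parse_line(line: str) -> ProcEvent:
    """Parse the constructed format: ts|host|user|parent_image|image|cmdline."""
    ts, host, user, parent, image, cmdline = line.split("|", 5)
    return ProcEvent(ts, host, user, parent.lower(), image.lower(), cmdline)


def build_baseline(lines):
    """Record every (host, user, parent, image) context seen in a known-good window."""
    baseline = set()
    for line in lines:
        ev = parse_line(line)
        baseline.add((ev.host, ev.user, ev.parent, ev.image))
    return baseline


def detect(lines, baseline):
    """Alert on watched binaries launched in a context absent from the baseline.

    Repeated events with the same context are folded into one alert with a
    count, which is the simplest form of the alert-noise reduction the
    guidance asks for.
    """
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev.image not in WATCHED_BINARIES:
            continue
        key = (ev.host, ev.user, ev.parent, ev.image)
        if key in baseline:
            continue  # seen during the known-good window: normal administration
        if key in alerts:
            alerts[key]["count"] += 1
        else:
            alerts[key] = {"first_seen": ev.ts, "count": 1, "sample_cmdline": ev.cmdline}
    return alerts


# Constructed known-good window: a scheduled backup script and routine admin use.
BASELINE_LINES = [
    "2024-02-01T08:00:00Z|dc01|SYSTEM|services.exe|powershell.exe|powershell.exe -File C:\\scripts\\backup.ps1",
    "2024-02-01T08:05:00Z|dc01|admin|cmd.exe|netsh.exe|netsh interface show interface",
    "2024-02-01T09:00:00Z|ws07|jdoe|explorer.exe|outlook.exe|outlook.exe",
]

# Constructed later window: one familiar context, two unfamiliar ones, one unwatched image.
NEW_LINES = [
    "2024-02-08T02:13:00Z|dc01|admin|cmd.exe|netsh.exe|netsh interface show interface",
    "2024-02-08T02:14:00Z|dc01|svc_backup|cmd.exe|ntdsutil.exe|ntdsutil.exe <arguments omitted>",
    "2024-02-08T02:14:30Z|dc01|svc_backup|cmd.exe|ntdsutil.exe|ntdsutil.exe <arguments omitted>",
    "2024-02-08T03:00:00Z|ws07|jdoe|winword.exe|powershell.exe|powershell.exe <arguments omitted>",
    "2024-02-08T03:05:00Z|ws07|jdoe|explorer.exe|outlook.exe|outlook.exe",
]


def run_example():
    """Build the baseline from the known-good window and score the later window."""
    return detect(NEW_LINES, build_baseline(BASELINE_LINES))


if __name__ == "__main__":
    for (host, user, parent, image), info in run_example().items():
        print(f"{host} {user}: {parent} -> {image} x{info['count']} "
              f"(first {info['first_seen']}) {info['sample_cmdline']}")
```

Two alerts come out of the sample data: a service account spawning ntdsutil.exe from cmd.exe on the domain controller (two events folded into one alert), and PowerShell launched from a word processor on a workstation. The routine netsh invocation by the administrator is suppressed because the identical context appeared in the baseline, which is exactly why the quality of the known-good window matters: a baseline captured after an intrusion began would silently whitelist the intruder's activity.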
The UK’s NCSC director of operations, Paul Chichester, emphasized the importance of organizations applying the protections and guidance provided to detect and mitigate any malicious activity found on their networks.
Commenting on the advisory, Paul Laudanski, director of security research at Onapsis, said that while the framework provided solid security best practices, organizations should broaden their scope beyond the highlighted areas to include overlooked vulnerabilities. He also warned against potential decoy attacks that could mask more insidious breaches.