TLDR: China’s advanced persistent threat group, Volt Typhoon, has shifted its focus from conventional espionage to targeting critical infrastructure in the United States, including communications, manufacturing, utilities, and transportation. The group’s tactics and techniques have allowed it to repeatedly breach defenses with ingenuity. China’s cyber adversaries can inflict significant damage on a nation’s infrastructure, as seen during the 2008 Russia-Georgia conflict. To defend against Volt Typhoon and similar threats, organizations should implement detailed logging, establish network baselines, adhere to risk management frameworks, prioritize patch management, and embrace comprehensive security frameworks such as NIST’s Cybersecurity Framework and the DoD’s CMMC program.
China’s advanced persistent threat group, Volt Typhoon, has shifted its focus from conventional espionage to targeting critical infrastructure in the United States, such as communications, manufacturing, utilities, and transportation. Volt Typhoon’s tactics, techniques, and procedures (TTPs) have allowed the group to repeatedly breach defenses with ingenuity over a five-year period. This strategic shift indicates that China is preparing for disruption in the event of significant conflict or crisis.
Re-examining past events raises unsettling implications. The 2003 Northeast blackout, previously attributed to technical failures, may have involved the use of a Chinese-deployed cyber worm known as “Welchia.” This discovery paints a picture of a long-engaged and potent adversary capable of disrupting critical U.S. infrastructure. Similarly, during the 2008 Russia-Georgia conflict, cyber-reconnaissance and attacks preceded conventional warfare, resulting in the decimation of Georgia’s critical infrastructure through Denial-of-Service (DoS) attacks.
To defend against APT groups like Volt Typhoon, organizations should implement best practices recommended by the Cybersecurity and Infrastructure Security Agency (CISA). These practices include detailed logging, storing logs in a centralized location with write-once, read-many capabilities, establishing network baselines, applying least privilege restrictions, and prioritizing risk management frameworks. Regular audits, penetration testing, and adherence to risk management best practices are crucial for maintaining a robust defense against living-off-the-land (LOTL) attacks.
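As an added illustration of the logging-and-baseline advice above (example code, not from CISA or the original article): it learns a per-host, per-account process baseline from a known-good window of constructed process-creation records and flags later events that deviate from it, which is how a living-off-the-land intrusion that uses only built-in tools becomes visible. The log format, hostnames and account names are assumptions.

```python
import re
from datetime import datetime
# Constructed process-creation records (not real telemetry): known-good window, then a later window.
BASELINE_LOGS = """\
2024-01-02T08:00:01 host=ws01 user=alice image=outlook.exe parent=explorer.exe
2024-01-02T08:05:11 host=ws01 user=alice image=excel.exe parent=explorer.exe
2024-01-02T09:12:45 host=srv01 user=svc_backup image=robocopy.exe parent=cmd.exe
2024-01-03T22:14:02 host=srv01 user=svc_backup image=robocopy.exe parent=cmd.exe
"""
OBSERVED_LOGS = """\
2024-01-10T08:02:17 host=ws01 user=alice image=excel.exe parent=explorer.exe
2024-01-10T03:41:09 host=ws01 user=alice image=netsh.exe parent=cmd.exe
2024-01-10T09:30:51 host=srv01 user=svc_backup image=ntdsutil.exe parent=cmd.exe
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                     r"image=(?P<image>\S+) parent=(?P<parent>\S+)$")

def parse(logs):
    """Turn log lines into dicts; malformed lines are skipped instead of crashing the pipeline."""
    events = []
    for line in logs.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["hour"] = datetime.fromisoformat(ev["ts"]).hour
            events.append(ev)
    return events

def build_baseline(events):
    """Baseline: (host, user, image, parent) tuples seen in the good window, plus each account's active hours."""
    combos, hours = set(), {}
    for ev in events:
        combos.add((ev["host"], ev["user"], ev["image"], ev["parent"]))
        hours.setdefault(ev["user"], set()).add(ev["hour"])
    return combos, hours

def find_deviations(combos, hours, events):
    """Flag events outside the baseline; built-in tools are legitimate, so only the deviation is the signal."""
    alerts = []
    for ev in events:
        reasons = []
        if (ev["host"], ev["user"], ev["image"], ev["parent"]) not in combos:
            reasons.append("process/parent never seen for this host+user")
        if ev["hour"] not in hours.get(ev["user"], set()):
            reasons.append("outside the account's usual hours")
        if reasons:
            alerts.append((ev["ts"], ev["host"], ev["user"], ev["image"], reasons))
    return alerts
```

In practice the baseline window comes from the centralized, write-once log store the text recommends, so an intruder cannot quietly rewrite "normal" after the fact.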
The adoption of a zero-trust architecture is imperative, as it changes how access to IT resources is granted and monitored. This approach ensures that authorized individuals are granted access to resources only just-in-time (JIT), minimizing the attack surface. Ongoing maintenance and swift response to threats are also essential for effective security. Prioritizing patch management based on risk, and focusing first on the critical assets at highest risk of attack, can help limit the damage caused by vulnerabilities.
Comprehensive security frameworks such as NIST’s Cybersecurity Framework and the DoD’s Cybersecurity Maturity Model Certification (CMMC) program can provide systematic guidance for defense enhancement. NIST’s Special Publication 800-53, particularly relevant to federal agencies that need to comply with FISMA, offers 160 security controls to implement risk management techniques. The CMMC, built upon NIST guidelines, sets the standard for third-party contractors working with the Defense Department in critical infrastructure and operational technology fields.
Improving security measures in both government agencies and the private sector is crucial. Risk management must become a foundational element of strategic cybersecurity planning. By acknowledging the severity of the threat and taking decisive steps to bolster defenses, organizations can protect critical infrastructure and enhance overall cybersecurity resilience.