CISA, the NSA, the FBI, and several other agencies in the U.S. and worldwide warned critical infrastructure leaders to protect their networks against the Chinese Volt Typhoon hacking group.
Together with the NSA, the FBI, other U.S. government agencies, and partner Five Eyes cybersecurity agencies from Australia, Canada, the United Kingdom, and New Zealand, CISA also issued defense tips on detecting and defending against Volt Typhoon attacks.
Last month, they also warned that Chinese hackers had breached multiple U.S. critical infrastructure organizations and maintained access to at least one of them for at least five years before being discovered.
Authorities have observed that the cyber espionage group Volt Typhoon’s targets and tactics differ from typical cyber espionage activity, suggesting their goal is to obtain access to Operational Technology (OT) assets within networks, which could be exploited to disrupt critical infrastructure.
U.S. authorities are concerned that this Chinese group may exploit such access to further disrupt critical infrastructure and cause disruptions during military conflicts or geopolitical tensions.
Today, CISA and partner U.S. government agencies (including the Department of Energy, the Environmental Protection Agency, the Transportation Security Administration, and the Department of Treasury) advised critical infrastructure leaders to empower their cybersecurity teams to make informed resourcing decisions, secure their supply chain, and ensure that performance management outcomes align with their organization’s cyber goals.
“Key best practices for your cybersecurity teams include ensuring logging, including for access and security, is turned on for applications and systems and logs are stored in a central system. Robust logging is necessary for detecting and mitigating living off the land,” the joint guidance says [PDF].
“Ask your IT teams which logs they maintain as certain logs reveal commands (referenced in the CSA) used by Volt Typhoon actors. If your IT teams do not have the relevant logs, ask which resources they may need to effectively detect compromise.”
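The guidance's logging advice comes down to a question a security team can answer mechanically: for every host in the inventory, are events reaching the central log store, and do they include process creation with the full command line, which is what living-off-the-land detection depends on? The script below is an added example written for this article, not code from CISA or the joint advisory. It assumes a simplified, constructed event schema (fields `host`, `event_id`, `command_line`); real SIEM field names differ. The one Windows-specific fact it relies on is that Security event ID 4688 (process creation) only carries the command line when the "Include command line in process creation events" audit policy is enabled, so a 4688 event with an empty command line is a real coverage gap.

```python
"""Coverage check for centrally collected process-creation logs (added example)."""
from collections import defaultdict

# Constructed sample of events forwarded to a central log store. Field names are
# an assumed, simplified schema, not any particular SIEM's. Only the fields the
# check needs are included.
SAMPLE_EVENTS = [
    {"host": "dc01", "event_id": 4688,
     "new_process": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "cmd.exe /c whoami"},
    {"host": "dc01", "event_id": 4624, "logon_type": 3},
    # fs02 audits process creation but the command-line policy is off: empty field.
    {"host": "fs02", "event_id": 4688,
     "new_process": "C:\\Windows\\System32\\svchost.exe", "command_line": ""},
    {"host": "fs02", "event_id": 4688,
     "new_process": "C:\\Windows\\System32\\svchost.exe", "command_line": ""},
    # ws17 forwards logons only; no process-creation auditing at all.
    {"host": "ws17", "event_id": 4624, "logon_type": 2},
]

# Constructed asset inventory; ot-gw01 appears in no event at all.
INVENTORY = ["dc01", "fs02", "ws17", "ot-gw01"]

PROCESS_CREATION = 4688  # Windows Security event ID for "a new process has been created"


def assess_coverage(events, inventory):
    """Return {host: status} for every inventoried host.

    Statuses, from worst to best:
      NOT_FORWARDING  - no events from this host reached the central store
      NO_PROCESS_AUDIT - events arrive, but no process-creation events
      NO_COMMAND_LINE  - 4688 events arrive, but the command line is never populated
      OK               - process creation with command line is being logged
    """
    counts = defaultdict(lambda: {"any": 0, "proc": 0, "cmdline": 0})
    for ev in events:
        c = counts[ev["host"]]
        c["any"] += 1
        if ev.get("event_id") == PROCESS_CREATION:
            c["proc"] += 1
            if ev.get("command_line"):
                c["cmdline"] += 1

    result = {}
    for host in inventory:
        c = counts[host]  # defaultdict yields zeros for hosts never seen
        if c["any"] == 0:
            result[host] = "NOT_FORWARDING"
        elif c["proc"] == 0:
            result[host] = "NO_PROCESS_AUDIT"
        elif c["cmdline"] == 0:
            result[host] = "NO_COMMAND_LINE"
        else:
            result[host] = "OK"
    return result


def coverage_gaps(events, inventory):
    """List the hosts that cannot support living-off-the-land detection yet."""
    return sorted(h for h, s in assess_coverage(events, inventory).items() if s != "OK")


if __name__ == "__main__":
    for host, status in assess_coverage(SAMPLE_EVENTS, INVENTORY).items():
        print(f"{host:10} {status}")
    print("hosts needing attention:", coverage_gaps(SAMPLE_EVENTS, INVENTORY))
```

Running it against the constructed sample reports `dc01` as OK, `fs02` as missing command lines, `ws17` as missing process auditing, and `ot-gw01` as not forwarding at all, which is exactly the list a team would take back to IT with the advisory's "which resources do you need" question. On a real deployment the same three checks are run against a query of the central store over a recent window rather than an in-memory list.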
Also tracked as Bronze Silhouette, Volt Typhoon has been targeting and breaching U.S. critical infrastructure organizations since at least mid-2021.
The Chinese hackers also used a botnet of hundreds of small office/home office (SOHO) routers across the U.S. (dubbed KV-botnet) throughout their attacks to hide their malicious activity and evade detection.
The FBI disrupted the group’s KV-botnet in December, but the hackers failed to rebuild it after Lumen’s Black Lotus Labs sinkholed the remaining C2 and payload servers.
After KV-botnet was dismantled, CISA and the FBI urged SOHO router manufacturers to secure their devices against Volt Typhoon attacks by using secure configuration defaults and eliminating web management interface flaws during development.