The Cybersecurity and Infrastructure Security Agency (CISA), along with the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and various other domestic and international agencies, has issued a warning to leaders in critical infrastructure.
The advisory urges them to take necessary measures to protect their systems against the Chinese hacking group known as Volt Typhoon.
CISA, NSA, FBI, and Others from Five Eyes Partner Countries Issue Advisory on Securing Critical Infrastructure
CISA, in collaboration with the NSA, FBI, and other U.S. government agencies, as well as cybersecurity agencies from Five Eyes partner countries (Australia, Canada, the United Kingdom, and New Zealand), has provided valuable defense tips to help detect and defend against Volt Typhoon attacks.
In a recent warning, it was revealed that Chinese hackers successfully infiltrated multiple critical infrastructure organizations in the U.S. These hackers managed to maintain their access to at least one of these organizations for a staggering five years before being discovered.
Authorities have noted that the tactics and targets of the cyber espionage group Volt Typhoon deviate from typical espionage activity. This suggests that its main objective is to gain access to Operational Technology (OT) assets within networks. If successful, the group could exploit these assets to disrupt critical infrastructure.
The U.S. authorities are particularly concerned that this Chinese group may exploit their access to further disrupt critical infrastructure. This could potentially occur during military conflicts or periods of geopolitical tensions.
The advisory emphasizes the importance of empowering cybersecurity teams to make informed decisions regarding resource allocation. This will enable organizations to effectively secure their supply chain and align performance management outcomes with their cybersecurity goals.
“Key best practices for your cybersecurity teams include ensuring logging, including for access and security, is turned on for applications and systems and logs are stored in a central system. Robust logging is necessary for detecting and mitigating living off the land,” the joint guidance says.
“Ask your IT teams which logs they maintain as certain logs reveal commands (referenced in the CSA) used by Volt Typhoon actors. If your IT teams do not have the relevant logs, ask which resources they may need to effectively detect compromise.”
The Volt Typhoon Cyber Syndicate
The hacking group known as Volt Typhoon, also identified as Bronze Silhouette, has been actively targeting and infiltrating critical infrastructure organizations in the United States since at least mid-2021. To conceal their malicious activities and avoid detection, the Chinese hackers utilized a botnet called KV-botnet, consisting of numerous small office/home office (SOHO) devices across the country.
In December, the FBI successfully disrupted the KV-botnet operated by the group. Despite their efforts, the hackers were unable to rebuild the botnet after Lumen’s Black Lotus Labs disrupted the remaining command and control (C2) servers and payload servers.
Following the dismantling of the KV-botnet, both CISA and the FBI have strongly encouraged manufacturers of small office/home office (SOHO) routers to enhance the security of their devices against Volt Typhoon attacks.
They emphasize the importance of implementing secure configuration defaults and eliminating any vulnerabilities in the web management interface during the development process. This proactive approach will help safeguard SOHO routers from potential exploits by the hacking group.