Chinese hackers have maintained “access and footholds” within critical U.S. infrastructure systems for “at least five years” before they were finally discovered, according to a new report from the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and “partners,” such as the U.S. Department of Energy (DOE), the Environmental Protection Agency (EPA), the Transportation Security Administration (TSA), and “Five Eyes” partner agencies from the allied nations of Australia, Canada, New Zealand and the U.K.
A Joint Cybersecurity Advisory was issued with a dire warning to critical infrastructure organizations: “People’s Republic of China (PRC) state-sponsored cyber actors are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.”
The “PRC state-sponsored cyber group known as Volt Typhoon (also known as Vanguard Panda, BRONZE SILHOUETTE, Dev-0391, UNC3236, Voltzite, and Insidious Taurus)” has “compromised the IT environments of multiple critical infrastructure organizations—primarily in Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors—in the continental and non-continental United States and its territories, including Guam,” the U.S. authoring agencies have confirmed.
“Volt Typhoon’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations,” the advisory reads, “and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions.”
According to the advisory, Volt Typhoon “relies on valid accounts and leverage[s] strong operational security, which combined, allows for long-term undiscovered persistence.”
“In fact, the U.S. authoring agencies have recently observed indications of Volt Typhoon actors maintaining access and footholds within some victim IT environments for at least five years,” according to CISA. “Volt Typhoon actors conduct extensive pre-exploitation reconnaissance to learn about the target organization and its environment; tailor their tactics, techniques, and procedures (TTPs) to the victim’s environment; and dedicate ongoing resources to maintaining persistence and understanding the target environment over time, even after initial compromise.”
In a press release, CISA explained that PRC actors such as Volt Typhoon employ “sophisticated types of techniques” known as “living off the land.”
“By using ‘living off the land’ techniques, PRC cyber actors blend in with normal system and network activities, avoid identification by network defenses, and limit the amount of activity that is captured in common logging configurations,” the release states.
The accompanying guide describes how these techniques “abuse legitimate, native tools and processes on systems,” and it “identifies specific details on the actors’ tactics, techniques, and procedures (TTPs) using certain adversarial behavior patterns.”
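The practical consequence of “living off the land” is that there is no malware to signature: the binaries are the operating system’s own. Detection therefore has to ask whether a given account normally runs a given native tool, on that host, at that hour. The following is an added example, not code from CISA, the advisory, or the guide; it assumes a simplified process-creation event format (constructed here), a small illustrative list of native Windows administration tools, and a fixed cutoff date that separates a trusted baseline window from the period under review.

```python
"""Baseline-deviation detection for living-off-the-land activity.

Added example (not CISA's or the advisory's code). Assumptions: events are
"timestamp|host|user|image|command line" lines, the tool list below is an
illustrative set rather than anything taken from the advisory, and activity
before BASELINE_CUTOFF is trusted as that account's normal behaviour.
"""
from collections import defaultdict
from datetime import datetime

# Native tools an administrator legitimately uses and an intruder can abuse.
# Illustrative set (assumption), not a list from the advisory or guide.
NATIVE_ADMIN_TOOLS = {"cmd.exe", "powershell.exe", "wmic.exe", "netsh.exe", "net.exe"}

# Constructed sample events. Days 1-2 form the baseline; day 3 is reviewed.
# Bob runs a patch script from the same server every morning (normal).
# Alice, a finance user, suddenly runs discovery commands at 02:00 and touches
# a domain controller: nothing malicious in the binaries, only in the pattern.
SAMPLE_EVENTS = """\
2024-01-01T08:01:00|ws-fin-01|alice|excel.exe|excel.exe /e
2024-01-01T09:15:00|srv-it-01|bob|powershell.exe|powershell.exe -File patch.ps1
2024-01-02T08:03:00|ws-fin-01|alice|excel.exe|excel.exe /e
2024-01-02T09:20:00|srv-it-01|bob|powershell.exe|powershell.exe -File patch.ps1
2024-01-03T02:14:00|ws-fin-01|alice|cmd.exe|cmd.exe /c net group "Domain Admins" /domain
2024-01-03T02:15:00|ws-fin-01|alice|wmic.exe|wmic.exe process list brief
2024-01-03T02:40:00|dc-01|alice|netsh.exe|netsh.exe interface show interface
2024-01-03T09:18:00|srv-it-01|bob|powershell.exe|powershell.exe -File patch.ps1
"""

BASELINE_CUTOFF = datetime(2024, 1, 3)  # assumption: start of the review window


def parse_events(text):
    """Parse the constructed pipe-delimited format into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, image, cmdline = line.split("|", 4)
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "user": user, "image": image.lower(), "cmdline": cmdline})
    return events


def build_baseline(events, cutoff):
    """Per account: which (host, image) pairs and which hours of the day were
    observed before the cutoff. Everything before the cutoff is trusted."""
    pairs = defaultdict(set)
    hours = defaultdict(set)
    for ev in events:
        if ev["time"] < cutoff:
            pairs[ev["user"]].add((ev["host"], ev["image"]))
            hours[ev["user"]].add(ev["time"].hour)
    return pairs, hours


def detect_deviations(events, cutoff):
    """Flag native-tool executions after the cutoff that do not match the
    account's own baseline. An account with no baseline at all gets every
    native-tool execution flagged, which is the conservative choice.
    Returns a list of (time, user, host, image, reasons)."""
    pairs, hours = build_baseline(events, cutoff)
    findings = []
    for ev in events:
        if ev["time"] < cutoff or ev["image"] not in NATIVE_ADMIN_TOOLS:
            continue
        reasons = []
        if (ev["host"], ev["image"]) not in pairs[ev["user"]]:
            reasons.append("native tool never seen for this account on this host")
        if ev["time"].hour not in hours[ev["user"]]:
            reasons.append("outside the account's usual hours")
        if reasons:
            findings.append((ev["time"].isoformat(), ev["user"],
                             ev["host"], ev["image"], reasons))
    return findings


if __name__ == "__main__":
    for finding in detect_deviations(parse_events(SAMPLE_EVENTS), BASELINE_CUTOFF):
        print(finding)
```

Run as-is, the script flags only Alice’s three day-3 events and stays silent on Bob’s routine PowerShell use, even though PowerShell is the more “dangerous” tool in the abstract. That is the point: with valid accounts and native binaries, the signal is the deviation from an account’s own history, not the tool itself, and the baseline window must be long enough, and clean enough, to be trusted.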
According to CISA Director Jen Easterly, what they’ve managed to discover is “likely the tip of the iceberg.”
“The PRC cyber threat is not theoretical: leveraging information from our government and industry partners, CISA teams have found and eradicated Volt Typhoon intrusions into critical infrastructure across multiple sectors. And what we’ve found to date is likely the tip of the iceberg,” Easterly said.
“Today’s joint advisory and guide are the result of effective, persistent operational collaboration with our industry, federal, and international partners and reflect our continued commitment to providing timely, actionable guidance to all of our stakeholders,” she continued. “We are at a critical juncture for our national security. We strongly encourage all critical infrastructure organizations to review and implement the actions in these advisories and report any suspected Volt Typhoon or living off the land activity to CISA or FBI.”
As BizPac Review reported last week, FBI Director Christopher Wray sounded similar alarms before the House Select Committee during a hearing titled “The Chinese Communist Party Cyber Threat to the American Homeland and National Security.”
Wray sounds alarm over Chinese hackers preparing to ‘wreak havoc’ on US citizens, infrastructure: https://t.co/RlTapBuyhO (via @BIZPACReview, January 31, 2024)
“There has been far too little public focus on the fact that People’s Republic of China hackers are targeting our critical infrastructure – our water treatment plants, our electrical grid, our oil and natural gas pipelines, our transportation systems. And the risk that poses to every American requires our attention – now,” Wray warned lawmakers. “China’s hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if or when China decides the time has come to strike.”
According to the FBI chief, Chinese hackers are hitting the U.S. every single day, “actively attacking our economic security, engaging in wholesale theft of our innovation, and our personal and corporate data.”
“And they don’t just hit our security and economy,” Wray said. “They target our freedoms, reaching inside our borders, across America, to silence, coerce, and threaten our citizens and residents.”