Executive Summary
In May 2023, Microsoft and U.S. intelligence agencies identified a Chinese state-sponsored cyber group, Volt Typhoon, infiltrating critical infrastructure sectors in the United States, including communications, manufacturing, utilities, and transportation. Active since mid-2021, Volt Typhoon employed 'living-off-the-land' techniques, utilizing legitimate system tools to evade detection, and targeted systems in Guam, a strategic U.S. military hub. The group's activities aimed to gather intelligence and potentially disrupt critical communications between the U.S. and Asia during future crises. (techspot.com)
This incident underscores the persistent threat posed by state-sponsored cyber actors to national security. The use of stealthy techniques by Volt Typhoon highlights the need for enhanced detection and response capabilities within critical infrastructure sectors to mitigate potential disruptions and safeguard sensitive information.
Why This Matters Now
The Volt Typhoon incident highlights the ongoing and evolving threat of state-sponsored cyberattacks targeting critical infrastructure. As geopolitical tensions persist, the potential for such cyber operations to disrupt essential services and communications remains a significant concern, necessitating continuous vigilance and robust cybersecurity measures.
Attack Path Analysis
Volt Typhoon, a Chinese state-sponsored threat actor, initiated access to U.S. critical infrastructure by exploiting vulnerabilities in internet-facing Fortinet FortiGuard systems. Once inside, they escalated privileges by extracting credential hashes and moving them to remote locations for cracking. Utilizing 'living-off-the-land' techniques, they moved laterally across networks using legitimate administrative tools. They established command and control by routing traffic through compromised small office/home office (SOHO) network devices to obfuscate their origins. Data exfiltration was conducted by leveraging existing system features to transfer sensitive information without detection. The impact included prolonged undetected access, positioning for potential disruption of critical services.
Kill Chain Progression
Initial Compromise
Description
Volt Typhoon exploited vulnerabilities in internet-facing Fortinet FortiGuard systems to gain initial access to U.S. critical infrastructure networks.
MITRE ATT&CK® Techniques
Valid Accounts
Application Layer Protocol
Compromise Infrastructure: Network Devices
Supply Chain Compromise
Standard Application Layer Protocol
Spoof Reporting Message
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
NIST SP 800-53 – Cryptographic Key Establishment and Management
Control ID: SC-12
PCI DSS 4.0 – Cryptographic Key Management
Control ID: 3.6
NYDFS 23 NYCRR 500 – Encryption of Nonpublic Information
Control ID: 500.15
DORA – ICT Risk Management Framework
Control ID: Article 10
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
CISA Zero Trust Maturity Model 2.0 – Data Protection
Control ID: Pillar 3: Data
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Utilities
Critical infrastructure faces state-sponsored targeting with legacy OT systems lacking post-quantum cryptographic readiness, enabling harvest-now-decrypt-later attacks on power grids.
Oil/Energy/Solar/Greentech
Energy sector's interconnected OT environments vulnerable to Volt Typhoon-style infiltration, with encrypted traffic inspection gaps enabling long-term adversary positioning.
Government Administration
Regulatory frameworks demanding cryptographic attestations without adequate OT tooling create false security assurance while critical infrastructure remains exposed to quantum threats.
Industrial Automation
Manufacturing control systems with embedded firmware cryptography face post-quantum migration challenges, lacking processing power for modern encryption while maintaining availability requirements.
Sources
- Empty Attestations: OT Lacks the Tools for Cryptographic Readiness, https://www.darkreading.com/ics-ot-security/ot-lacks-tools-cryptographic-readiness
- Volt Typhoon targets US critical infrastructure with living-off-the-land techniques, https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
- U.S. and International Partners Publish Cybersecurity Advisory on People's Republic of China State-Sponsored Hacking of U.S. Critical Infrastructure, https://www.cisa.gov/news-events/news/us-and-international-partners-publish-cybersecurity-advisory-peoples-republic-china-state-sponsored
- Chinese state hackers infect critical infrastructure throughout the US and Guam, https://arstechnica.com/information-technology/2023/05/chinese-state-hackers-infect-critical-infrastructure-throughout-the-us-and-guam/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to exploit vulnerabilities, escalate privileges, move laterally, establish command and control, and exfiltrate data, thereby reducing the overall blast radius.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit vulnerabilities in internet-facing systems would likely be constrained, reducing the risk of initial unauthorized access.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges by accessing and transferring credential hashes would likely be constrained, reducing the risk of unauthorized privilege elevation.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally across networks using legitimate tools would likely be constrained, reducing the risk of widespread network compromise.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish command and control channels through compromised devices would likely be constrained, reducing the risk of persistent external communication.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data using existing system features would likely be constrained, reducing the risk of data loss.
The attacker's ability to maintain prolonged undetected access and position for service disruption would likely be constrained, reducing the risk of significant operational impact.
Impact at a Glance
Affected Business Functions
- Power Distribution
- Water Treatment
- Transportation Management
- Communication Networks
Estimated downtime: N/A
Estimated loss: N/A
Potential exposure of operational data related to critical infrastructure systems, including network configurations and access credentials.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement and enforce least privilege access.
- Deploy East-West Traffic Security controls to monitor and control internal network communications.
- Utilize Threat Detection & Anomaly Response systems to identify and respond to unusual activities promptly.
- Enforce Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.
- Ensure Encrypted Traffic (HPE) is utilized to protect data in transit and prevent interception.