Voltage Veil: Unveiling Cyber Intrusions in Critical Infrastructure
A joint advisory from CISA, the NSA, the FBI, and partner Five Eyes agencies reveals that the Chinese cyber-espionage group known as Volt Typhoon managed to infiltrate a critical infrastructure network in the United States and operated unnoticed for a minimum of five years before being detected.
Volt Typhoon hackers are notorious for their adept utilization of living off the land (LOTL) techniques during their assaults on critical infrastructure entities. Additionally, they employ stolen accounts and maintain robust operational security measures, enabling them to evade detection and sustain prolonged presence within compromised systems.
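Living off the land means the intruder runs the administration tools already present on the host, so there is no foreign binary to hash-match; with stolen credentials layered on top, each individual event looks like routine administration. One defensive angle is to baseline which native tools each account normally runs and on which hosts, then flag departures. The following Python is an added example written for this post, not code from the advisory or any agency tooling; the tool list, the account names and the process-creation records are all constructed for illustration.

```python
"""Added example: baseline per-account use of native Windows admin tools from
process-creation records and flag departures that fit living-off-the-land
activity on stolen credentials. Log lines and the tool list are constructed."""
import csv
import io
from collections import defaultdict

# Built-in Windows administration binaries that LOTL tradecraft tends to reuse.
# Assumed list for this example, not a statement about any one actor's toolkit.
NATIVE_ADMIN_TOOLS = {
    "netsh.exe", "wmic.exe", "ntdsutil.exe", "reg.exe", "schtasks.exe",
    "powershell.exe", "certutil.exe", "vssadmin.exe",
}

FIELDS = ("time", "host", "user", "image", "cmdline")

# Constructed baseline window: routine activity for two accounts.
BASELINE_LOG = """\
2024-01-08T09:02:11,HR-WS01,CORP\\jdoe,outlook.exe,outlook.exe
2024-01-08T09:15:40,FILE-SRV2,CORP\\ops_admin,reg.exe,reg query HKLM\\SYSTEM\\CurrentControlSet\\Services
2024-01-09T10:01:03,FILE-SRV2,CORP\\ops_admin,schtasks.exe,schtasks /query /fo LIST
2024-01-09T11:20:55,HR-WS01,CORP\\jdoe,excel.exe,excel.exe
"""

# Constructed review window: the same accounts, weeks later.
REVIEW_LOG = """\
2024-02-05T02:14:07,HR-WS01,CORP\\jdoe,powershell.exe,powershell -nop -c Get-ADUser -Filter *
2024-02-05T02:16:30,DC01,CORP\\jdoe,netsh.exe,netsh interface show interface
2024-02-05T08:30:12,FILE-SRV2,CORP\\ops_admin,reg.exe,reg query HKLM\\SYSTEM\\CurrentControlSet\\Services
2024-02-05T09:05:44,HR-WS01,CORP\\jdoe,outlook.exe,outlook.exe
"""


def parse_events(text):
    """Turn CSV process-creation records into dicts keyed by FIELDS."""
    reader = csv.reader(io.StringIO(text))
    return [dict(zip(FIELDS, row)) for row in reader if row]


def build_baseline(events):
    """Map each account to the native tools and hosts it was seen with."""
    profile = defaultdict(lambda: {"tools": set(), "hosts": set()})
    for e in events:
        profile[e["user"]]["hosts"].add(e["host"])
        image = e["image"].lower()
        if image in NATIVE_ADMIN_TOOLS:
            profile[e["user"]]["tools"].add(image)
    return profile


def find_anomalies(events, baseline):
    """Flag native-tool launches that are new for the account, or that come
    from a host the account was never seen on during the baseline window."""
    findings = []
    for e in events:
        image = e["image"].lower()
        if image not in NATIVE_ADMIN_TOOLS:
            continue  # ordinary application, outside this detector's scope
        prof = baseline.get(e["user"], {"tools": set(), "hosts": set()})
        reasons = []
        if image not in prof["tools"]:
            reasons.append("new native tool for account")
        if e["host"] not in prof["hosts"]:
            reasons.append("account not previously seen on host")
        if reasons:
            findings.append({"time": e["time"], "user": e["user"],
                             "host": e["host"], "image": image,
                             "reasons": reasons})
    return findings


def run_example():
    """Baseline from BASELINE_LOG, then review REVIEW_LOG."""
    baseline = build_baseline(parse_events(BASELINE_LOG))
    return find_anomalies(parse_events(REVIEW_LOG), baseline)


if __name__ == "__main__":
    for f in run_example():
        print(f["time"], f["user"], f["host"], f["image"], "; ".join(f["reasons"]))
```

Against the constructed records the routine `reg.exe` query by the operations account on its usual server is silent, while the user account that suddenly runs PowerShell and then appears on a domain controller with `netsh.exe` produces two findings. In practice the baseline window should be long enough to cover legitimate administrative cycles, and the flagged events are a triage queue for an analyst rather than a verdict, since a newly hired administrator produces the same pattern.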
The agencies stated, “Recent observations by U.S. authoring agencies indicate that Volt Typhoon operatives have maintained access to and footholds within certain victim IT environments for at least five years.”
The Chinese threat group has successfully breached numerous critical infrastructure organizations across the United States, with a particular focus on sectors such as communications, energy, transportation, and water/wastewater.
Their targets and tactics diverge from conventional cyber espionage activities, leading authorities to conclude with high confidence that the group aims to embed itself within networks providing access to Operational Technology (OT) assets, ultimately intending to disrupt critical infrastructure.
U.S. authorities express concerns about Volt Typhoon potentially leveraging this access to critical networks to cause disruptive effects, particularly amid potential military conflicts or geopolitical tensions.
“Volt Typhoon operatives aim to pre-position themselves on IT networks using living off the land (LOTL) techniques, ready for disruptive or destructive cyber activities against U.S. critical infrastructure in the event of a major crisis or conflict with the United States,” warned CISA.
Rob Joyce, NSA’s Director of Cybersecurity and Deputy National Manager for National Security Systems (NSS), remarked, “We’ve made strides in understanding Volt Typhoon’s scope, identifying compromises likely to impact critical infrastructure systems, fortifying targets against intrusions, and collaborating with partner agencies to counter PRC cyber actors.”
Accompanying today’s advisory is a technical guide detailing how to detect Volt Typhoon techniques and mitigate their impact on organizational networks.
The Chinese threat group, also known as Bronze Silhouette, has been targeting and infiltrating U.S. critical infrastructure since at least mid-2021, as reported by Microsoft in May 2023.
During their attacks, they’ve employed a botnet comprising hundreds of compromised small office/home office (SOHO) routers across the United States, dubbed the KV-botnet, to conceal their malicious activities and evade detection.
The FBI disrupted the KV-botnet in December 2023, and subsequent efforts by the hackers to rebuild were thwarted after Lumen’s Black Lotus Labs dismantled all remaining command-and-control (C2) and payload servers.
Upon disclosing the disruption of the KV-botnet, CISA and the FBI urged SOHO router manufacturers to enhance device protection against Volt Typhoon attacks by addressing web management interface vulnerabilities during development and implementing secure configuration defaults.
Happy Hunting!
— j1nx