AdvisoriesCISAAA24-038AFebruary 7, 2024
February 7, 2024
The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI), along with international partners, warn that the People's Republic of China (PRC) state-sponsored cyber group known as Volt Typhoon is targeting U.S. critical infrastructure across several sectors, including Communications, Energy, Transportation Systems, and Water and Wastewater Systems. These actors are pre-positioning themselves within IT networks, potentially for disruptive or destructive cyberattacks in the event of a crisis or conflict with the United States. Volt Typhoon uses sophisticated techniques, including leveraging valid accounts and living off the land (LOTL) tactics, to maintain long-term, undetected access and are capable of moving laterally to operational technology (OT) assets to disrupt functions. The advisory urges critical infrastructure organizations to apply recommended mitigations to disrupt Volt Typhoon's access and reduce the threat.
Malicious actors have been increasingly "living off the land," utilizing built-in tools and libraries within operating systems to facilitate their attacks. This approach minimizes the need for external malicious software, reducing their digital footprint and evading traditional antivirus detection mechanisms. Using native features for malicious purposes, particularly in ransomware campaigns, presents a unique challenge for cybersecurity defenses. It highlights the need for more advanced, behavior-based detection systems to identify and respond to abnormal activities, even when executed through legitimate system processes.
Be immediately notified of new advisories and associated security tests
