Transnational security agencies warn of Volt Typhoon cyber threat, emphasize cyber risk as core business risk

Transnational security agencies collaborated once more to issue a fact sheet alerting critical infrastructure leaders to the imminent threat posed by Volt Typhoon, a state-sponsored cyber actor from the People’s Republic of China (PRC), and the malicious activities associated with this group. The fact sheet also provides guidance to help prioritize the protection of critical infrastructure and functions. The authoring agencies urge leaders to recognize cyber risk as a core business risk; this recognition is both necessary for good governance and fundamental to national security.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and other U.S. government and international partners, delivers detailed information related to the group’s activity. It describes how the group has compromised U.S. organizations, especially in the communications, energy, transportation, and water and wastewater systems sectors. Titled ‘PRC State-Sponsored Cyber Activity: Actions for Critical Infrastructure Leaders,’ the fact sheet empowers cybersecurity teams to make informed resourcing decisions to better detect and defend against Volt Typhoon and other malicious cyber activity.

As a first step, organizations should use intelligence-informed prioritization tools, such as the Cybersecurity Performance Goals (CPGs) or guidance derived from a Sector Risk Management Agency (SRMA). The CPGs help leaders make strategic investments in a limited number of essential actions with high-impact security outcomes.

Secondly, organizations must focus on empowering and appropriately resourcing cybersecurity teams so they can effectively apply the detection and hardening best practices contained in previous guidance. Teams must also receive continuous cybersecurity training and skill development relevant to the threat environment. Continuous training ensures that staff have the capabilities needed to defend their unique environments and maintain good cyber hygiene.

Furthermore, organizations must develop comprehensive information security plans and conduct regular tabletop exercises. Leaders should ensure personnel from all business sections, including executive leadership, are involved in the development of the plan, sign off on it, and are aware of their roles and responsibilities. Additionally, they must ensure comprehensive and tested plans are in place and approved, enabling cybersecurity teams to make appropriate risk-informed decisions.

Organizations must also refresh and test plans on an appropriate basis, and test OT (operational technology) systems in manual mode. For smaller organizations without their own in-house cybersecurity teams, leaders should obtain managed security services that can carry out this guidance to maintain a sufficient cybersecurity posture.

The transnational fact sheet also called upon critical infrastructure organizations to ensure effective risk management policies are in place to minimize the likelihood of damage resulting from a compromise. They must also establish vendor risk management processes to evaluate and monitor third-party risks, ensuring that suppliers and partners adhere to strict security standards and that any foreign ownership, control, or influence (FOCI) is identified and managed, including consideration of, for example, the U.S. Department of Commerce Entity List and Unverified List.

It added that organizations must ensure those responsible for procurement exercise due diligence when selecting software, devices, cloud service providers (CSPs), and managed service providers (MSPs). They must use guidance, including the secure by design principles, to inform vendor selection and reduce the attack pathways available to threat actors. They must also ensure that the vendor has a patching plan in place that supports the organization and that the organization can support.

Another critical element of the fact sheet was the need to ensure performance management outcomes are aligned with the cyber goals of the organization, by encouraging collaboration between IT, OT, cloud, cybersecurity, supply chain, and business units to align security measures with business objectives and risk management strategies. The agencies also call for championing organizational cybersecurity risk assessments and audits to identify vulnerabilities and gaps in the security posture.

Additionally, organizations must engage with external cybersecurity experts and advisors for independent assessments and guidance tailored to the organization, and perform gap analysis on the findings. They must also increase awareness of social engineering tactics and foster a culture that encourages incident reporting.

Roger Grimes, data-driven defense evangelist at KnowBe4, highlighted in response to the CISA fact sheet that the success of these threats hinges on vulnerabilities in technical defenses such as firewalls, VPNs, and antivirus software. 

“Because bad things still get through our defenses all the time, training is needed,” he added in an emailed statement. “Everyone needs intense, continuous training in how to prevent and detect threats. Users need to understand how to spot social engineering attempts, how to mitigate them (i.e., delete, ignore, etc.), and how to appropriately report.” 

Highlighting that social engineering is involved in 70% – 90% of successful data breaches, and that this counts only the attacks that made it past every other defense, Grimes said that all employees need more training, yet most companies only do cybersecurity training once a year. “It is this fundamental gap between how we are so often successfully attacked and the resources (i.e., training) used to prevent the attack that allows hackers and their malware programs to be so successful for so long.”

Last month, the agencies published an advisory focused on the malicious activities carried out by Volt Typhoon, emphasizing the need for urgent action to protect critical infrastructure from compromise and from the actors’ maintenance of persistent access. The advisory highlighted that the use of living off the land (LOTL) techniques is a hallmark of Volt Typhoon actors’ malicious cyber activity when targeting critical infrastructure.
