Volt Typhoon leads Moody’s to mark critical infrastructures as ‘credit negative,’ as risk more acute for OT security

Recently identified stealthy and targeted malicious activity against U.S. critical infrastructure organizations, carried out by a Chinese state-sponsored hacker group called Volt Typhoon, has raised event risks for critical infrastructure assets in the nation, Moody’s Investors Service disclosed. These details led the risk assessment firm to conclude that the cyber intrusions increase event risks for U.S. critical infrastructure assets, which it considers to carry a higher risk than any other sector, and to mark the activity as ‘credit negative’ for the affected infrastructure.

According to a joint cybersecurity advisory (CSA) issued by U.S. security agencies and international cybersecurity authorities, and to details released by Microsoft that uncovered the malicious activity, Volt Typhoon’s recent activities have infiltrated critical U.S. infrastructure networks. The U.S. authorities warn that Volt Typhoon could apply the same techniques against other sectors worldwide.

In its latest ‘Credit Outlook’ published Monday, Moody’s said that the CSA’s advisory about the risks to critical infrastructure assets, “which we consider have higher risk than any other sector, is credit negative for the affected infrastructure, as well as US communications, energy, utility, and transportation sectors since it exposes their vulnerability to unauthorized system use, which can affect operations.” 

The firm added that a cyber disruption could lead to reduced revenue and liquidity during an event, as well as longer-term reputational harm, increased regulatory oversight, and litigation exposure.

The outlook also added that for critical infrastructure, “credit risk is more acute for operating technology (OT) security rather than information technology (IT) security since operational attacks can result in a long-term service outage, the destruction of property, plant and equipment or even impaired safety responses that threaten workforce health. However, we anticipate less differentiation between the two systems going forward since we believe that sophisticated threat actors such as state-sponsored entities can navigate from IT to OT.”

Moody’s also pointed out that in the advisory, the authorities described Volt Typhoon using built-in network administration tools accessed through small office/home office network devices, which helps it evade detection. “Prolonged periods of undetected access could provide the threat actor with valuable information or the ability to disrupt communication or operations at a later date.” 

The CSA also provided examples of techniques and tools that Volt Typhoon used to breach and move through infrastructure systems, in order to increase visibility into the threat and equip operators to identify network artifacts of Volt Typhoon’s activity. The authorities offered various mitigation techniques to improve critical infrastructure entities’ cyber posture and security.

“We view the CSA as providing incremental clarity and information that will help critical infrastructure operators hunt for and identify threat actor activity on their networks,” Moody’s outlined in the document. “This is particularly helpful for small operators that often lack the financial resources or sophistication to have state-of-the-art cyber defenses.”

In its September 2022 cyber heat map, Moody’s identified five sectors as having ‘Very High’ cyber risk, all of which fall under CSA critical infrastructure categories. “The sectors are regulated and self-regulated utilities with generation; electric and gas transmission and distribution utilities; unregulated utilities with power companies; water and wastewater utilities and not-for-profit hospitals.”

Last week, threat intelligence company Mandiant detected novel OT/ICS-oriented malware, tracked as CosmicEnergy, uploaded to a public malware scanning utility in December 2021 by a submitter in Russia. The malware is designed to cause electric power disruption by interacting with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs), that are commonly leveraged in electric transmission and distribution operations in Europe, the Middle East, and Asia.