China's Cyberattackers Maneuver to Disrupt US Critical Infrastructure

Published: 23/11/2024   Category: security




Lurking for 5 years, Volt Typhoon is positioning itself to physically disrupt and cripple US critical infrastructure by gaining access to operational technology networks in the energy, water, communications, and transportation sectors, according to CISA.



The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a report detailing how the China-backed Volt Typhoon advanced persistent threat (APT) is consistently targeting highly sensitive critical infrastructure, with new information on the cyberattackers' pivot to operational technology (OT) networks once they've burrowed inside.

Given that the OT network is responsible for the physical functions of industrial control systems (ICS) and supervisory control and data acquisition (SCADA) equipment, the findings clearly corroborate the ongoing suspicion that Chinese hackers are looking to be able to disrupt critical physical operations in energy, water utilities, communications, and transportation, presumably to cause panic and discord in the event of a kinetic conflagration between the US and China.
"Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions," according to CISA's Volt Typhoon advisory. "[We] are concerned about the potential for these actors to use their network access for disruptive effects in the event of potential geopolitical tensions and/or military conflicts."
It's an important set of revelations, according to John Hultquist, chief analyst at Mandiant Intelligence/Google Cloud.

"Previously, we could deduce from targeting that the actor had a strong interest in critical infrastructure that had little intelligence value," he said in an emailed analysis. "But the CISA report shows that Volt Typhoon is gathering information on, and even penetrating, OT systems — the highly sensitive systems that run the physical processes at the heart of critical infrastructure," he added. "Under the right conditions, OT systems could be manipulated to cause major shutdowns of essential services, or even to create dangerous conditions."

Hultquist added, "If there was any skepticism as to why this actor is carrying out these intrusions, this revelation should put it to rest."
CISA also revealed today that Volt Typhoon (aka Vanguard Panda, Bronze Silhouette, Dev-0391, UNC3236, Voltzite, and Insidious Taurus) has secretly hidden in US infrastructure for half a decade — even though they were first publicly outed by Microsoft only last year.
"Unlike ransomware operators whose goal is to get in and cause damage quickly, this nation-state operator is leveraging valid accounts and living off the land [LOTL] techniques to evade detection for long periods of time," Ken Westin, field CISO at Panther Lab, said in an emailed comment. "These methods allow the group to monitor their targets and provide a foothold to cause kinetic damage."
To boot, the APT also "relies on valid accounts and leverage[s] strong operational security, which ... allows for long-term undiscovered persistence," CISA explained. "Volt Typhoon actors conduct extensive pre-exploitation reconnaissance to learn about the target organization and its environment; tailor their tactics, techniques, and procedures (TTPs) to the victim's environment; and dedicate ongoing resources to maintaining persistence and understanding the target environment over time, even after initial compromise."
While Volt Typhoon's strategy of staying hidden by using legitimate utilities and blending in with normal traffic isn't a new phenomenon in cybercrime, it does make it difficult for potential targets to actively scan for malicious activity, according to CISA, which issued extensive LOTL guidance today for doing just that.
Meanwhile, an infrastructure update, even though it could in some cases require a costly and labor-intensive forklift replacement, might not go amiss either.

"Many of the OT environments being targeted are notorious for running outdated software, either out of negligence or necessity if the systems cannot be updated, which increases the risk posed by this threat," Westin said.
Worryingly, CISA also noted that the danger extends beyond the US. Last month, SecurityScorecard's STRIKE team identified new infrastructure linked to Volt Typhoon that indicated the APT was also targeting Australian and UK government assets. The CISA report broadens that risk to also include Canada and New Zealand — all of these US partners' infrastructure "is also susceptible to nation-state actors," it warned.
CISA's advisory comes on the heels of a government action to disrupt the group's small office/home office (SOHO) router botnet, which it used to throw off those tracking its activity. In a bit of good news, according to researchers at Lumen's Black Lotus Labs this week, the group has so far failed to revive the botnet.
