CISA urges defensive actions against Volt Typhoon threats

CISA warned of the "urgent risk" posed by Chinese state-sponsored threat actors against critical infrastructure organizations and urged their leaders to take defensive actions.

In a fact sheet Tuesday, published jointly with the National Security Agency, the FBI, and other domestic and international government partners, CISA provided an overview of how critical infrastructure leaders can defend against risks posed by the Chinese nation-state threat actor tracked as Volt Typhoon.

The fact sheet followed a previous security advisory published on Feb. 7 in which CISA said Volt Typhoon had access to certain U.S. critical infrastructure organizations for five years. This advisory was a follow-up to the late January announcement that the U.S. government disrupted a botnet of small office/home office routers used by the threat actor. Although the government managed to wipe out this botnet of primarily end-of-life Cisco and Netgear routers, Volt Typhoon remains a threat.

In the fact sheet, CISA emphasized Volt Typhoon's penchant for living-off-the-land techniques -- using legitimate tools and built-in functions of a system to conduct attacks without using malware. As a result, the cyberagency advised organizations to apply effective detection and hardening best practices such as implementing detailed logging.

"Volt Typhoon does not rely on malware to maintain access to networks and conduct their activity," CISA said. "Rather, they use built-in functions of a system. This technique, known as 'living off the land,' enables them to easily evade detection. To protect against living off the land, organizations need a comprehensive and multifaceted approach."

In addition, CISA said critical infrastructure leaders should conduct tabletop exercises and develop information security plans.

"Leaders should ensure personnel from all business sections, including executive leadership, are involved in development of the plan, sign off on it, and are aware of their roles and responsibilities," the advisory read. "Ensuring comprehensive and tested plans are in place and approved enables cybersecurity teams to make appropriate risk-informed decisions."

In a section dedicated to securing an organization's supply chain, the fact sheet advised establishing strong vendor risk management processes "to evaluate and monitor third-party risks." For those involved in procurement, CISA said these leaders should use secure-by-design principles to inform decision-making related to which hardware and software vendors to work with.

CISA also said critical infrastructure leaders should foster a strong cybersecurity culture by championing risk assessments and audits, engaging with external security experts, and increasing awareness of social engineering tactics. The agency encouraged "collaboration between IT, OT, cloud, cybersecurity, supply chain, and business units to align security measures with business objectives and risk management strategies."

TechTarget Editorial contacted CISA for additional comment, but the agency had not responded at press time.

This fact sheet is the latest in a series of alarms sounded by the U.S. government regarding nation-state threats to critical infrastructure. On March 18, Environmental Protection Agency Administrator Michael Regan and Jake Sullivan, White House national security adviser, published an open letter to state governors about cyberattacks striking water and wastewater plants.

"Drinking water and wastewater systems are an attractive target for cyberattacks because they are a lifeline critical infrastructure sector but often lack the resources and technical capacity to adopt rigorous cybersecurity practices," the letter read. "As the Sector Risk Management Agency identified in Presidential Policy Directive 21 for water and wastewater systems, the U.S. Environmental Protection Agency (EPA) is the lead Federal agency for ensuring the nation's water sector is resilient to all threats and hazards."

In addition to Volt Typhoon, Regan and Sullivan noted that the Iranian government's Islamic Revolutionary Guard Corps has also carried out cyberattacks against U.S. critical infrastructure. They emphasized the need for support from state governors to help identify weaknesses and improve cybersecurity practices at critical infrastructure organizations to better defend against such threats.

"Partnerships with State, local, tribal, and territorial governments are critical for EPA to fulfill this mission," they wrote. "In that spirit of partnership, we ask for your assistance in addressing the pervasive and challenging risk of cyberattacks on drinking water systems."

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.