A major Chinese state-sponsored threat actor was lurking on the networks of critical US infrastructure firms for years, a newly released advisory has claimed.
The advisory, published by the Cybersecurity and Infrastructure Security Agency (CISA), the NSA, the FBI, and Five Eyes agencies, claims the group, known as Volt Typhoon, compromised, and then dwelled on networks of multiple critical infrastructure organizations in the country for at least five years.
They were able to do that by living off the land (LOTL) and using stolen accounts, the organizations said.
Positioning for action
"In fact, the U.S. authoring agencies have recently observed indications of Volt Typhoon actors maintaining access and footholds within some victim IT environments for at least five years," the statement said.
Another hallmark of Volt Typhoon’s approach to cyber-espionage is “extensive pre-exploitation reconnaissance”, which helps the threat actor learn much about the target organizations and their environment. With this knowledge, the group tweaks their tactics, techniques and procedures (TTP) and allocates proper resources to the campaign.
Of all the compromised organizations, most are in communications, energy, transportation, and water/wastewater industries.
The goal of this campaign wasn’t just to monitor the activities and steal sensitive information - the group was also positioning for disruptive action, if need be. According to the advisory, should the conflict between the US and China escalate, the group would be properly positioned to disrupt their adversary’s critical infrastructure.
"This is something we have been addressing for a long time," Rob Joyce, NSA's Director of Cybersecurity and Deputy National Manager for National Security Systems (NSS) told BleepingComputer.
"We have gotten better at all aspects of this, from understanding Volt Typhoon's scope, to identifying the compromises likely to impact critical infrastructure systems, to hardening targets against these intrusions, to working together with partner agencies to combat PRC cyber actors."
More from TechRadar Pro
- Stealthy new botnet targets VPN devices and routers while staying disguised
- Here's a list of the best firewalls around today
- These are the best endpoint security tools right now