Joint Security Advisory: Addressing Threats to U.S. Critical Infrastructure

On February 7, 2024, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory (CSA), “PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure,” raising concerns about ongoing compromises of U.S. critical infrastructure by Volt Typhoon, a Chinese state-sponsored malicious actor.

The Advisory states: “Volt Typhoon actors are seeking to pre-position themselves—using living off the land (LOTL) techniques—on IT networks for disruptive or destructive cyber activity against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.” The advisory provides actionable information from U.S. incident response activity that can help all organizations:

  1. Recognize Volt Typhoon techniques,
  2. Assess whether Volt Typhoon techniques have compromised your organization,
  3. Secure your networks from these adversarial techniques by implementing recommended mitigations.

The agencies recommend the following mitigation actions:

  1. Apply patches for internet-facing systems. Prioritize patching critical vulnerabilities in appliances known to be frequently exploited by Volt Typhoon.
  2. Implement phishing-resistant MFA.
  3. Ensure application, access, and security logging is enabled, and store logs in a central system.

The severity of the threat underscores the need for robust and ongoing cybersecurity measures. Further guidance from the agencies about mitigation and uncovering similar malicious activity can be found in this supplement: Joint Guidance: Identifying and Mitigating Living off the Land Techniques.

The threat from Volt Typhoon’s malicious cyber activity was highlighted in an article titled “China’s Calculated Cyber Offensive: Unmasking the Urgent Threat.”

The severity of the threat was highlighted when a joint cybersecurity advisory was issued on May 24, 2023, by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and international partners. Microsoft made a significant announcement that same day saying, “Microsoft has uncovered stealthy and targeted malicious activity focused on post-compromise credential access and network system discovery aimed at critical infrastructure organizations in the United States. The attack is carried out by Volt Typhoon, a state-sponsored actor based in China that typically focuses on espionage and information gathering.”

These persistent threats serve as a stark reminder to remain vigilant and implement proactive security measures to safeguard critical infrastructure and data. We discuss ways to spot and mitigate risk in our Cyber Security coursework, found here.