China’s Volt Typhoon APT: Unearthing Deeper Threats to US Critical Infrastructure

The Growing Concerns of Cybersecurity Threats to the US Military

Chinese Malware Infests Critical US Networks

The US military is currently facing two significant cybersecurity concerns. The first is a widespread and still unresolved Chinese cyber campaign known as Volt Typhoon, which targets the networks that serve military bases. The second is an insider breach that has affected the radio communications of the Air Force and the FBI.

Recent reporting indicates that the malware associated with Volt Typhoon is far more extensive than previously thought. Responders have found it planted within multiple networks controlling the communications, power, and water supply to US military bases worldwide. Because those same networks also serve ordinary businesses and individuals, the full extent of the infestation is difficult to assess, and remediation cannot be confined to military-owned assets.

The Chinese state-sponsored advanced persistent threat (APT) behind Volt Typhoon, also tracked as "Vanguard Panda," gained wide attention in May 2023 when Microsoft reported the group's activity in Guam, a strategically significant site for the defense of Taiwan against Chinese aggression. Microsoft assessed that the campaign aimed to build the capability to disrupt critical communications infrastructure between the United States and the Asia region during a future crisis.

Further investigation suggests that Volt Typhoon's objective may extend beyond disrupting military operations to degrading civilian life more broadly in the event of a conflict. The prospect of pre-positioned access being used to handicap military response and supply chains is a cause for alarm. Experts and officials interviewed in the New York Times article describe the campaign as a "ticking time bomb."

Former FBI Cyber Division special agent and current global head of professional services at BlueVoyant, Austin Berglas, notes that China's infiltration of critical US networks does not come as a surprise, considering its continuous efforts to exploit various sectors for political, social, and economic advantage. However, the introduction of destructive malware into its toolkit raises concerns about potential retaliatory strikes or future attacks with similar capabilities.

Insider Attack Compromises Air Force and FBI Communications

A separate cybersecurity incident involved an insider breach within the US Air Force. According to Forbes, a 48-year-old engineer at Arnold Air Force Base in Tullahoma, Tennessee, allegedly gained unauthorized access to radio communications technologies used by the Air Education and Training Command (AETC), which is responsible for recruitment and training. The engineer took an estimated $90,000 worth of radio equipment home.

During a subsequent raid, investigators found an open computer running Motorola radio programming software that contained the entire communications system of Arnold Air Force Base (AAFB). Investigators also found evidence of access to privileged communications of the FBI and Tennessee state agencies.

Austin Berglas points out that the impact on other agencies, such as the FBI, is not surprising. He explains that while organizations like the FBI and Air Force may practice stringent zero-trust policies, they still face insider threats and supply chain risks similar to any other organization. In this case, the need to provide classified access to state and local partners increases the potential for vulnerabilities in their systems.

Securing classified information requires enabling individual and agency partners to comply with necessary security measures. Berglas emphasizes the importance of supporting the weakest link in the chain by providing resources to enhance their cybersecurity practices.

Editorial: Addressing the Urgent Need for Enhanced Cybersecurity Measures

The recent revelations regarding the Chinese cyber campaign and the insider breach highlight the growing urgency for improved cybersecurity measures within the US military and other critical infrastructure sectors. These incidents demonstrate the vulnerability and potential consequences of cyberattacks, underscoring the need for comprehensive action.

The Chinese intrusion into critical US networks should serve as a wake-up call for the government and private sector stakeholders. There is a pressing need to invest in robust cybersecurity frameworks, threat intelligence capabilities, and collaboration across sectors to prevent further infiltrations and mitigate the damage caused by attacks.

Enhancing cybersecurity measures requires a comprehensive approach that addresses both technical and human vulnerabilities. The two incidents point to different gaps: Volt Typhoon shows the need for detection capable of finding long-dormant implants inside operational networks, while the Arnold Air Force Base case shows the need for strong access controls and monitoring of privileged users. Bolstering cybersecurity training and awareness programs for personnel at all levels is also essential to reduce insider breaches and the risks associated with human error.

Furthermore, the US government must strengthen international cooperation to discourage state-sponsored cyber campaigns and hold accountable those responsible for such attacks. Diplomatic efforts and coordinated actions, including sanctions and indictments, are necessary to deter future cyber threats.

Ultimately, ensuring cybersecurity resilience demands ongoing vigilance and adaptation to evolving threats. Implementing a proactive approach, continuous monitoring, and swift response mechanisms will be key to mitigating risks and protecting critical infrastructure from cyber threats.

Advice: Safeguarding Critical Networks through Cybersecurity Best Practices

Given the increasing sophistication of cyber threats targeting critical infrastructure and military installations, organizations must prioritize cybersecurity best practices to protect their networks. The following recommendations can help mitigate risks and enhance the resilience of critical systems:

1. Implement a Multi-layered Defense Strategy:

Deploy a combination of network segmentation, firewalls, intrusion detection systems, and advanced endpoint security to establish multiple defense layers. In particular, separate the operational networks that control communications, power, and water from general business networks, so that an implant in one cannot be used to reach the other.

2. Adopt Zero Trust Architecture:

Implement zero trust principles that require authentication and authorization for every access attempt, regardless of network location or prior trust. This does not eliminate insider threats, as the Arnold Air Force Base case shows, but it limits what a single compromised account or malicious insider can reach.

3. Conduct Regular Security Assessments and Audits:

Regularly evaluate the security posture of critical networks through comprehensive assessments and audits, including the networks of state, local, and private partners that hold sensitive access. Identify vulnerabilities and address them promptly.

4. Enhance Employee Cybersecurity Training:

Invest in comprehensive cybersecurity training for employees at all levels. Educate personnel on identifying phishing attempts, safe browsing practices, and the importance of strong authentication, and make clear how to report suspicious activity by colleagues, since insider misuse is often first noticed by coworkers.

5. Establish Strong Incident Response Plans:

Develop and test incident response plans to ensure a swift and coordinated response to cyber incidents, including the case of an implant discovered in infrastructure shared with civilian operators. Update these plans regularly based on emerging threats and evolving best practices.

6. Foster Collaboration and Information Sharing:

Promote information sharing and collaboration among government agencies, private sector organizations, and international partners. This collaboration will enable timely threat intelligence sharing and coordinated responses to cyber threats.

7. Continuously Monitor and Patch Systems:

Regularly update and patch software and systems to address known vulnerabilities promptly, paying particular attention to internet-facing and remote-access equipment. Implement continuous monitoring to detect and respond to threats in near real time, including activity that may have been dormant for long periods.

By adopting these cybersecurity best practices, organizations can significantly enhance their ability to protect critical networks and infrastructure from the growing cyber threats they face.
