Mandiant Intelligence Chief Raises Alarm Over China’s ‘Volt Typhoon’ Hackers in US Critical Infrastructure
In a keynote speech at the 2023 ICS Cybersecurity Conference in Atlanta, John Hultquist, the chief analyst at Mandiant Intelligence, discussed the growing threat posed by the Chinese hacking group known as Volt Typhoon. Hultquist urged defenders of critical infrastructure to prioritize the detection and removal of traces of this group, which has been targeting installations and sectors related to critical infrastructure in Guam and the United States.
A Shift in Chinese Hacking Strategy
Hultquist noted that the Volt Typhoon campaign represents a significant shift in tactics for Chinese hacking groups. Instead of focusing primarily on economic espionage and intellectual property theft, this group is intentionally targeting critical infrastructure installations. This deliberate and long-term attempt to infiltrate critical infrastructure, while staying below the radar, is a cause for concern.
Deliberate Targeting of Critical Infrastructure
Mandiant and Microsoft, who first flagged the Volt Typhoon campaign, have confirmed that the group has been found in critical infrastructure sectors such as telecommunications, logistics, power, and water. The National Security Agency (NSA) has theorized that the group may be positioning itself to carry out a disruptive attack in a wartime scenario. While this theory is not confirmed, the deliberate targeting of critical infrastructure makes it a priority for defenders to address.
Tactics and Challenges
Volt Typhoon has been described as a stealthy and targeted group focusing on credential access and network system discovery. They leverage botnets for command and control and minimize the use of malware, making them difficult to detect and track. Hultquist recommended that defenders prioritize patching and mitigations for internet-facing edge devices and network routers, as they serve as crucial entry points for high-end attackers.
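Because the group leans on credential access and network discovery while keeping malware to a minimum, host process telemetry rather than antivirus alerts is where defenders are most likely to see it. The following is an added example, not code from Mandiant, Microsoft or the conference, that scans constructed process-creation events for a burst of distinct built-in discovery tools run by one host and account inside a short window. The event format, the tool watchlist, the window and the threshold are all assumptions chosen for illustration.

```python
"""Added detection example: flag a burst of built-in discovery commands.

The event tuples, the watchlist, the window and the threshold below are
illustrative assumptions, not values taken from the article.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events: (timestamp, host, user, command line).
SAMPLE_EVENTS = [
    ("2023-10-23T09:00:05", "hmi-01", "svc_scada", "ipconfig /all"),
    ("2023-10-23T09:00:09", "hmi-01", "svc_scada", "systeminfo"),
    ("2023-10-23T09:00:14", "hmi-01", "svc_scada", "net view"),
    ("2023-10-23T09:00:20", "hmi-01", "svc_scada", "nltest /dclist:corp"),
    ("2023-10-23T09:00:31", "hmi-01", "svc_scada", "netstat -ano"),
    ("2023-10-23T10:15:00", "eng-ws-07", "alice", "ipconfig /all"),
    ("2023-10-23T14:40:00", "eng-ws-07", "alice", "ping 10.0.0.1"),
    ("2023-10-23T11:02:00", "file-02", "bob", r"C:\Windows\notepad.exe report.txt"),
]

# Assumed watchlist of built-in Windows tools that are common in host and
# network discovery. A real deployment would tune this to its own baseline.
DISCOVERY_TOOLS = {
    "ipconfig", "systeminfo", "net", "net1", "nltest", "netstat",
    "arp", "route", "whoami", "tasklist", "dsquery", "nbtstat",
}

WINDOW = timedelta(minutes=5)   # sliding window per host/user session
THRESHOLD = 4                   # distinct discovery tools needed to alert


def tool_name(cmdline):
    """Return the lower-cased executable name without path or .exe suffix."""
    parts = cmdline.strip().split()
    if not parts:
        return ""
    base = re.split(r"[\\/]", parts[0])[-1].lower()
    return base[:-4] if base.endswith(".exe") else base


def find_discovery_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Map (host, user) to the sorted distinct discovery tools seen whenever
    at least `threshold` distinct tools fall inside one sliding window."""
    per_session = defaultdict(list)
    for ts, host, user, cmd in events:
        tool = tool_name(cmd)
        if tool in DISCOVERY_TOOLS:
            per_session[(host, user)].append((datetime.fromisoformat(ts), tool))

    alerts = {}
    for session, hits in per_session.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            seen = {t for t, _ in ((tool, ts) for ts, tool in hits[i:] if ts - start <= window)}
            if len(seen) >= threshold:
                alerts[session] = sorted(seen)
                break
    return alerts


def format_alerts(alerts):
    """Render alerts as one line each for a ticket or SIEM note."""
    return [
        f"discovery burst on {host} by {user}: {', '.join(tools)}"
        for (host, user), tools in sorted(alerts.items())
    ]


if __name__ == "__main__":
    for line in format_alerts(find_discovery_bursts(SAMPLE_EVENTS)):
        print(line)
```

The check keys on the combination of distinct tools and time rather than on any single command, because each of these commands is legitimate on its own and an administrator running one of them occasionally should not page anyone. The interesting signal for a group that avoids malware is the cluster: several unrelated discovery utilities from one account in a few minutes, which is worth a look regardless of whether the account is a service account on an HMI or an engineer's workstation.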
Editorial: The Importance of Cybersecurity in Critical Infrastructure
The recent activities of Volt Typhoon, a Chinese hacking group targeting critical infrastructure installations in the United States, highlight the pressing need for robust cybersecurity measures. These attacks serve as a wake-up call for both government and private sector organizations to prioritize investment in protecting critical infrastructure from cyber threats.
Critical infrastructure, such as power grids, transportation systems, and water treatment facilities, plays a crucial role in the functioning of modern society. A successful cyber attack on these systems can have far-reaching consequences, including disruption of essential services, economic damage, and potential loss of life. The increasing sophistication and motivation of malicious actors, such as the Volt Typhoon group, necessitate a proactive and comprehensive approach to cybersecurity.
Defenders of critical infrastructure must invest in advanced threat detection and mitigation technologies, prioritize patching and security updates, and ensure proper training and awareness among employees. Collaboration between government agencies, private sector partners, and cybersecurity professionals is essential to stay ahead of evolving threats and effectively respond to cyber incidents.
Advice: Protecting Critical Infrastructure from Cyber Threats
Protecting critical infrastructure from cyber threats requires a multi-faceted approach that addresses both technical and human factors. Here are some key measures that organizations should consider:
1. Regular Risk Assessments
Organizations should conduct regular risk assessments to identify vulnerabilities and prioritize mitigation efforts. This includes identifying potential entry points for cyber attacks, evaluating the resilience of systems and networks, and assessing the effectiveness of existing security measures.
2. Robust Network Security
Implementing strong network security measures, such as firewalls, intrusion detection systems, and network segmentation, can help prevent unauthorized access and limit the impact of potential breaches. Continuous monitoring and analysis of network traffic can also help detect and respond to suspicious activity in real time.
3. Employee Training and Awareness
Employee training and awareness programs are crucial to prevent human error and social engineering attacks. Organizations should provide regular cybersecurity training to employees, emphasizing the importance of strong passwords, safe browsing habits, and the recognition of phishing attempts.
4. Patch Management
Regularly updating and patching software and firmware is critical to mitigate known vulnerabilities that could be exploited by hackers. Organizations should establish a robust patch management process that includes timely installation of security updates and patches across all systems and devices.
5. Incident Response Planning
Having a well-defined incident response plan in place is essential for effectively managing and mitigating the impact of a cyber attack. This includes establishing clear roles and responsibilities, defining escalation procedures, and conducting regular tabletop exercises to test the efficiency and effectiveness of the plan.
Conclusion
The activities of the Volt Typhoon hacking group targeting critical infrastructure installations in the United States serve as a reminder of the ever-present cyber threats facing our society. Defenders of critical infrastructure must remain vigilant, invest in robust cybersecurity measures, and foster collaboration between government agencies, private sector partners, and cybersecurity professionals. By prioritizing cybersecurity, we can protect our critical infrastructure and ensure the continuity and resilience of the essential services that our society relies on.
<< photo by Michael Dziedzic >>