Cyber Attack Prevention: Defending Against Volt Typhoon

Cybersecurity remains at the forefront of national security concerns, especially with state-sponsored cyber activities targeting critical infrastructure. Recent advisories from the Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the National Security Agency (NSA) and the FBI have brought to light the activities of People’s Republic of China state-sponsored actors, notably referred to as Volt Typhoon (also known as Vanguard Panda, BRONZE SILHOUETTE, Dev-0391, UNC3236, Voltzite, and Insidious Taurus). These cyber criminals, whose latest attack was identified in May 2023, are strategically positioning themselves within IT networks of U.S. critical infrastructure sectors, including—Communications, Energy, Transportation Systems, Water and Wastewater Systems—to potentially launch a disruptive or destructive cyber attack.

The Dangers Presented by Volt Typhoon’s Cyber Attack

Volt Typhoon’s most recent strategy highlights the sophisticated use of “living off the land” (LOTL) techniques. This method involves leveraging legitimate features of a system to remain undetected while conducting malicious activities. Specifically, the actors engage in detailed reconnaissance, exploiting vulnerabilities in public-facing network appliances for initial access, and then they leverage administrator credentials for lateral movement and domain control. The result is a combined strategic and stealth approach. These tactics signify a departure from traditional cyber-based espionage, hinting at a more ominous intent of pre-positioning for future activities.

Tactics and Techniques Utilized by Volt Typhoon:

  • Establish initial access through vulnerabilities in network appliances, followed by VPN use.
  • Obtain administrator credentials, often via privilege escalation or insecure storage.
  • Use lateral movement to domain controllers using valid credentials and Remote Desktop Protocol.
  • Discover and utilize PowerShell for targeted queries on Windows event logs via stealth networks.
  • Use the Volume Shadow Copy Service to achieve full domain compromise by accessing the Active Directory database (NTDS.dit).
  • Employ offline password-cracking techniques to gain elevated network access.
  • Strategic infiltration focuses on OT assets and tests access with default vendor or compromised OT system credentials.
  • Creates the potential for significant disruption, including manipulating HVAC systems or critical energy and water controls.

For a more detailed overview, visit the CISA Cybersecurity Advisory website.

Strategic Implications and Recommendations

The revelation of Volt Typhoon’s activities should serve as a wake-up call for bolstering security measures across critical infrastructure sectors. Additionally, these attacks underscore the importance of adopting a proactive and strategic approach to security, emphasizing resilience and the capacity to deter sophisticated threats.

Key recommendations for mitigating the risk posed by Volt Typhoon include:

  • Patching of Internet-facing Systems: Regularly update and patch Internet-facing systems, prioritizing critical vulnerabilities known to be exploited by Volt Typhoon. This patch management reduces the attack surface and protects against known exploits.
  • Phishing-resistant Multifactor Authentication (MFA): Deploy phishing-resistant MFA to safeguard access to networks and sensitive information. This process adds a crucial layer of security that attackers using stolen credentials cannot easily bypass.
  • Conditional Access Policies: Implement conditional access policies that evaluate the context of access requests (user identity, location, device security status, etc.) and apply appropriate security controls. This access restriction helps minimize risks by ensuring only legitimate, authenticated, and authorized access to critical resources.
  • Comprehensive Logging and Monitoring: Implement an extensive logging and monitoring regime. Ensure all application, access, and security logs are collected and analyzed in detail, focusing on detecting subtle, sophisticated tactics like those employed by Volt Typhoon, including LOTL techniques.
  • Technology Lifecycle Management: Develop a strategy for managing the end-of-life of technology the manufacturer no longer supports. Update or replace outdated systems to close vulnerabilities that attackers could exploit.

Weathering the Typhoon of a Cyber Attack with a Trusted Partner

The activities of Volt Typhoon highlight the evolving threat landscape and the need for constant vigilance and adaptation in cybersecurity practices. By understanding and monitoring the tactics and strategies employed by these bad actors, cybersecurity professionals can better protect both their organization’s valuable data and critical infrastructure from potential threats. This requires technological solutions and a strategic mindset that anticipates and mitigates against the sophisticated methods utilized.

However, the complexity, sophistication, and sheer volume of these threats often surpass the capabilities of in-house IT staff. This gap is where teaming with a reliable security partner becomes paramount. A seasoned security partner brings expertise, advanced technology solutions, and a proactive approach to identifying and mitigating threats, offering a comprehensive strategy that extends beyond traditional measures. This expertise ensures organizations can defend against complex attacks and stay ahead of potential vulnerabilities.

OneNeck IT Solutions offers a strategic advantage in response to such threats. Our experienced team provides a broad range of security services designed to protect against sophisticated cyber threats. Our security solutions, including cloud, managed, and professional services, help ensure a robust defense against a cyber attack from actors like Volt Typhoon.

Partnering with OneNeck is the perfect next step for organizations looking to enhance their security posture. Contact us today to learn more about how our services can protect your organization from sophisticated cyber threats.

grey line for Volt Typhoon cyber attack blog.

Additional Resources:

Get In Touch

Call Us

For general inquiries, call: 855.ONENECK

Immediate Assistance

Managed services support: 800.272.3077
Non-managed service support: 515.334.5755
Or visit our service desk:
Service Desk Portal

Chat With Us

Hours available: 24/7
Start a Chat

OneNeck Headquarters

525 Junction Road
Madison, WI 53717
View All Locations

Talk to Our Team