U.S. Agencies Warn Critical Infrastructure Leaders to Defend Against Chinese Hacking Group Volt Typhoon
ICARO Media Group
In a joint effort, U.S. agencies including CISA, the NSA, and the FBI have issued a warning to critical infrastructure leaders about the Chinese hacking group known as Volt Typhoon. Other partner cybersecurity agencies from Australia, Canada, the UK, and New Zealand have also joined these efforts to combat the threat.
The authorities have urged critical infrastructure organizations to take immediate action to protect their systems against potential attacks by Volt Typhoon. Last month, it was revealed that Chinese hackers had breached multiple U.S. critical infrastructure organizations, maintaining access for an astonishing five years before being detected.
What sets Volt Typhoon apart from typical cyber espionage activities is their focused objective to gain access to Operational Technology (OT) assets within networks. This raises concerns that the group aims to exploit such access to disrupt critical infrastructure systems. U.S. authorities fear that this could lead to severe disruptions not only during military conflicts but also in times of geopolitical tensions.
To counter these threats, CISA, along with other U.S. government agencies such as the Department of Energy, the Environmental Protection Agency, the Transportation Security Administration, and the Department of the Treasury, advises critical infrastructure leaders to empower their cybersecurity teams. They encourage these teams to make informed resourcing decisions, secure their supply chains, and ensure that performance management aligns with the organization's cyber goals.
In a joint guidance document, the agencies list key best practices for cybersecurity teams: turning on logging for applications and systems, storing logs in a central system, and keeping logging robust enough to detect and mitigate potential compromises. Crucially, organizations are urged to ask their IT teams which logs could reveal the commands used by Volt Typhoon actors. Furthermore, where necessary, resources should be allocated so that compromises can be detected effectively.
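The guidance above is abstract (turn on logging, centralize it, then go looking for attacker commands), so here is an added illustration of what that looks like in practice on a central collector. This is example code written for this page, not code from the advisory or from any agency: it ingests constructed process-creation log lines from several hosts, keeps a hash chain over the raw lines so later tampering with the stored copy is detectable, and lets an analyst search the command lines against whatever regex patterns their threat-intelligence feed or the joint advisory supplies (the patterns, hostnames, users and log format below are all constructed for the demo).

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed sample: process-creation records from two hosts, in the shape a
# central collector might store them. Every value here is invented for this
# example and is not an indicator from the advisory.
SAMPLE_LOG_LINES = [
    '2024-02-20T03:12:44Z host=ws-01 user=jdoe pid=4120 cmd="notepad.exe C:\\notes.txt"',
    '2024-02-20T03:13:02Z host=ws-01 user=svc_backup pid=4188 cmd="cmd.exe /c dir C:\\Users"',
    '2024-02-20T03:13:09Z host=srv-07 user=svc_backup pid=902 cmd="cmd.exe /c dir C:\\Users"',
    'this line is malformed and must be counted rather than silently dropped',
    '2024-02-20T03:15:30Z host=srv-07 user=admin pid=917 cmd="powershell.exe -File backup.ps1"',
]

# One record per line: timestamp, host, user, pid and the full command line.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) pid=(?P<pid>\d+) cmd="(?P<cmd>.*)"$'
)


@dataclass(frozen=True)
class ProcessEvent:
    ts: str
    host: str
    user: str
    pid: int
    cmd: str


def parse_line(line):
    """Return a ProcessEvent for a well-formed line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return ProcessEvent(m["ts"], m["host"], m["user"], int(m["pid"]), m["cmd"])


def ingest(lines):
    """Parse raw lines into events.

    Returns (events, malformed_count, chain_digest). chain_digest is a SHA-256
    hash chain over the raw lines in arrival order, so a reader holding the
    digest can tell whether lines were later removed, reordered or altered.
    Malformed lines are counted instead of dropped: a sudden rise in that
    count is itself something to investigate (log source changed, or tampered).
    """
    events, malformed = [], 0
    digest = hashlib.sha256(b"log-chain-seed").digest()  # constructed seed
    for line in lines:
        digest = hashlib.sha256(digest + line.encode()).digest()
        ev = parse_line(line)
        if ev is None:
            malformed += 1
        else:
            events.append(ev)
    return events, malformed, digest.hex()


def search_commands(events, patterns):
    """Return events whose command line matches any of the supplied regex patterns.

    The patterns are meant to come from the analyst's own intelligence source
    (for example the joint advisory); none are hard-coded here.
    """
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    return [ev for ev in events if any(c.search(ev.cmd) for c in compiled)]


def hosts_sharing_command(events, min_hosts=2):
    """Map each command line seen on at least min_hosts distinct hosts to those hosts.

    Identical commands repeated across hosts in a short window are a cheap
    review list even before any specific indicator is known.
    """
    by_cmd = {}
    for ev in events:
        by_cmd.setdefault(ev.cmd, set()).add(ev.host)
    return {cmd: sorted(hosts) for cmd, hosts in by_cmd.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    events, bad, digest = ingest(SAMPLE_LOG_LINES)
    print(f"{len(events)} events, {bad} malformed, chain {digest[:16]}...")
    for ev in search_commands(events, [r"cmd\.exe /c dir"]):  # constructed pattern
        print("match:", ev.ts, ev.host, ev.user, ev.cmd)
    print("shared across hosts:", hosts_sharing_command(events))
```

The hash chain is deliberately simple; a production collector would sign the periodic digest or ship it to write-once storage, but even this much lets an incident responder prove whether the central copy still matches what was collected during the months-long dwell time the article describes.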
Volt Typhoon, also known as Bronze Silhouette, has been actively targeting and breaching U.S. critical infrastructure organizations since mid-2021. Notably, the hackers used a botnet called KV-botnet, made up of hundreds of compromised small office/home office (SOHO) routers across the U.S., to hide their malicious activity and evade detection. However, the FBI disrupted the KV-botnet in December, rendering it ineffective. The remaining command-and-control servers were sinkholed by Lumen's Black Lotus Labs, preventing the group from rebuilding the botnet.
In response to this development, CISA and the FBI have reached out to SOHO router manufacturers, urging them to enhance the security of their devices against Volt Typhoon attacks. They recommend implementing secure configuration defaults and eliminating web management interface flaws during the development process.
As the cybersecurity landscape continues to evolve, collaboration between agencies and organizations becomes crucial. The joint efforts by U.S. authorities and their international partners aim to protect critical infrastructure from the persistent threat of hacking groups like Volt Typhoon. By implementing the recommended defense measures, organizations can enhance their resilience against potential cyber-attacks.