Skip links

Five Eyes tell critical infra orgs: take these actions now to protect against China’s Volt Typhoon

The Feds and friends yesterday issued yet another warning about China’s Volt Typhoon gang, this time urging critical infrastructure owners and operators to protect their facilities against destructive cyber attacks that may be brewing.

The Tuesday alert – issued by the US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), FBI and eight other US and international partners – comes a little more than a month after the same groups from the same Five Eyes nations sounded the alarm on Volt Typhoon compromising “multiple” critical infrastructure orgs’ IT networks in America.

The previous advisory, published on February 7, also warned that the Beijing-backed crew was readying “disruptive or destructive cyber attacks” against these same targets.

Today’s advisory is more of a condensed version of the February one. While it doesn’t include any new details about specific Chinese threats or compromised networks, it’s more “focused on providing guidance to non-technical senior business leaders,” a CISA spokesperson told The Register.

“As a first step, organizations should use intelligence-informed prioritization tools, such as the Cybersecurity Performance Goals (CPGs) or derived guidance from an SRMA,” the alert [PDF] advises.

For those not fluent in CISA acronyms, an SRMA is a Sector Risk Management Agency and each of the 16 US critical infrastructure sectors has its own.

The alert also encourages cyber security best practices – such as turning on logging for all applications and systems, and storing these logs in a central system. This can help security teams detect “living off the land” techniques, which involve using legitimate admin tools and software, rather than installing custom malware, to blend in and avoid being detected by security tools.

Pretty much every Volt Typhoon warning we’ve seen, from both government agencies and private-sector threat hunters, has observed that this China state-backed cybercrime gang is especially adept at living off the land.

Organizations should also develop an incident response plan and conduct regular tabletop exercises so that everyone knows their role and what to do in case of an attack.

Today’s alert also recommends securing the supply chain and ensuring vendor risk management processes are in place.

This includes “ensuring that suppliers and partners adhere to strict security standards and any foreign ownership, control, or influence (FOCI) are clearly identified and managed, including consideration of, for example, the US Department of Commerce Entities List and Unverified List.” ®