December 14, 2023

The U.S. cybersecurity landscape faces a critical challenge with the emergence of a highly resilient botnet operated by the China state-sponsored threat actor labeled Volt Typhoon. This botnet has ingeniously repurposed end of life Small Office/Home Office (SOHO) routers from Cisco, Netgear, and Fortinet, and set up a Tor-like covert data transfer network to perform malicious operations.

Notably, these routers, lacking security updates, now serve as a central element in Volt Typhoon’s penetration strategy across multiple critical sectors. Researchers at Black Lotus Labs, uncovered this complex botnet, identified as the KV-botnet. Their analysis unearthed a sophisticated infection process and a well disguised command-and-control infrastructure. Recent alterations to the botnet’s architecture, incorporating Axis IP cameras, suggest an imminent surge in malicious activities, potentially timed for the holiday season. Given the absence of ongoing security support for these outdated routers, replacing them stands as the most viable countermeasure. The compromised devices include Cisco RV320S, DrayTek Vigor routers, Netgear ProSAFEs, and now Axis IP cameras. Given the extensive deployment of these outdated routers, cybersecurity analyst are urged to monitor data transfers. This caution extends to local destination IP addresses, ensuring a proactive stance in neutralizing the threat posed by this covert network. Read more at Security Week.

October 26, 2023

In a keynote fireside chat at SecurityWeek's 2023 ICS Cybersecurity Conference in Atlanta, John Hultquist, Chief Analyst at Mandiant Intelligence, underscored the urgent need for defenders within critical infrastructure to identify and eliminate traces of Volt Typhoon. This Chinese government-backed hacking team has conducted alarming attacks on targets in Guam and the U.S., notably focusing on critical infrastructure. Hultquist highlighted the unprecedented nature of this campaign, as it marks a significant departure from China's typical focus on economic espionage and IP theft. Volt Typhoon's deliberate targeting of critical infrastructure installations has raised concerns, and the group's extensive infiltration efforts have been detected in various sectors, including telecommunications and logistics.  

As part of our commitment to safeguarding critical infrastructure and protecting members, we have previously alerted to similar threat activity in the past (see previous postings below). We understand the importance of sharing insights into the tactics, techniques, and procedures (TTPs) employed by such groups, helping organizations prepare for potential threats. Volt Typhoon's use of botnets and zero-day vulnerabilities to maintain operational security adds to the complexity of addressing this threat.  

Hultquist emphasized the importance of monitoring this situation closely, as Volt Typhoon's presence is widespread throughout the U.S. He also noted the need to consider potential responses in the context of the current situation in the Middle East. SecurityWeek's ICS Cybersecurity Conference sessions are available for viewing in both live and on-demand formats.  Read more at SecurityWeek.

August 18, 2023

EPA has released a water and wastewater sector-focused advisory (attached below) that supplements previous government alerts regarding the China state-sponsored threat actor labeled Volt Typhoon (or BRONZESILHOETTE or VANGUARD PANDA), which is suspected of conducting network scanning and other reconnaissance activities targeting U.S. critical infrastructure. In addition to EPA’s sector-specific concerns, prior reporting has shown the federal government is concerned the threat actor may target water and wastewater utilities, particularly if they provide services to military bases. The advisory includes new indicators of compromise (IOCs) that can be used by network defenders to detect if their systems have been breached.

Members should review the advisory’s IOCs and update their network defenses accordingly. The advisory specifically recommends network administrators:

• Scan networks for the known IOCs included in the advisory, and other unusual IP addresses and ports in command lines, registry entries, and firewall logs to identify other hosts that are potentially involved in actor actions.
• Block all listed IP addresses and user-agents listed in the advisory.
• Establish baselines of normal activity, particularly for remote access and administrative actions, and look for outliers from those baselines.

Volt Typhoon is known to prefer living off the land tactics, which enables it to avoid detection by using legitimate network administration tools, so members are encouraged to conduct scanning to uncover suspicious network behavior.

Additional relevant information and resources shared by WaterISAC include:

• (U//FOUO) Network Defender Bulletin (DHS I&A)
• June 28, 2023 WaterISAC Cyber Threat Briefing

If you find any evidence of Volt Typhoon activity, contact the FBI via your local Field Office, Cyber Watch (CyWatch) at (855) 292-3937 or [email protected], or the Internet Crime Complaint Center (IC3). You can also contact CISA at [email protected] or (888) 282-0870. Additionally, WaterISAC encourages members to share information by emailing [email protected], calling 866-H2O-ISAC, or using the online incident reporting form.

May 25, 2023

Yesterday, CISA, the FBI, the National Security Agency (NSA), the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the Communications Security Establishment’s Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), and the United Kingdom National Cyber Security Centre (NCSC-UK) published a joint Cybersecurity Advisory (CSA) to highlight a People’s Republic of China (PRC) state-sponsored actor, also known as Volt Typhoon, that is actively working to compromise critical infrastructure networks and conduct malicious activity.

This advisory provides critical infrastructure organizations and network defenders with new insights into the specific tactics, techniques, and procedures (TTPs) used by PRC threat actors to gain and maintain persistent access into critical infrastructure networks. It demonstrates how PRC cyber actors use a technique called living off the land, which enables these actors to avoid detection by using legitimate network administration tools such as PowerShell, Windows Management Instrumentation (WMI), and Mimikatz.    

The CSA also includes indicators of compromise to help network defenders detect related malicious activity. The authoring agencies encourage network defenders to review the advisory and apply the included mitigations. Recommended mitigations which can help organizations prioritize their investments to most effectively mitigate this activity, include:  

• Baseline protections include harden domain controllers, monitor event logs, limit port proxy usage within environments, and investigate unusual internet protocol (IP) addresses and ports.  
• Logging recommendations include setting audit policy, hunt for windows management instrumentation (WMI) and PowerShell activity and enable logging on their edge devices.   
• Prioritize mitigation of known exploited vulnerabilities (KEV), including those listed in the joint advisory and also in CISA's KEV catalog. 

To report suspicious or criminal activity related to information found in advisory, contact your local FBI field office, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937, or by e-mail at [email protected]. If you have any further questions, or to request incident response resources or technical assistance related to these threats, contact CISA at [email protected]. Access the full advisory at CISA.