Today, CISA—along with the NSA, FBI, and other U.S. government and international partners—published a joint fact sheet titled “PRC State-Sponsored Cyber Activity: Actions for Critical Infrastructure Leaders” which warns critical infrastructure leaders of the urgent risk posed by Volt Typhoon, the China state-sponsored threat actor, and provides guidance on specific actions to prioritize the protection of their organization from this threat activity.

WaterISAC has previously reported that Volt Typhoon has been pre-positioning themselves on U.S. critical infrastructure organizations’ networks to enable disruption or destruction of critical services in the event of increased geopolitical tensions and/or military conflict with the U.S. and its allies. This is a critical business risk for every organization in the U.S. and allied countries.

The fact sheet includes three main Actions for leaders with additional steps and guidance for each:

• Make informed and proactive resourcing decisions
• Secure Your Supply Chain
• Drive a cybersecurity culture

WaterISAC, CISA, and partners strongly urge critical infrastructure organization leaders to read the guidance provided in the joint fact sheet to defend against this threat. Access the full fact sheet here.

Based on past Volt Typhoon activity targeting critical infrastructure organizations, including water and wastewater systems, here are actions to take today to mitigate Volt Typhoon activity:

1. Apply patches for internet-facing systems. Prioritize patching critical vulnerabilities in appliances known to be frequently exploited by Volt Typhoon.
2. Implement phishing-resistant MFA.
3. Change default passwords and do not share passwords or use the same password across multiple systems/applications.
4. Ensure logging is turned on for application, access, and security logs and store logs in a central system.

Members are encouraged to review the following reports for mitigation steps to detect and protect against this activity. In some cases, utilities may need to forward these reports on to systems integrators or other technology or cybersecurity support for assistance in:

• Recognizing Volt Typhoon techniques,
• Assessing whether Volt Typhoon techniques have compromised your organization,
• Securing your networks from these adversarial techniques by implementing recommended mitigations.

Additional resources on Volt Typhoon related activity and secure by design principles:

• PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure | CISA
• Joint Guidance: Identifying and Mitigating Living off the Land Techniques | CISA
• WaterISAC Advisory – PRC-sponsored Volt Typhoon Activity and Supplemental Living Off the Land Guidance | WaterISAC
• Disrupted Volt Typhoon Botnet and Testimony on Preeminent Cyber Threat Posed by the PRC | WaterISAC
• People's Republic of China State-Sponsored Cyber Actor Volt Typhoon | WaterISAC
• Secure by Design | CISA