(TLP:CLEAR) WaterISAC Advisory – PRC-sponsored Volt Typhoon Activity and Supplemental Living Off the Land Guidance

Created: Thursday, February 8, 2024 - 13:25
Categories:
Cybersecurity, OT-ICS Security, Federal & State Resources

Yesterday, WaterISAC sent an advisory to members regarding the joint Cybersecurity Advisory (CSA) and guidance related to Volt Typhoon. The CSA confirms that these state-sponsored affiliated actors have an interest in and have compromised water and wastewater systems sector assets. Specifically, the U.S. authoring agencies have confirmed that Volt Typhoon has compromised the IT environments of multiple critical infrastructure organizations—primarily in Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors—in the continental and non-continental United States and its territories, including Guam.

The CSA, PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure, and the supplemental Joint Guidance: Identifying and Mitigating Living off the Land Techniques were released by CISA, NSA, and FBI yesterday.

Actions to take today to mitigate Volt Typhoon activity:

  1. Apply patches for internet-facing systems. Prioritize patching critical vulnerabilities in appliances known to be frequently exploited by Volt Typhoon.
  2. Implement phishing-resistant MFA.
  3. Change default passwords and do not share passwords or use the same password across multiple systems/applications.
  4. Ensure logging is turned on for application, access, and security logs and store logs in a central system.

Members are encouraged to review the following reports for mitigation steps to detect and protect against this activity.

In some cases, utilities may need to forward these reports on to systems integrators or other technology or cybersecurity support for assistance in:

  • Recognizing Volt Typhoon techniques,
  • Assessing whether Volt Typhoon techniques have compromised your organization,
  • Securing your networks from these adversarial techniques by implementing recommended mitigations.

CISA and Partners Release Advisory on PRC-sponsored Volt Typhoon Activity and Supplemental Living Off the Land Guidance

Joint CSA: PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure

JOINT GUIDANCE: Identifying and Mitigating Living Off the Land Techniques

Notable Volt Typhoon actions against water and wastewater entities.

Volt Typhoon’s behaviors are concerning, notably the capability to lurk in networks for an extended period due to significant use of living off the land (LOTL) techniques, where actors leverage existing tools within an environment to remain undetected. Some of the techniques and behaviors that have been observed against water and wastewater systems (WWS) entities include (but are not limited to):

  • The reports specifically state that in one confirmed compromise of a water and wastewater systems sector entity, after obtaining initial access, Volt Typhoon actors connected to the network via a VPN with administrator credentials they obtained and opened an RDP session with the same credentials to move laterally. Over a nine-month period, they moved laterally to a file server, a domain controller, an Oracle Management Server (OMS), and a VMware vCenter server. The actors obtained domain credentials from the domain controller and performed discovery, collection, and exfiltration on the file server (see the Discovery and Collection and Exfiltration sections).
  • Volt Typhoon potentially had access to a range of critical PuTTY profiles, including those for water treatment plants, water wells, an electrical substation, OT systems, and network security devices.
  • Their choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable the disruption of OT functions across multiple critical infrastructure sectors.
  • Volt Typhoon uses elevated credentials for strategic network infiltration and additional discovery, often focusing on gaining capabilities to access OT assets. Volt Typhoon actors have been observed testing access to domain-joined OT assets using default OT vendor credentials, and in certain instances, they have possessed the capability to access OT systems whose credentials were compromised via NTDS.dit theft. This access enables potential disruptions, such as manipulating heating, ventilation, and air conditioning (HVAC) systems in server rooms or disrupting critical energy and water controls, leading to significant infrastructure failures.
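One way to hunt for the pattern in the first bullet above (a VPN login with an administrator account followed by RDP sessions with the same account) once logs are stored centrally. This is an added example, not code from the advisory or the joint CSA. The record layout, field names, account list, time window, and sample events are constructed assumptions to be mapped to your own VPN and Windows Security log schema.

```python
from datetime import datetime, timedelta

ADMIN_ACCOUNTS = {"svc-admin"}   # assumption: your list of privileged accounts
WINDOW = timedelta(hours=8)      # assumption: how long after VPN login to correlate
RDP_LOGON_TYPE = 10              # Windows event 4624, LogonType 10 = RemoteInteractive

# Constructed sample records (hypothetical field names, documentation IP ranges).
EVENTS = [
    {"ts": "2024-02-01T02:14:07", "src": "vpn", "user": "CORP\\svc-admin",
     "ip": "203.0.113.45"},
    {"ts": "2024-02-01T02:16:31", "src": "win", "event_id": 4624, "logon_type": 10,
     "user": "svc-admin", "host": "FILESRV01"},
    {"ts": "2024-02-01T02:41:12", "src": "win", "event_id": 4624, "logon_type": 10,
     "user": "svc-admin@corp.example", "host": "DC01"},
    {"ts": "2024-02-01T09:05:00", "src": "vpn", "user": "jsmith",
     "ip": "198.51.100.7"},
    {"ts": "2024-02-01T09:06:10", "src": "win", "event_id": 4624, "logon_type": 10,
     "user": "jsmith", "host": "WKSTN22"},
    {"ts": "2024-02-01T10:00:00", "src": "win", "event_id": 4624, "logon_type": 3,
     "user": "svc-admin", "host": "FILESRV01"},
]

def normalise(user):
    # Reduce "DOMAIN\name" and "name@domain" to a bare lower-case account name.
    return user.split("\\")[-1].split("@")[0].lower()

def vpn_then_rdp(events, admins=ADMIN_ACCOUNTS, window=WINDOW):
    # One finding per admin VPN login that is followed by RDP logons in the window.
    events = sorted(events, key=lambda e: e["ts"])   # ISO timestamps sort as text
    findings = []
    for i, vpn in enumerate(events):
        user = normalise(vpn["user"])
        if vpn["src"] != "vpn" or user not in admins:
            continue
        start = datetime.fromisoformat(vpn["ts"])
        hosts = []   # distinct hosts reached over RDP, in order of first logon
        for e in events[i + 1:]:
            if datetime.fromisoformat(e["ts"]) - start > window:
                break
            if (e["src"] == "win" and e.get("event_id") == 4624
                    and e.get("logon_type") == RDP_LOGON_TYPE
                    and normalise(e["user"]) == user and e["host"] not in hosts):
                hosts.append(e["host"])
        if hosts:
            findings.append({"user": user, "vpn_ip": vpn["ip"],
                             "vpn_time": vpn["ts"], "rdp_hosts": hosts})
    return findings

if __name__ == "__main__":
    for finding in vpn_then_rdp(EVENTS):
        print(finding)
```

A finding is a lead to review against change tickets and known administrator activity, not proof of compromise. A growing `rdp_hosts` list that includes file servers or domain controllers deserves priority.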

Tools and resources to help detect and protect gaps that could lead to exploitation

Additional resources shared by WaterISAC

Incident Reporting

  • CISA’s 24/7 Operations Center at Report@cisa.gov or (888) 282-0870 or your local FBI field office. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. 
  • Water and Wastewater Systems Sector organizations, contact the EPA Water Infrastructure and Cyber Resilience Division at watercyberta@epa.gov to voluntarily provide situational awareness.
  • Additionally, WaterISAC encourages members to share information by emailing analyst@waterisac.org, calling 866-H2O-ISAC, or using the online incident reporting form.

Other resilience tools and guidance to bolster cybersecurity