The Volt Typhoon intrusion disclosed roughly a week ago, targeting the militarily strategic U.S. territory of Guam, serves as a wake-up call for every cybersecurity leader managing industrial installations and other critical infrastructure on the U.S. mainland.
Chinese state-backed groups have been quietly probing U.S. critical infrastructure for years, and Microsoft traces Volt Typhoon's own activity to at least 2021. Recall, too, the earlier theft of sensitive design data from the U.S. defense contractors Lockheed Martin and Boeing, attributed to a separate Chinese espionage campaign and widely credited with accelerating the People's Liberation Army's FC-31 stealth fighter.
The Guam breach in the Western Pacific by Volt Typhoon was a "living-off-the-land" attack. Unlike traditional intrusions, living-off-the-land attacks are largely fileless: once the attacker has a foothold (Microsoft reported initial access through internet-facing Fortinet devices, with traffic proxied through compromised small-office routers), there is no custom malware to drop on the target. Instead, the attackers drive built-in administrative tools such as wmic, ntdsutil, netsh and PowerShell to do their work, so file-based antivirus has nothing to flag and the activity blends in with routine administration, making the intrusion far harder to detect.
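Because the binaries themselves are legitimate, living-off-the-land detection has to key on context: the command line, the parent process and the account, rather than the file. The following is an added example, not code from the article or from Cynet, that runs a handful of such rules over constructed process-creation events. The command patterns (ntdsutil dumping the AD database, netsh portproxy pivots, remote execution via wmic) are ones Microsoft described in its Volt Typhoon reporting; the encoded-PowerShell rule is a generic heuristic, and the hostnames, users and approved backup path are invented.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (field layout loosely follows Sysmon EID 1 / Windows 4688)."""
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


@dataclass
class Alert:
    rule: str
    host: str
    user: str
    cmdline: str


# Hypothetical allowlist: the path an approved scheduled AD backup job writes IFM media to.
# ntdsutil is a legitimate tool, so the rule must distinguish sanctioned use from a dump.
APPROVED_IFM_PATHS = (r"d:\backups\ifm",)


def ntds_dump(e: ProcEvent) -> bool:
    """ntdsutil creating an IFM snapshot (contains ntds.dit) outside the approved backup path."""
    if e.image.lower() != "ntdsutil.exe":
        return False
    c = e.cmdline.lower()
    if "ifm" not in c and "ac i ntds" not in c:
        return False
    return not any(p in c for p in APPROVED_IFM_PATHS)


def portproxy_pivot(e: ProcEvent) -> bool:
    """netsh adding a port-proxy listener: a built-in way to relay traffic through the host."""
    return e.image.lower() == "netsh.exe" and re.search(r"\bportproxy\b\s+add\b", e.cmdline.lower()) is not None


def wmic_remote_exec(e: ProcEvent) -> bool:
    """wmic used to spawn a process on a remote node."""
    c = e.cmdline.lower()
    return e.image.lower() == "wmic.exe" and "/node:" in c and "process call create" in c


def encoded_powershell(e: ProcEvent) -> bool:
    """Generic heuristic (assumption, not group-specific): base64-encoded PowerShell command lines."""
    c = e.cmdline.lower()
    return e.image.lower() == "powershell.exe" and re.search(r"\s-(e|ec|enc|encodedcommand)\s", c) is not None


RULES = [
    ("ntds_dump", ntds_dump),
    ("portproxy_pivot", portproxy_pivot),
    ("wmic_remote_exec", wmic_remote_exec),
    ("encoded_powershell", encoded_powershell),
]


def scan(events: list[ProcEvent]) -> list[Alert]:
    """Apply every rule to every event, in order; return one Alert per (event, rule) hit."""
    alerts = []
    for e in events:
        for name, predicate in RULES:
            if predicate(e):
                alerts.append(Alert(name, e.host, e.user, e.cmdline))
    return alerts


# Constructed sample telemetry, not real data. Hosts, users and paths are invented.
SAMPLE_EVENTS = [
    ProcEvent("GUAM-DC01", "CORP\\svc_backup", "cmd.exe", "ntdsutil.exe",
              'ntdsutil.exe "ac i ntds" ifm "create full C:\\Windows\\Temp\\pro" q q'),
    ProcEvent("GUAM-FS02", "CORP\\helpdesk1", "cmd.exe", "netsh.exe",
              "netsh interface portproxy add v4tov4 listenport=9999 listenaddress=0.0.0.0 "
              "connectport=8443 connectaddress=10.20.30.40"),
    ProcEvent("GUAM-FS02", "CORP\\helpdesk1", "cmd.exe", "wmic.exe",
              'wmic /node:GUAM-DC01 process call create "cmd.exe /c whoami > C:\\Windows\\Temp\\o.txt"'),
    ProcEvent("GUAM-WS17", "CORP\\jdoe", "explorer.exe", "powershell.exe",
              "powershell.exe -NoProfile -Command Get-ChildItem C:\\Users\\jdoe\\Documents"),
    # Sanctioned backup: same tool, approved target path, so it must NOT alert.
    ProcEvent("GUAM-DC01", "CORP\\admin", "services.exe", "ntdsutil.exe",
              'ntdsutil.exe "ac i ntds" ifm "create full D:\\Backups\\ifm" q q'),
    ProcEvent("GUAM-WS17", "CORP\\jdoe", "cmd.exe", "netsh.exe",
              "netsh advfirewall show allprofiles"),
]


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host} {a.user}: {a.cmdline}")
```

The fifth sample event is the point of the exercise: the same ntdsutil command line that is an attack on one host is a scheduled backup on another, and only the allowlisted path tells them apart. In production these rules would be tuned against the organization's own baseline of who runs these tools, from where, and how often.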
Though Volt Typhoon activity has been observed as far back as mid-2021, it is plausible that the group has been active in the shadows for considerably longer. Even the group's name can cause confusion. Microsoft coined the Volt Typhoon label after spotting the activity; in its naming scheme the "Typhoon" family marks a China-based actor, but the name says nothing else about the group's profile, and other vendors track overlapping activity under their own names. For security teams trying to understand the big picture, the industry's lack of a standardized naming convention can make related breaches appear as isolated incidents by disparate groups rather than the result of ongoing, coordinated, state-sponsored programs.
Keeping the rainbow out of reach
The threats posed by emerging state-sponsored actors, from China and beyond, are often misunderstood. But they are very real risks. The covert installation of "sleeper software" in a system lets a threat actor execute a future attack, a digital echo of Cold War-era fears that "sleeper" saboteurs from the Soviet Union were laying the groundwork for future strikes. Like an assassin with a civilian cover, sleeper software can sit unnoticed in a system for years. Then, when a state decides to strike, it can trigger the sleeper software as part of a synchronized attack on military installations, power grids, communications systems, hospitals, industrial plants, or any other infrastructure of strategic significance.
For security leaders, here is the reality: if a state-sponsored actor wants to breach an organization, there is no way to be 100% certain that the target's security team has blocked, and will continue to block, all of its efforts. State-sponsored groups have the resources, skills and time to methodically dissect the defenses of important targets. They can even bridge air gaps. They will find a way in eventually.
Security teams must recognize this and focus on measures that limit the impact when a breach does occur. Network segmentation, and the ability to isolate the affected parts of an environment, make it far easier to contain an incident. Make it harder for them to reach the end of the rainbow. Even the following best practices, which may seem obvious to some but are absent in many organizations, can prevent or slow down an attacker.
Some of these best practices include: multi-factor authentication; strong password enforcement with a 90-day reset policy (note that current NIST SP 800-63B guidance favors long passphrases, screening against breached-password lists and forced resets on evidence of compromise over routine rotation, since scheduled resets push users toward predictable variants of the same password); application allowlisting so that only approved software can run on company assets; and employee training, such as phishing exercises.
Despite high-profile state-sponsored attacks, most CISOs focus on mitigating the "spray and pray" approaches of financially motivated actors, who are responsible for the vast majority of known breaches. These threat actors, such as ransomware groups, seek quick payouts to maximize profit. State-sponsored actors, by contrast, can bide their time.
The implications of global cyber escalation
We should not view the discovery of Volt Typhoon as proof that state-sponsored cyberespionage exists; we have known that for a while. We should view it as a sign of the potential for escalation in the global cyber conflict. State-backed threat actors are proliferating rapidly, and China is but one adversary among many.
Physical sabotage or conventional espionage generally requires the presence of at least one human operative inside the country where the targets are located. States such as Russia, North Korea and Iran recognize cyberattacks as a cost-effective alternative to conventional espionage or other targeted operations.
If an operative is apprehended during a conventional operation, their national identity and background are often enough for authorities to point the finger accurately at the foreign state responsible, with all the geopolitical ramifications that causes. Cyberattacks, in contrast, are anonymous by design. Even when teams of analysts work around the clock to identify the likely source of an attack, the nation-state retains some level of plausible deniability. In that uncertainty lies the opportunity.
Ronen Ahdut, cyber threat intelligence lead, Cynet