R3

Battening Down the Hatches for the Coming [Volt] Typhoon: Preventing Chinese Cyber Attacks on U.S. Critical Infrastructure

In recent months, cyber intrusions attributed to China have hit critical American infrastructure, raising concern among U.S. officials, national security experts, and cybersecurity practitioners about our ability to detect and prevent such attacks in both the public and private sectors. Most alarming is that these intrusions, part of a campaign known as Volt Typhoon, appear to mark a shift in goals: pre-positioning for future operations that would inhibit the United States' ability to protect itself and, more likely, its ability to protect its allies, specifically in the Indo-Pacific region. As the United States and China grapple with an increasingly antagonistic relationship, the importance of detecting, preventing, and addressing such cyber threats cannot be overstated.

In this blog post, we aim to concisely offer insights into best practices for identifying malicious actors during an ongoing intrusion, implementing preventive measures that position your organization or agency to defend itself ahead of time, and highlighting the importance of a unified strategic relationship between the public and private sectors to stay ahead of evolving threats.

For additional context on the Volt Typhoon attacks, we encourage you to read this coverage from The Washington Post.

Detecting the Threat

Volt Typhoon represents a significant departure from past Chinese cyber activity, which focused on political and economic espionage. The hackers, affiliated with China’s People’s Liberation Army, have targeted about two dozen critical entities, including power and water utilities, communications, and transportation systems. Intercepted intelligence suggests that the Chinese military aims to be positioned to disrupt critical infrastructure in the event of a U.S.-China conflict in the Pacific, a strategic shift from traditional espionage.

Detecting threats like Volt Typhoon requires a multi-faceted approach. The Five Eyes intelligence alliance, comprising the U.S., Britain, Canada, Australia, and New Zealand, has published guidance on hunting for these intruders, noting that they evade detection by using the legitimate administrative tools already present on the systems they compromise rather than deploying custom malware. This technique, known as “living off the land,” leaves little for signature-based tools to match on; spotting it requires a keen understanding of normal network and host activity and the ability to distinguish that from malicious use of the same tools. Collaboration between intelligence agencies and private sector companies, such as Microsoft, plays a crucial role in sharing information about adversary tactics and indicators of compromise.

R3’s best practices and overall recommendations for detecting a cyber-attack in progress at your organization or agency are to:

  • Network Monitoring: Collect and inspect network flows and traffic for unusual patterns, such as new internal-to-internal connections, unexpected protocols on a segment, or traffic to infrastructure an asset has never talked to before, and back this with intrusion detection systems tuned to known indicators.
  • Behavioral Analysis: Establish what normal looks like for each account, host, and application, then alert on deviations: a user running administrative tools they have never used, logons at unusual hours, or file access outside an account's normal pattern. This is the primary way to surface living-off-the-land activity, which signatures alone will miss.
  • System Log Analysis: Centralize and regularly review authentication, process-creation, and configuration-change logs. Investigate unusual login attempts, privilege use, and access patterns rather than waiting for an alert to fire.
  • Threat Intelligence Sharing: Participate in threat intelligence sharing programs to stay informed about emerging threats, and exchange known indicators and adversary tradecraft with industry peers and government agencies.
  • Endpoint Detection and Response (EDR): Deploy EDR to record and respond to suspicious activity on endpoints, including process lineage and full command lines, and use it to block malicious actions where policy allows.
  • Incident Response Planning: Develop and regularly update an incident response plan so that a detection leads to a swift, coordinated response, and run drills and simulations to test it.
  • User Training and Awareness: Train employees to recognize and report phishing and social engineering, and foster a culture in which reporting a suspected compromise is encouraged rather than penalized.
  • Continuous Vulnerability Assessment: Assess the environment regularly for exploitable weaknesses, and patch and update systems promptly to close known vulnerabilities before they are used for initial access.
  • Network Segmentation: Segment the network, isolating critical and operational-technology systems, so that an intruder on one host cannot move laterally without crossing a monitored boundary.
  • Deception Technologies: Deploy honeypots and other decoys that no legitimate user should touch; any interaction with them is a high-fidelity signal, and the activity observed there yields intelligence on the intruder's tools and objectives.
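The living-off-the-land problem described above, and the behavioral analysis and log analysis items in the list, come down to one question: how do you tell a legitimate administrator running netsh from an intruder running netsh? The script below is an added example, not code from the original post or from R3, showing one answer: build a baseline of what each account normally runs and when, then score new process-creation events on abused-built-in command-line patterns, never-before-seen binaries per account, and off-hours activity. The pipe-delimited export format, the host and account names, the log lines, and the specific command-line patterns for abused Windows built-ins are all constructed or assumed for illustration and are not indicators taken from this page; tune the patterns and thresholds to your own estate.

```python
"""
Hunting for living-off-the-land (LOTL) activity in process-creation logs.

Input is an assumed pipe-delimited export of process-creation events
(e.g. Windows Security event 4688 or Sysmon event 1 flattened by a SIEM).
A baseline of what each account normally runs, and when, is built from a
known-good window; new events are then scored on three signals:
  1. built-in admin tools invoked with command lines characteristic of
     proxying, credential dumping or obfuscation (LOTL patterns);
  2. an account executing a binary it has never run before;
  3. activity outside the hours the account was active in the baseline.
All log lines are constructed for this example; the patterns are illustrative.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

FIELDS = ("ts", "host", "user", "parent", "image", "cmdline")

# Assumed patterns for legitimate Windows binaries abused in LOTL tradecraft.
LOTL_PATTERNS = {
    "port-proxy tunnel via netsh": re.compile(r"netsh\b.*\bportproxy\b.*\badd\b", re.I),
    "AD database export via ntdsutil": re.compile(r"ntdsutil\b.*\bntds\b.*\bcreate\b", re.I),
    "remote execution via wmic": re.compile(r"wmic\b.*(/node:|process\s+call\s+create)", re.I),
    "encoded PowerShell": re.compile(r"powershell\b.*\s-(e|ec|enc|encodedcommand)\b", re.I),
    "LSASS dump via comsvcs": re.compile(r"rundll32\b.*comsvcs\.dll.*minidump", re.I),
}


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    user: str
    parent: str
    image: str
    cmdline: str

    @property
    def hour(self) -> int:
        return int(self.ts[11:13])  # ISO-8601 timestamp, e.g. 2024-01-10T02:13:07

    @property
    def binary(self) -> str:
        return self.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


@dataclass
class Baseline:
    binaries: dict[str, set[str]]        # account -> binaries it has run
    hours: dict[str, tuple[int, int]]    # account -> (earliest, latest) hour seen


def parse_event(line: str) -> Event:
    parts = [p.strip() for p in line.split("|", len(FIELDS) - 1)]
    if len(parts) != len(FIELDS):
        raise ValueError(f"malformed event: {line!r}")
    return Event(*parts)


def build_baseline(events) -> Baseline:
    binaries: dict[str, set[str]] = defaultdict(set)
    hours: dict[str, tuple[int, int]] = {}
    for ev in events:
        user = ev.user.lower()
        binaries[user].add(ev.binary)
        lo, hi = hours.get(user, (ev.hour, ev.hour))
        hours[user] = (min(lo, ev.hour), max(hi, ev.hour))
    return Baseline(dict(binaries), hours)


def score_event(ev: Event, base: Baseline) -> tuple[str, list[str]]:
    """Return (severity, reasons); severity is '' when nothing is notable."""
    reasons = [label for label, pat in LOTL_PATTERNS.items() if pat.search(ev.cmdline)]
    severity = "high" if reasons else ""   # a LOTL pattern hit is always high
    user = ev.user.lower()
    if user not in base.binaries:
        reasons.append(f"account {ev.user} not seen in baseline")
    else:
        if ev.binary not in base.binaries[user]:
            reasons.append(f"first execution of {ev.binary} by {ev.user}")
        lo, hi = base.hours[user]
        if not lo - 1 <= ev.hour <= hi + 1:   # allow one hour of slack either side
            reasons.append(f"run at {ev.hour:02d}:00, outside usual {lo:02d}-{hi:02d}")
    if reasons and not severity:
        severity = "low"                      # anomaly only: worth a look, not a page-out
    return severity, reasons


def hunt(baseline_lines, new_lines):
    base = build_baseline(parse_event(line) for line in baseline_lines)
    findings = []
    for line in new_lines:
        ev = parse_event(line)
        severity, reasons = score_event(ev, base)
        if severity:
            findings.append((severity, ev, reasons))
    return findings


# Constructed sample data: a known-good window, then a day to hunt over.
BASELINE_LOG = r"""
2024-01-08T08:02:11|hmi-01|OPS\jdoe|explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe shift-log.txt
2024-01-08T08:15:40|hmi-01|OPS\jdoe|explorer.exe|C:\Program Files\Vendor\HMI\hmi.exe|hmi.exe --profile plant-a
2024-01-08T09:30:05|dc-01|OPS\svc-backup|services.exe|C:\Windows\System32\cmd.exe|cmd.exe /c backup.bat
2024-01-09T07:58:23|hmi-01|OPS\jdoe|explorer.exe|C:\Program Files\Vendor\HMI\hmi.exe|hmi.exe --profile plant-a
""".strip().splitlines()

NEW_LOG = r"""
2024-01-10T02:13:07|hmi-01|OPS\jdoe|cmd.exe|C:\Windows\System32\netsh.exe|netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.20.30.40 connectport=3389
2024-01-10T02:15:51|dc-01|OPS\jdoe|cmd.exe|C:\Windows\System32\ntdsutil.exe|ntdsutil "ac i ntds" "ifm" "create full C:\Windows\Temp\pro" q q
2024-01-10T08:01:12|hmi-01|OPS\jdoe|explorer.exe|C:\Program Files\Vendor\HMI\hmi.exe|hmi.exe --profile plant-a
2024-01-10T08:20:33|hmi-01|OPS\jdoe|cmd.exe|C:\Windows\System32\whoami.exe|whoami /all
2024-01-10T09:30:02|dc-01|OPS\svc-backup|services.exe|C:\Windows\System32\cmd.exe|cmd.exe /c backup.bat
""".strip().splitlines()

if __name__ == "__main__":
    for severity, ev, reasons in hunt(BASELINE_LOG, NEW_LOG):
        print(f"[{severity.upper()}] {ev.ts} {ev.host} {ev.user} {ev.binary}")
        for reason in reasons:
            print(f"    - {reason}")
```

Run stand-alone, the script flags the two night-time events from the operator account (a port-proxy tunnel and a domain database export, each also a first-time binary for that account and outside its usual hours) as high, the daytime `whoami` as a low-severity first-time execution, and leaves the routine HMI and backup jobs alone. The point of the design is that the pattern list catches known tradecraft while the per-account baseline catches the unknown: an intruder who avoids every pattern still has to run something the account never ran before, at some hour, and that is what a SIEM or EDR baseline should be built to notice.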

Preventing Future Attacks

Preventing cyber-attacks on critical infrastructure requires proactive measures and collaboration between the public and private sectors. Two steps stand out: resetting passwords across the estate once a compromise is suspected, since living-off-the-land intrusions depend on valid credentials rather than malware, and closely monitoring high-privilege accounts. Urging companies to adopt more secure forms of multifactor authentication, such as hardware tokens, adds a further layer of defense against credential theft.

The intercepted intelligence supports the U.S. intelligence community's annual threat assessment that China “almost certainly is capable” of disrupting U.S. critical infrastructure. It is therefore imperative to fortify cybersecurity measures and invest in technologies that can identify and neutralize emerging threats promptly.

Best practices for building a security program that puts your organization or agency in the best position to prevent an attack are to:

  • Employee Training and Awareness: Conduct regular cybersecurity awareness training so employees can recognize and avoid phishing, social engineering, and other common initial-access techniques.
  • Access Control and Least Privilege: Grant accounts only the access they need, separate administrative accounts from day-to-day ones, and review permissions regularly so that standing privilege does not accumulate.
  • Multi-Factor Authentication (MFA): Require MFA for all remote and privileged access, preferring phishing-resistant methods such as hardware tokens over one-time codes that can be intercepted or socially engineered.
  • Regular Software Updates and Patching: Keep operating systems, applications, and network devices current with security patches, following a documented patch-management process that prioritizes internet-facing systems.
  • Network Security: Use firewalls to control inbound and outbound traffic by policy, and deploy intrusion detection and prevention systems to identify and block known-bad activity.
  • Endpoint Protection: Run and keep updated anti-malware protection on all endpoints, and add endpoint detection and response (EDR) for real-time visibility and response.
  • Data Encryption: Encrypt sensitive data in transit and at rest using current, well-reviewed protocols and ciphers, and manage the keys as carefully as the data they protect.
  • Regular Security Audits and Assessments: Audit and assess the environment on a schedule to find vulnerabilities and misconfigurations, and remediate findings promptly to shrink the attack surface.
  • Incident Response Plan: Maintain a comprehensive incident response plan that assigns roles and decision authority, and test it regularly through drills and simulations.
  • Network Segmentation: Segment the network to isolate critical systems and limit an attacker's ability to move laterally.
  • Backup and Disaster Recovery: Back up critical data regularly to a secure, offsite location, keeping at least one copy offline so it cannot be altered from the network, and develop and test a disaster recovery plan so operations can resume quickly after an attack.
  • Secure Configuration Practices: Harden hardware, software, and network devices against a documented baseline, and disable unnecessary services, features, and default accounts that could be exploited by attackers.
  • Collaboration with Security Partners: Share information with security partners, government agencies, and industry peers to stay informed about emerging threats.
  • Security Drills: Run simulated cyber-attack exercises to measure and improve incident response capabilities and to reinforce the training above with practice.

Public-Private Partnership

The U.S. government has long recognized the necessity of improving coordination with the private sector, which owns and operates the majority of the nation’s critical infrastructure. Companies like Microsoft actively contribute by sharing anonymized information about cyber threats, tactics, and mitigations. This collaboration enhances the collective ability to detect and respond to emerging threats effectively.

“In an era defined by the intricate web of global supply chains, industries must recognize that the threads of threat intelligence are not isolated strands. Sharing threat intelligence across seemingly unrelated sectors is not merely a choice; it is the imperative response to the interconnected world we find ourselves a part of. Our resilience depends on this shared vigilance, for in unity against threats, we fortify the entirety of the United States infrastructure.”

As the geopolitical landscape evolves, the cyber threat landscape evolves with it. The recent surge in Chinese cyber-attacks on U.S. critical infrastructure underscores the importance of constant vigilance, collaboration, and innovation in the cybersecurity space. By leveraging intelligence sharing, enhancing preventive measures, and fostering public-private partnerships, the United States can better defend its critical infrastructure against emerging cyber threats, ensuring national security and resilience.