Hackers with the Chinese state-sponsored threat group Volt Typhoon continue to hide away in computers and networks of U.S. critical infrastructure entities, “pre-positioning” themselves to disrupt operations if conflicts between the United States and China arise, according to the top U.S. cybersecurity agency.

In a stark warning this week, the Cybersecurity and Infrastructure Security Agency (CISA), FBI, and National Security Agency said that Volt Typhoon has compromised the IT environments of multiple critical infrastructure organizations in such sectors as communications, energy, transportation, and water and wastewater systems in the United States and some of its territories, including Guam.

The advanced persistent threat (APT) group has hidden in some systems for as long as five years, essentially using the IT systems as the into organizations’ operational technologies (OT).

“Volt Typhoon’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions,” CISA wrote in the report, which also included U.S. Transportation Security Administration, Environmental Protection Agency, and Energy Department, as well as government agencies from Canada, the UK, Australia, and New Zealand.

A Patient Threat Group

The hackers behind Volt Typhoon do a lot of reconnaissance before launching their attacks, learning as much as possible about the organizations they’re targeting and their IT environment and then adapting their tactics accordingly, according to CISA.

From there, they work to keep a presence in the systems and continue to collect information about target, even after the initial compromise.

“The use of living off the land (LOTL) techniques is a hallmark of Volt Typhoon actors’ malicious cyber activity when targeting critical infrastructure,” the agency wrote. “The group also relies on valid accounts and leverage strong operational security, which combined, allows for long-term undiscovered persistence.”

The agencies are urging IT and OT administrators at critical infrastructure organizations to hunt through their systems for indications of Volt Typhoon’s presence and to root it out if found. They laid out mitigation guidelines that could be followed, both in the advisory and in previous releases about LOTL techniques.

U.S. Targets Volt Typhoon

The warning about Volt Typhoon – which also is known as Vanguard Panda, Bronze Silhouette, Dev-0391, UNC3236, Voltzite, and Insidious Taurus – comes fewer than two weeks after the U.S. Justice Department (DOJ) said it had taken down a botnet comprising hundreds of Cisco and Netgear routers for home and small offices that was being used by the threat group.

The DOJ said Volt Typhoon had been using the KV Botnet to conceal it’s the China origins of its malicious activities against the United States. CISA had issued an advisory in May 2023 about Volt Typhoon targeting such networking gear as part of its LOTL efforts.

At the time that the DOJ announced the takedown of the KV Botnet, Toby Lewis, global head of threat analysis at cybersecurity vendor Darktrace, said the operation likely disrupted Volt Typhoon’s infrastructure, but noted that the hackers were still free.

“Targeting infrastructure and dismantling attacker capabilities usually leads to a period of quiet from the actors where they rebuild and retool, which we’re probably going to see now,” Lewis said. “The government’s ambitious approach to mimic attacker’s own command network is a win in the short-term, but there is no way to guarantee that this has a lasting impact on the threat landscape.”

That said, researchers with Lumen Technologies’ Black Lotus Labs group wrote this week that the KV Botnet is still out of action, though they warned that there still is a large number of out-of-date and end-of-life edge devices on the internet that no longer get patches but are still in service.

“Attackers will continue to target medium to high-bandwidth devices as a springboard in the geographic areas of their targets, given that users will be unlikely to notice an impact, or to have the necessary monitoring forensic tools to detect an infection,” they wrote.

 Agencies Warn of China’s Cyberthreats

CISA’s advisory also comes as U.S. government officials continue to warn about the ongoing cyberthreat from the Chinese government. Speaking during a Congressional hearing last week, FBI Director Christoper Wray said the “dangerous actions” of the Chinese Communist Party’s “multi-pronged assault on our national and economic security make it the defining threat of our generation.”

Wray, whose given lawmaker similar warnings at other hearings, said that not enough public attention has been paid to the effort by Chinese hackers to target U.S. critical infrastructure and the risks those efforts post to American citizens.

“China’s hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities,” he said. “If or when China decides the time has come to strike, they’re not focused solely on political or military targets. We can see from where they position themselves, across civilian infrastructure, that low blows aren’t just a possibility in the event of a conflict. Low blows against civilians are part of China’s plan.”

In its 2023 annual threat report, the U.S. Office of the Director of National Intelligence called China “the broadest, most active, and persistent cyber espionage threat to the U.S. Government and private-sector networks,” stressing the adversarial country’s capabilities to launch cyberattacks against critical infrastructure.

The office added that China likely has the capabilities to launch cyberattacks against critical infrastructure like oil and gas pipelines and rail systems in the United States.

Volt Typhoon isn’t the only China-sponsored group looking to work their way into networking gear to move into organizations’ environments. Government agencies in both the United States and Japan last year said the BlackTech group was manipulating gear from Cisco and possibly other vendors to maintain a presence in the networks of U.S. and East Asian multinational companies.