Top cybersecurity agencies in the United States and other countries are again warning critical infrastructure companies about the “urgent risk” posed by Chinese state-sponsored threat group Volt Typhoon and are recommending steps to harden their protections.

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and the FBI in an advisory reminded private sector firms about Volt Typhoon’s successful attacks in the United States against organizations in such sectors as communications, energy, transportation, and water and wastewater.

They also noted an earlier advisory they put out in February detailing how the group has already compromised the network systems of critical infrastructure companies to preposition themselves for disrupting or destroying operations in the case of heightened geopolitical tensions or a war between the United States and China. Some of the compromises happened at least five years ago.

The other members of the Five Eyes intelligence alliance – Canada, Australia, New Zealand, and the UK – also signed onto the advisory, adding to the worries about Volt Typhoon.

“This is a critical business risk for every organization in the United States and allied countries,” they said in the advisory. “The authoring agencies urge leaders to recognize cyber risk as a core business risk. This recognition is both necessary for good governance and fundamental to national security.”

Sorting Through the Damage

The warning comes a few days after Rob Joyce, the outgoing director of the NSA’s Cybersecurity Directorate, reportedly told reporters at a roundtable discussion late last week that government investigators are still sorting out the extent of the widespread cyberespionage campaign by Volt Typhoon against U.S. critical infrastructure firms.

They are still working to “uncover or eradicate” the threats from Volt Typhoon, Joyce said, adding that they also are “still finding victims and making sure to clear out intrusions.”

Government agencies first publicized Volt Typhoon’s operations about 10 months ago and has since kept a steady drumbeat about the threat in both Congress and among the public. Security agencies earlier this year said a multi-month operation led to the takedown of a botnet the group was using to launch its attacks.

Volt Typhoon was using the KV Botnet that comprised hundreds of infected Cisco and NetGear home and small office routers used to conceal its identity while it ran its campaign. The advanced persistent threat (APT) group – also known as Vanguard Panda, Bronze Silhouette, Dev-0391, UNC3236, Voltzite, and Insidious Taurus – was able to hide the traffic from its operations among the regular traffic running through the routers.

Spies in the Networks

The most startling of the warnings came in early February, when the Five Eyes group revealed the group’s plans to essentially lay in wait within corporate networks and be ready to attack should a reason arise.

“Volt Typhoon’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions,” CISA wrote in the report.

Steps to Take

The agencies outlined steps critical infrastructure organizations should take to protect themselves against Volt Typhoon intrusion, including giving cybersecurity teams more authority to make resourcing decisions to improve the detection of Volt Typhoon and other threats and to better defend against them. That includes using the Cybersecurity Performance Goals (CPGs) or recommendations from industry-specific government security agencies.

Organizations also need to use detection and hardening practices outlined by the government to mitigate living-off-the-land (LOTL) techniques – like mixing network traffic to hide their campaign – to understand the threat from state-sponsored threats from China.

“Volt Typhoon does not rely on malware to maintain access to networks and conduct their activity,” CISA wrote. “Rather, they use built-in functions of a system. This technique, known as “living off the land,” enables them to easily evade detection.”

Organizations also need to ensure continuous cybersecurity training, develop comprehensive security plans, and run tabletop and other cybersecurity exercises. Other recommendations include shoring up the security of their supply chain and keep security front-of-mind, ensuring that business plans align with cybersecurity goals.