Western security agencies jointly warn of Chinese Volt Typhoon group

Key US security agencies have joined forces with their Five Eyes intelligence partners to publish a high-level whitepaper to warn businesses of the urgent risk posed by Volt Typhoon, a Chinese state-sponsored hacking group.

The warning has been sent to help critical infrastructure leaders protect their systems or, even better, detect incoming Volt Typhoon attacks in order to defend against them more effectively.

Last year, Volt Typhoon, also known as Insidious Taurus, Bronze Silhouette, Vanguard Panda, or Dev-0391, was identified by US government agencies and international partners as a People’s Republic of China (PRC) state-sponsored threat actor.

The Chinese hacking operation successfully compromised thousands of internet-connected devices and is believed to be part of a larger effort to compromise Western critical infrastructure, including naval ports, internet service providers, and utilities.

In late January, security researchers from Unit 42, a security arm of Palo Alto Networks, categorized Volt Typhoon as a top-tier cybergang, and FBI director Christopher Wray described the group as “the defining threat of our generation.”

Now, the US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency, the FBI, and other agencies worldwide have warned critical infrastructure leaders to protect their systems.

The cybersecurity and intelligence agencies all belong to the Five Eyes alliance, an Anglosphere grouping consisting of the US, the United Kingdom, Australia, Canada, and New Zealand.

The fact sheet, released on Tuesday, also “provides guidance on specific actions to prioritize the protection of their organization from this threat activity.”

The agencies earlier warned cybersecurity defenders that Volt Typhoon “has been pre-positioning themselves on US critical infrastructure organizations’ networks to enable disruption or destruction of critical services in the event of increased geopolitical tensions and/or military conflict with the United States and its allies.”

Critical infrastructure leaders are urged to “make informed and proactive resourcing decisions” so that their cybersecurity teams have what they need to detect this threat activity effectively.

“Volt Typhoon does not rely on malware to maintain access to networks and conduct their activity. Rather, they use built-in functions of a system. This technique, known as ‘living off the land,’ enables them to easily evade detection,” warns the whitepaper.

“To protect against living off the land, organizations need a comprehensive and multifaceted approach.”

Organizations are also advised to secure their supply chains, to limit the damage that a compromise could cause.

Finally, organizations should, in general, “drive a cybersecurity culture” and encourage collaboration between different units to “align security measures with business objectives and risk management strategies.”

In a separate letter (PDF) to US state governors by Michael Regan, the Environmental Protection Agency administrator, and National Security Advisor Jake Sullivan, threats from Volt Typhoon are also mentioned.

The letter says that the Volt Typhoon group has compromised the information technology of multiple critical infrastructure systems, including drinking water, in the United States and its territories.

When Western nations first warned about Volt Typhoon in May 2023, Chinese foreign ministry spokesperson Mao Ning said the hacking allegations were a “collective disinformation campaign” from the Five Eyes countries.