SOLUTIONS BRIEF

Know Your Enemy:
Volt Typhoon

CISA Issues New Advisory on Volt Typhoon

In February 2024, CISA issued a second advisory on the PRC-state-backed Volt Typhoon (the first was in May 2023). At H2OSeccon, BlastWave led a panel discussion with our partner Gray Matter Systems, discussing cyberattacks, with a particular focus on the threats to water systems posed by Volt Typhoon. This issue is so pressing that our customers often ask, ‘Are they a significant risk to our water system?’

The advisory made one thing very clear: Volt Typhoon has been pre-positioning their stolen access and living off the land (LOTL) on IT networks with the goal of lateral movement to OT assets to disrupt functions. Many of the public hacks that have occurred are believed to be test runs for future coordinated actions. The US agencies are deeply concerned about the potential for Volt Typhoon to become active on the networks they are hiding on to support other geopolitical activities worldwide, a threat that could have severe implications for water system operators and organizations vulnerable to cyber threats.

Tactics, Techniques, and Procedures of Volt Typhoon

Volt Typhoon is known for conducting extensive reconnaissance on the organization and compromising valid accounts by stealing credentials (phishing is a common technique). Once they gain initial access, they conduct in-depth reconnaissance on the target. Through that reconnaissance, they identify the known vulnerabilities on the network (in network elements, OT devices, etc.). They can then tailor their tactics, techniques, and procedures (TTPs) to stay hidden (LOTL) and become active when they strike through lateral movement. The diagram below (Credit CISA) shows typical Volt Typhoon activity.

Volt Typhoon’s common TTP

Reconnaissance: They can’t perform reconnaissance if they can’t see your network. You can effectively deter Volt Typhoon’s reconnaissance attempts by implementing robust security techniques like Network Cloaking. Volt Typhoon looks for information on the organization and its staff (to target phishing or to identify key accounts to attempt to compromise) and on its network (to look for known vulnerabilities).

Initial Access: Volt Typhoon is known to exploit publicly available vulnerabilities in network appliances from Fortinet, Ivanti, Netgear, Citrix, and Cisco. Besides the obvious (Don’t use these systems for OT Security!), network cloaking and patching these systems are key to preventing these exploits. Protecting your OT network with a different system than your IT network is also advisable in these scenarios, as using the same security system throughout your network creates a fast lane for vulnerability exploitation.

Credential Access: Volt Typhoon is known to obtain credentials from compromised appliances, either by stealing credentials insecurely stored on the appliance or by extracting the Active Directory database file and cracking the password hashes it contains offline. Again, the obvious solution is not to use passwords, so there are no credentials to steal.
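The credential-access TTP above (copying the Active Directory database file for offline cracking) leaves traces in Windows process-creation telemetry that a defender can alert on. The following Python script is an added example, not part of the BlastWave brief or of the CISA advisory: it runs a small rule set over constructed process-creation log lines (the `timestamp|host|user|parent|command_line` format and every value in it are assumptions made for this example) and then correlates hits per host and account inside a ten-minute window, so that a single shadow-copy command raises only a low-confidence finding while a sequence that also touches the database file (`ntds.dit`) raises an alert.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events in a simplified
# "timestamp|host|user|parent_process|command_line" format. The format,
# hosts, accounts and command lines are assumptions for this example.
SAMPLE_EVENTS = [
    r"2024-02-08T03:12:44Z|dc01|CORP\svc_backup|services.exe|C:\Windows\System32\wbengine.exe",
    r"2024-02-08T03:15:02Z|dc01|CORP\jdoe|cmd.exe|ntdsutil.exe ifm create full C:\temp\out",
    r"2024-02-08T03:16:10Z|dc01|CORP\jdoe|cmd.exe|vssadmin create shadow /for=C:",
    r"2024-02-08T03:17:30Z|dc01|CORP\jdoe|cmd.exe|copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\temp\n.dit",
    r"2024-02-08T09:00:00Z|ws17|CORP\asmith|explorer.exe|notepad.exe C:\Users\asmith\notes.txt",
    r"2024-02-09T01:05:00Z|ws22|CORP\bwong|cmd.exe|vssadmin list shadows",
]

# Indicators of the AD-database extraction technique: a direct reference to the
# database file, use of the built-in ntdsutil "install from media" export, and
# creation or use of a volume shadow copy (the usual way to read a locked file).
# This is an illustrative rule set, not an exhaustive one.
RULES = [
    ("ntds_dit_reference", re.compile(r"ntds\.dit", re.IGNORECASE)),
    ("ntdsutil_ifm", re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b", re.IGNORECASE)),
    ("shadow_copy_create", re.compile(r"\bvssadmin(\.exe)?\b.*\bcreate\b.*\bshadow\b", re.IGNORECASE)),
    ("shadow_copy_path", re.compile(r"HarddiskVolumeShadowCopy\d+", re.IGNORECASE)),
]

WINDOW = timedelta(minutes=10)  # correlation window per (host, user) actor


def parse_event(line):
    """Split one constructed log line into its fields."""
    ts, host, user, parent, cmd = line.split("|", 4)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "host": host, "user": user, "parent": parent, "cmd": cmd,
    }


def match_rules(event):
    """Return the names of all rules whose regex matches the command line."""
    return [name for name, rx in RULES if rx.search(event["cmd"])]


def correlate(by_actor):
    """Raise an alert for an actor whose hits within WINDOW cover >= 2 distinct rules."""
    alerts = []
    for (host, user), hits in by_actor.items():
        hits.sort(key=lambda h: h[0])
        best, first_seen = set(), None
        for i, (t0, _) in enumerate(hits):
            window_rules = set()
            for t, rules in hits[i:]:
                if t - t0 <= WINDOW:
                    window_rules |= rules
            if len(window_rules) > len(best):
                best, first_seen = window_rules, t0
        if len(best) >= 2:
            alerts.append({"host": host, "user": user,
                           "first_seen": first_seen.isoformat(), "rules": sorted(best)})
    return alerts


def detect(lines):
    """Return (per-event findings, correlated alerts) for an iterable of log lines."""
    findings = []
    by_actor = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        hits = match_rules(ev)
        if hits:
            findings.append({"ts": ev["ts"].isoformat(), "host": ev["host"],
                             "user": ev["user"], "rules": hits, "cmd": ev["cmd"]})
            by_actor[(ev["host"], ev["user"])].append((ev["ts"], set(hits)))
    return findings, correlate(by_actor)


if __name__ == "__main__":
    found, raised = detect(SAMPLE_EVENTS)
    for f in found:
        print("finding:", f["ts"], f["host"], f["user"], f["rules"])
    for a in raised:
        print("ALERT:", a)
```

On the constructed sample, the backup engine on dc01 and the workstation events produce nothing, `vssadmin list shadows` on ws22 is ignored because the rule requires a shadow-copy creation, and the three commands run by `CORP\jdoe` on the domain controller within three minutes are correlated into one alert covering all four rules. In a real deployment the same logic would read Sysmon event ID 1 or Security event 4688 command lines, and the per-actor correlation is what keeps routine single-command administration from paging anyone.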

Figure 1: Typical Volt Typhoon Activity

About BlastWave

BlastWave securely connects Industrial Control Systems, Operational Technology, and Critical Infrastructure networks with Zero Trust Protection and delivers industrial-grade cybersecurity with consumer-grade ease-of-use.


Discover how BlastShield™ delivers simple, effective, and cost-efficient Zero Trust protection for OT networks and critical infrastructure.
