The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and other agencies in the U.S. and worldwide have issued a warning to critical infrastructure leaders to protect their systems against the Chinese hacking group known as Volt Typhoon. This alert comes after revelations that Chinese hackers breached multiple U.S. critical infrastructure organizations, maintaining access to at least one of them for over five years before detection.
In a collaborative effort, the NSA, FBI, other U.S. government agencies, and Five Eyes cybersecurity agencies from Australia, Canada, the United Kingdom, and New Zealand have provided defense tips to detect and defend against Volt Typhoon attacks. The cyber espionage group's targets and tactics suggest their objective is to gain access to Operational Technology (OT) assets within networks, potentially exploiting this access to disrupt critical infrastructure during military conflicts or geopolitical tensions.
U.S. authorities, including CISA and partner agencies like the Department of Energy, the Environmental Protection Agency, the Transportation Security Administration, and the Department of Treasury, advise critical infrastructure leaders to empower their cybersecurity teams to make informed resourcing decisions, secure their supply chain, and ensure that performance management outcomes align with their organization's cyber goals.
The joint guidance emphasizes the importance of robust logging for applications and systems, storing logs in a central system, and ensuring that IT teams maintain relevant logs to effectively detect compromise. Volt Typhoon, also known as Bronze Silhouette, has been targeting U.S. critical infrastructure organizations since at least mid-2021, using a botnet of small office/home offices (SOHO) across the U.S., dubbed KV-botnet, to hide their malicious activity and evade detection.
The FBI disrupted the group's KV-botnet in December, but the hackers failed to rebuild it after Lumen's Black Lotus Labs sinkholed the remaining command and control (C2) and payload servers. Following the dismantling of the KV-botnet, CISA and the FBI urged SOHO router manufacturers to secure their devices against Volt Typhoon attacks by using secure configuration defaults and eliminating web management interface flaws during development.