Last week the FBI Director, CISA Director, NSA Director, and National Cyber Director testified publicly about current and ongoing threats to US critical infrastructure providers by Chinese state-sponsored entities known as Volt Typhoon. They detailed how those entities “are seeking to pre-position themselves on [information technology] networks for disruptive or destructive cyberattacks against US critical infrastructure in the event of a major crisis or conflict with the United States.”
Today three of those agencies, the FBI, CISA, and NSA, in partnership with the US Department of Energy, Environmental Protection Agency, Transportation Security Agency, the Canadian Centre for Cyber Security (CCCS), the United Kingdom National Cyber Security Centre (NCSC-UK), the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), and the New Zealand National Cyber Security Centre (NCSC-NZ), released a cybersecurity advisory with technical details and mitigations to help critical infrastructure owners and operators respond to that threat. The advisory reads, in part:
The US authoring agencies have confirmed that Volt Typhoon has compromised the IT environments of multiple critical infrastructure organizations—primarily in Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors—in the continental and non-continental United States and its territories, including Guam. Volt Typhoon’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the US authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to [operational technology] assets to disrupt functions. The US authoring agencies are concerned about the potential for these actors to use their network access for disruptive effects in the event of potential geopolitical tensions and/or military conflicts. CCCS assesses that the direct threat to Canada’s critical infrastructure from PRC state-sponsored actors is likely lower than that to US infrastructure, but should US infrastructure be disrupted, Canada would likely be affected as well, due to cross-border integration. ASD’s ACSC and NCSC-NZ assess Australian and New Zealand critical infrastructure, respectively, could be vulnerable to similar activity from PRC state-sponsored actors.
The full advisory is available on CISA’s website. While intended primarily for distribution to Chief Information Security Officers (CISOs) and IT staff, it nonetheless provides information that enterprise leaders and counsel in critical infrastructure sectors may find valuable when reviewing policies and decisions relating to cyber risk mitigation. The advisory also provides an opportunity to engage with CISOs on their ability to prevent, detect, and mitigate threats, as well as to review corporate governance and planning for cybersecurity incidents.