Calm before a brewing storm: Managing cyber risk in the era of Volt Typhoon
Published on 21 March 2024 by Katherine Mansted (Executive Director of Cyber Intelligence), Brett Delongville (Industry Lead for Utilities and Resources) and Grant Walsh (Strategy and Consulting Director).
Yesterday, the Australian and New Zealand Governments joined international partners to warn about the “critical business risk” posed by Chinese nation-state actors prepositioning in critical infrastructure. This is a significant shift in cyber threat from just one year ago. At the same time as our threat landscape is deteriorating – and in large part because of this development – critical infrastructure regulation is tightening. In this blog post, we argue that governments and critical infrastructure providers must reassess their level of cyber risk given the threat posed by Volt Typhoon and other, similarly motivated and capable nation-state cyber threat groups.
This is the second warning this year in as many months, after a joint Five Eyes advisory released in February. In May last year, Australia and New Zealand joined their Five Eyes counterparts in publicly attributing to China malicious activity associated with pre-positioning for sabotage of critical infrastructure. The attribution, to a Chinese nation-state group tracked as “Volt Typhoon”, represented a step-change in the cyber threat confronting governments and critical infrastructure providers. All previous attributions of malicious Chinese government cyber activity focussed on espionage and the theft of intellectual property. Since the Volt Typhoon attribution, governments and cyber industry leaders around the world have been increasingly forward-leaning in their warnings about the prepositioning threat. Whether it ultimately follows through, China is almost certainly preparing to use cyber means to conduct disruptive or destructive attacks against critical infrastructure in the United States, Australia, Canada, the United Kingdom and New Zealand.
This changed threat picture means critical infrastructure providers and governments need to reassess their level of cyber risk. Knowing that a highly motivated, highly capable adversary is targeting critical systems in order to halt operations and cause harm creates a need to act. For entities regulated under the Security of Critical Infrastructure (SOCI) Act, this means managing a material risk.
The first step is assessing the risk – how does Volt Typhoon change the likelihood of an outage of an essential system? The next step is determining the measures that can be put in place to minimise this changed risk profile. The last step is deciding which of these measures accommodate the changed threat environment in a reasonable and proportionate way. Examples of measures open to organisations include strengthening exercises, hunting for threat actors, redoubling vulnerability management or otherwise uplifting systems already in place.
Whichever way organisations elect to respond, doing nothing is not a good choice. Boards, Ministers, regulators and the public have a growing expectation that organisations are managing their cyber risk effectively. At the very least, this means having an awareness of the level of cyber risk they are carrying and incorporating changes to the threat environment into their security posture.
What is Volt Typhoon and who is a target?
Instead of rapidly gaining system access, exfiltrating data and/or deploying ransomware against an organisation, Volt Typhoon conducts extensive and protracted reconnaissance on its targets before gaining access. Once this is achieved, Volt Typhoon actors maintain a very low profile by ‘living off the land’ and exhibiting minimal activity to avoid detection.
The implication is that Volt Typhoon will know their targets’ infrastructure and be able to leverage vulnerabilities swiftly. This underscores the need for organisations to know their assets and vulnerabilities, and to have an ability to rapidly respond to new threats.
In the US, critical telecommunications, energy, water and transport systems have been targeted (including the offshore territory of Guam, in the Indo-Pacific). US intelligence agencies have indicated that Volt Typhoon may have had access to some critical infrastructure for at least five years. Critical infrastructure in Australia, New Zealand, the UK and Canada is also a highly likely target. As recently as last month, Five Eyes partner agencies warned of destructive attacks against critical infrastructure, amidst tensions between the US and China.
Organisations with adjacencies to critical infrastructure (the ‘supply chain’) should also consider their threat profile. Federal, state and local government organisations are also prime targets because they operate essential services, the disruption of which would have a significant negative impact on economic and social well-being.
How can organisations respond?
In response, CyberCX has developed a rapid threat assessment process for critical infrastructure, the RAPTOR service. Our process leverages CyberCX’s unique Indo-Pacific intelligence holdings, our deep advisory experience across critical infrastructure, and our experience combating sophisticated threat actors in Australian and New Zealand government and critical infrastructure networks.
An overview of the RAPTOR service offering can be requested from CyberCX.
Other actions organisations can take include:
- Review your threat profile – how likely are you to be targeted?
- Step up threat detection – Volt Typhoon employs stealth tactics to evade detection. The best way to detect this type of activity is a compromise assessment or ‘threat hunt’.
- Uplift key cyber defences – enhance vulnerability management of all internet facing systems, and prioritise patching of critical vulnerabilities known to be exploited by Volt Typhoon.