Defending Against Volt Typhoon: China’s State-Sponsored Cyberattack Group

February 23rd, 2024 | Cyber Threats

Threat actors are employing increasingly sophisticated tactics to damage and disrupt US businesses and critical infrastructure. One of the most significant is the Chinese state-sponsored group tracked as “Volt Typhoon”.  

First publicly reported in 2023, Volt Typhoon has established itself as a capable and persistent threat actor. CISA (the cybersecurity agency within DHS) has issued security advisories, jointly with the FBI and NSA, warning organizations about the threat Volt Typhoon represents, and all three agencies have made public statements about the group.  

It’s crucial that businesses take this threat seriously and work to become resilient. A resilient business has implemented multiple layers of security, reducing both the likelihood and the potential impact of an attack. Sophisticated threat actors like Volt Typhoon call for capable detection tooling and a real security team to investigate and respond to what that tooling surfaces. 

How Volt Typhoon Operates

Most cyber threat groups rely heavily on social engineering attacks. Volt Typhoon adopts a more subtle approach, relying on what are known as “living-off-the-land” (LOTL) techniques: using tools that are already present in the target environment (the Windows command line, PowerShell, WMI, netsh, ntdsutil) and ordinary administrative activity, so that its actions blend into everyday IT operations. Because little or no malware is dropped, signature-based antivirus has almost nothing to catch; detection depends on noticing who ran which built-in tool, on which system, and in what sequence.  

Initial Access and Operations 

Volt Typhoon primarily gains initial access by exploiting vulnerabilities in internet-facing services and network edge devices, such as VPN gateways, firewalls and routers, rather than by phishing users.

Persistence and Minimal Activity 

Once inside a compromised environment, Volt Typhoon operatives lay low, doing the minimum needed to establish and maintain a foothold, typically with valid accounts and stolen credentials rather than with implanted malware. This low-and-slow approach lets them evade detection for extended periods, which is why organizations need detection tooling that watches behaviour, not just known-bad files. 

Strike

Volt Typhoon’s attacks differ from those of most criminal groups. Rather than conducting flashy ransomware attacks, they patiently exfiltrate trade secrets and valuable data from businesses and work deeper into critical infrastructure networks, which US agencies assess is pre-positioning for potential disruptive attacks.

Risk to SaaS Applications 

It’s important to note that Volt Typhoon’s approach also puts the authentication to your SaaS tools at risk. The group focuses on harvesting credentials, for example by copying the Active Directory database (NTDS.dit) or dumping LSASS memory, so an on-premises identity that is federated to, or reused for, cloud applications compromises those applications too. Therefore, it’s crucial to understand where your critical information is stored, to enforce MFA on every SaaS account, and to be aware of the Data Processing Agreements (DPAs), security posture, and recovery options offered by your business-critical SaaS providers. It’s wise to ask your vendors about certifications such as SOC 2 Type 2 to understand how they protect your data. 

Defense Strategies for Volt Typhoon

For years, we have collaborated with CISA (Cybersecurity and Infrastructure Security Agency) to educate businesses on threats like Volt Typhoon and how to protect against them. Here’s our recommendation: 

  1. Managed Detection and Response (MDR). MDR puts endpoint telemetry (process starts, command lines, logons) in front of analysts, which is what makes LOTL techniques visible: antivirus alone does not flag a legitimate Windows binary being used as an attacker’s tool. 
  2. Security Information and Event Management (SIEM). SIEM enables organizations to monitor and investigate activity across their IT. It provides three key things: centralization of security events (logs), correlation of events from multiple different IT systems, and long-term data retention.  
    1. Centralization is necessary for your security team to monitor the environment effectively. Without SIEM, security data is spread across too many places for a team to reasonably watch, and threats take significantly longer to detect. 
    2. Because SIEM collects information from many IT assets, it can detect broader threat patterns. It can recognize LOTL activity because it can piece together individually harmless events (a built-in tool run on one server, a logon on another, a new port-forwarding rule on a third) into a single threat pattern. 
    3. Data retention sounds boring, but it is incredibly important. Some intrusions last months, and your security team will need logs from the moment the attacker first gained access in order to establish the scope of the attack. If you can’t find the point of compromise, you must treat everything as compromised because you can’t prove that it isn’t, and recovery becomes a rip-and-replace of everything in question. Volt Typhoon has been observed maintaining access to some victim networks for years, so retention should be measured in years, not weeks. 
  3. Security Operations Center (SOC) monitoring. A SOC that monitors SIEM and MDR alerts and investigates suspicious indicators is essential for detecting and responding to sophisticated threat actors. If you do not have a 24/7 team continuously watching your detection tools, you will be slow to detect threats and react to them, and you will only find out about a compromise once the threat actor has disrupted your business. 
  4. Regular vulnerability scanning. Volt Typhoon gains initial access through exposed external services, and once inside a network it can exploit internal weaknesses to escalate privileges. By conducting regular scans of external and internal systems, organizations can identify and remediate weaknesses before Volt Typhoon or other threat actors exploit them. Patch internet-facing devices first, and retire end-of-life edge equipment that no longer receives security updates. 

Defending against the threats posed by groups like Volt Typhoon requires a proactive and multi-layered approach to security. By implementing robust defensive measures and leveraging technologies such as MDR and SIEM, organizations can enhance their resilience and reduce the risk of falling victim to sophisticated attacks.  
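The correlation idea behind the SIEM recommendation, as an added worked example that is not code from the original article or from CISA: constructed process-creation events (the fields a Sysmon Event ID 1 or Security 4688 record would give you, reduced to timestamp, host, user and command line), a short rule list drawn from the built-in tools the joint CISA/NSA/FBI advisories describe Volt Typhoon using (ntdsutil IFM dumps, netsh portproxy, wmic and netsh reconnaissance, reg save of hives, ldifde exports, PowerShell event-log queries), and a per-host-and-user sliding window that sums rule weights so that individually mundane commands only alert when they cluster. The hostnames, account names, rule names, weights, one-hour window and threshold are all assumptions for illustration.

```python
"""Correlate individually mundane built-in tool usage into one alert.

Added illustration, not code from the original article or from CISA.
The events are constructed; the command patterns mirror tools the joint
CISA/NSA/FBI Volt Typhoon advisories describe (ntdsutil IFM, netsh
portproxy, wmic/netsh reconnaissance, reg save, ldifde, PowerShell
event-log queries). Rule names, weights, window and threshold are assumed.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (rule name, weight, pattern applied to the lower-cased command line)
RULES = [
    ("ntdsutil_ifm_dump", 5, r"ntdsutil(\.exe)?\s.*\bifm\b"),
    ("netsh_portproxy", 4, r"netsh\s+interface\s+portproxy\s+add\b"),
    ("reg_save_hive", 4, r"\breg(\.exe)?\s+save\s+hklm\\(sam|security|system)\b"),
    ("ldifde_export", 3, r"ldifde(\.exe)?(\s.*)?\s-f\s"),
    ("powershell_eventlog", 2, r"powershell(\.exe)?\s.*get-eventlog\s+security\b"),
    ("netsh_recon", 1, r"netsh\s+interface\s+(firewall|portproxy)\s+show\b"),
    ("wmic_recon", 1, r"wmic(\.exe)?\s.*(logicaldisk|process\b|useraccount|ntdomain)"),
]
COMPILED = [(name, w, re.compile(rx)) for name, w, rx in RULES]

# Constructed JSON-lines telemetry: one domain controller with a LOTL chain,
# plus two isolated admin commands on workstations that should stay quiet.
SAMPLE_EVENTS = r'''
{"ts": "2024-02-10T01:02:03Z", "host": "DC01", "user": "CORP\\svc_backup", "cmdline": "cmd.exe /C \"wmic path win32_logicaldisk get caption,filesystem,freespace,size,volumename\""}
{"ts": "2024-02-10T01:03:10Z", "host": "DC01", "user": "CORP\\svc_backup", "cmdline": "cmd.exe /C \"netsh interface firewall show all\""}
{"ts": "2024-02-10T01:05:41Z", "host": "DC01", "user": "CORP\\svc_backup", "cmdline": "ntdsutil.exe \"ac i ntds\" ifm \"create full C:\\Windows\\Temp\\pro\" q q"}
{"ts": "2024-02-10T01:09:15Z", "host": "DC01", "user": "CORP\\svc_backup", "cmdline": "netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=9999 connectaddress=10.10.5.20 connectport=8443"}
{"ts": "2024-02-10T09:30:00Z", "host": "WS042", "user": "CORP\\jdoe", "cmdline": "wmic process list brief"}
{"ts": "2024-02-10T14:12:00Z", "host": "WS017", "user": "CORP\\helpdesk", "cmdline": "netsh interface portproxy show all"}
'''


def parse_events(text):
    """Parse JSON-lines process-creation events, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def tag_event(cmdline):
    """Return [(rule, weight), ...] for every rule the command line matches."""
    low = cmdline.lower()
    return [(name, w) for name, w, rx in COMPILED if rx.search(low)]


def correlate(events, window=timedelta(hours=1), threshold=5):
    """One alert per (host, user) burst whose summed weights reach threshold.

    A single low-weight hit (an admin running wmic) never alerts; a chain of
    them, or one high-fidelity hit such as an IFM dump, does. Once an alert
    opens, further hits inside the same window are folded into it.
    """
    streams = defaultdict(list)
    for ev in events:
        tags = tag_event(ev["cmdline"])
        if tags:
            streams[(ev["host"], ev["user"])].append((ev["ts"], tags, ev["cmdline"]))

    alerts = []
    for (host, user), hits in streams.items():
        start, open_alert = 0, None
        for end, (ts, tags, cmd) in enumerate(hits):
            if open_alert and ts - open_alert["first"] <= window:
                open_alert["last"] = ts
                open_alert["score"] += sum(w for _, w in tags)
                open_alert["rules"].update(n for n, _ in tags)
                open_alert["commands"].append(cmd)
                continue
            if open_alert:            # window expired: start a fresh one here
                open_alert, start = None, end
            while ts - hits[start][0] > window:
                start += 1
            in_window = hits[start:end + 1]
            score = sum(w for _, t, _ in in_window for _, w in t)
            if score >= threshold:
                open_alert = {
                    "host": host, "user": user,
                    "first": in_window[0][0], "last": ts, "score": score,
                    "rules": {n for _, t, _ in in_window for n, _ in t},
                    "commands": [c for _, _, c in in_window],
                }
                alerts.append(open_alert)
    for a in alerts:
        a["rules"] = sorted(a["rules"])
    return alerts


if __name__ == "__main__":
    for a in correlate(parse_events(SAMPLE_EVENTS)):
        print(f"{a['host']} {a['user']} score={a['score']} "
              f"{a['first']:%H:%M}-{a['last']:%H:%M} rules={a['rules']}")
        for c in a["commands"]:
            print("   ", c)
```

Run stand-alone, the script raises a single alert for DC01: the two reconnaissance commands score 1 each and would never alert on their own, but the IFM dump that follows pushes the window over the threshold and the portproxy rule is folded into the same alert, which is exactly the "seemingly harmless activities" point above. The two workstation commands stay silent. In a real SIEM the equivalent is a correlation rule over Sysmon Event ID 1 or Security 4688 records, and 4688 only carries the command line if the "Include command line in process creation events" policy is enabled, so check that setting before trusting any LOTL detection built on it.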

How We are Responding to Volt Typhoon

We have taken an approach of continuous improvement when it comes to our own security. The threats are always evolving, so our security must evolve alongside them. Over the past year we have grown our security team to support both our internal security initiatives and the security services we deliver to our clients. This includes: 

  • Actively participating with the industry to stay aware of threats and refinements to tools, processes, and people. 
  • Regularly looking for advisories from our tool vendors about best practices for hardening. 
  • Driving a culture of security awareness and resiliency – every member of our team understands their role in security – it isn’t just an IT problem. 
  • Regularly evaluating the next generation of security tools coming from the enterprise space to SMBs. 
  • Assessing our own security posture, risks, and strategy – and addressing our gaps (innovate). 
  • Synthesizing all of the things we’re doing for ourselves and guiding our clients on how to turn security from just an IT conversation into something that spans the entire business. 

Raising Our Security Standard for Our Clients 

What used to be our advanced security offering is now our Standard. We want our clients to be prepared for an attack when it happens, and to be able to stand a chance against more sophisticated threat actors. Our Security Standard service includes everything CISA recommends to protect against Volt Typhoon, because we want our clients to be resilient and ready for an attack so they can continue their operations and minimize the damage and disruption to their business.  

We emphasize that IT is only part of security, and we’re helping our clients understand the business-side of security, ensuring a holistic approach to their defense strategy. 

Get a Security Partner

It is crucial that you have a trusted security partner who understands your business and can guide you on how to protect yourself. If you do not have the right partner, reach out to us and we will get you the help you need.