U.S. and Partners Release Joint Cybersecurity Advisory on Volt Typhoon

On May 24, the Cybersecurity and Infrastructure Security Agency (CISA) released a joint cybersecurity advisory informing of tactics, techniques and procedures (TTPs) of Chinese state-sponsored cyber actor Volt Typhoon. That actor targeted U.S. critical infrastructure, and the authoring agencies believe that similar techniques could be employed against targets worldwide. The statement was authored by the U.S.’s CISA, National Security Agency, and the FBI, and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom.

The CISA alert warns that Volt Typhoon is relying on the TTP known as living-off-the-land, “which uses built-in network administration tools to perform their objectives.” The document provides detection signatures that can help network defenders identify this activity, and recommends a series of mitigations to improve an organization’s cybersecurity posture. Importantly, the alert cautions that some of the indicators “can also be legitimate system administration commands that appear in benign activity.” Therefore, they recommend “not to assume that findings are malicious without further investigation or other indications of compromise.”

A Microsoft Threat Intelligence blog on Volt Typhoon, released the same day as the CISA alert, details the threat actor’s campaign against “critical infrastructure organizations in Guam and elsewhere in the United States.” Although Volt Typhoon has typically focused on espionage and information gathering, Microsoft “assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.”

You can read the joint cybersecurity advisory here or below: