From Arctic Wolf

SUMMARY

On February 7, 2024, CISA issued an advisory detailing their discoveries concerning state-sponsored cyber actors linked to the People’s Republic of China (PRC). Notably, the PRC-affiliated threat actor, Volt Typhoon, is actively engaged in efforts to infiltrate IT networks, with the potential aim of launching cyberattacks on vital U.S. infrastructure in the event of a substantial crisis or conflict with the United States. The targets chosen by Volt Typhoon and their behavioral patterns do not align with their typical cyber espionage or intelligence gathering operations.

Volt Typhoon affiliates were observed targeting the IT systems of critical infrastructure organizations in the United States, particularly in the Communications, Energy, Transportation Systems, and Water and Wastewater Systems sectors. This also includes organizations located in both the contiguous and non-contiguous regions of the United States, such as territories like Guam. Other affected entities include smaller organizations with constrained cybersecurity resources that provide critical services to larger organizations or key geographic locations.

CISA also noted that while a threat to Canada’s Critical Infrastructure is likely lower, there is potential for this activity to impact Canada due to cross-border integration. Furthermore, Australia and New Zealand are identified as potentially vulnerable to similar activities.

VOLT TYPHOON OBSERVED ATTACK CHAIN

CISA and the agencies authoring the advisory detailed how Volt Typhoon conducts attacks. Volt Typhoon begins by conducting extensive reconnaissance to gather intelligence on the target’s network architecture, security measures, and personnel. Using known or zero-day vulnerabilities, they gain initial access and then escalate privileges to obtain administrator credentials.

Leveraging these credentials, they move laterally through the network, conducting discovery while minimizing detection. They eventually achieve full domain compromise by extracting the Active Directory database using techniques like Volume Shadow Copy Service (VSS). Offline password cracking allows them to recover passwords from the extracted hashes, gaining elevated access for strategic infiltration. Their focus lies in accessing Operational Technology (OT) assets, such as machines, sensors, and control systems. They persist in testing access to domain resources to advance their objectives.
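For defenders, the Active Directory database extraction described above can be hunted for in process-creation logs. The following is an added example, not part of the Arctic Wolf bulletin or the CISA advisory: it assumes command-line auditing is enabled (Windows Security Event ID 4688 or equivalent), and the rule names, hosts, accounts and events are constructed for illustration.

```python
import re
from collections import defaultdict

# Command-line patterns tied to shadow-copy based access to the AD database (ntds.dit).
RULES = {
    "shadow_copy_created": re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow", re.I),
    "ntds_read_from_shadow": re.compile(r"HarddiskVolumeShadowCopy\d+\\.*ntds\.dit", re.I),
    "ntds_referenced": re.compile(r"\bntds\.dit\b", re.I),
}

# Constructed process-creation records, reduced to the fields the check needs.
# Hosts, accounts and paths are made up for this example.
SAMPLE_EVENTS = [
    {"host": "DC01", "user": "CORP\\svc_backup", "cmdline": "wbadmin start backup -backupTarget:E: -include:C:"},
    {"host": "DC01", "user": "CORP\\adm_jlee", "cmdline": "vssadmin create shadow /for=C:"},
    {"host": "DC01", "user": "CORP\\adm_jlee", "cmdline": r"cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit C:\Windows\Temp\x.dat"},
    {"host": "WS17", "user": "CORP\\mchan", "cmdline": "vssadmin list shadows"},
    {"host": "DC02", "user": "CORP\\svc_backup", "cmdline": "vssadmin create shadow /for=D:"},
]

def matched_rules(cmdline):
    return {name for name, rx in RULES.items() if rx.search(cmdline)}

def triage(events, domain_controllers):
    """Group rule hits per (host, user) and grade them by combination."""
    hits = defaultdict(set)
    for ev in events:
        rules = matched_rules(ev["cmdline"])
        if rules:
            hits[(ev["host"], ev["user"])] |= rules
    alerts = []
    for (host, user), rules in sorted(hits.items()):
        on_dc = host.upper() in domain_controllers
        if "ntds_read_from_shadow" in rules:
            severity = "high"      # database file read out of a snapshot
        elif (on_dc and "shadow_copy_created" in rules) or "ntds_referenced" in rules:
            severity = "medium"    # precursor activity; check against backup schedule
        else:
            severity = "low"       # snapshot created on a non-DC host
        alerts.append({"host": host, "user": user, "severity": severity, "rules": sorted(rules)})
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS, {"DC01", "DC02"}):
        print(alert)
```

Shadow copies are also created by legitimate backup jobs, so the medium tier is meant for comparison against known backup accounts and schedules rather than for paging.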

RECOMMENDATIONS

Recommendation #1: Prioritize Product Patching

Volt Typhoon has been observed to target Fortinet, Ivanti, NETGEAR, Citrix, and Cisco devices for initial access. There have been several critical vulnerabilities exploited in these products by threat actors historically, as indicated by CISA’s Known Exploited Vulnerabilities Catalog. Ensure that these products in your environment are updated with the latest patches, such as the recent patches released for Ivanti products, which were observed to be exploited by other Chinese-affiliated threat actors earlier in January.

You can also reference our recent security bulletins, which Arctic Wolf issued to address vulnerabilities found in products that Volt Typhoon has targeted in the past. 
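One way to turn the patching recommendation into a repeatable check is to cross-reference an asset inventory with the Known Exploited Vulnerabilities Catalog for the vendors named above. This is an added example, not Arctic Wolf's or CISA's code: the KEV records use the field names of CISA's JSON feed but are constructed, the CVE IDs are placeholders, and the inventory and its `last_patched` field are hypothetical.

```python
import json
from datetime import date

# Vendors the bulletin names as Volt Typhoon initial-access targets.
WATCHED_VENDORS = {"fortinet", "ivanti", "netgear", "citrix", "cisco"}

# Constructed sample using the field names of CISA's KEV JSON feed.
# CVE IDs are placeholders and the dates are made up.
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
 {"cveID": "CVE-0000-0001", "vendorProject": "Ivanti", "product": "Connect Secure and Policy Secure", "dateAdded": "2024-01-10", "dueDate": "2024-01-22"},
 {"cveID": "CVE-0000-0002", "vendorProject": "Fortinet", "product": "FortiOS", "dateAdded": "2024-02-09", "dueDate": "2024-02-16"},
 {"cveID": "CVE-0000-0003", "vendorProject": "Cisco", "product": "IOS XE Web UI", "dateAdded": "2023-10-16", "dueDate": "2023-10-20"},
 {"cveID": "CVE-0000-0004", "vendorProject": "Microsoft", "product": "Windows", "dateAdded": "2024-01-01", "dueDate": "2024-01-22"}
]}
""")

# Hypothetical asset inventory export; last_patched is the date of the last firmware/OS update.
INVENTORY = [
    {"asset": "vpn-gw-01", "vendor": "Ivanti", "product": "Connect Secure", "last_patched": "2023-11-02"},
    {"asset": "fw-edge-01", "vendor": "Fortinet", "product": "FortiOS", "last_patched": "2024-02-12"},
    {"asset": "sw-core-02", "vendor": "Cisco", "product": "IOS XE", "last_patched": "2023-09-01"},
    {"asset": "nas-01", "vendor": "Synology", "product": "DSM", "last_patched": "2022-01-01"},
]

def patch_review_queue(kev, inventory, vendors=WATCHED_VENDORS):
    """List watched-vendor assets whose last patch predates a matching KEV entry."""
    queue = []
    for vuln in kev["vulnerabilities"]:
        vendor = vuln["vendorProject"].lower()
        if vendor not in vendors:
            continue
        for asset in inventory:
            same_vendor = asset["vendor"].lower() == vendor
            same_product = asset["product"].lower() in vuln["product"].lower()
            # Heuristic only: a patch date before the KEV listing date means the
            # asset needs a manual version check against the vendor advisory.
            stale = date.fromisoformat(asset["last_patched"]) < date.fromisoformat(vuln["dateAdded"])
            if same_vendor and same_product and stale:
                queue.append({"asset": asset["asset"], "cve": vuln["cveID"], "due": vuln["dueDate"]})
    # Earliest remediation due date first.
    return sorted(queue, key=lambda item: item["due"])

if __name__ == "__main__":
    for item in patch_review_queue(KEV_SAMPLE, INVENTORY):
        print(item)
```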

Recommendation #2: Implement Phishing-Resistant MFA

Arctic Wolf strongly recommends enabling MFA for all accounts to protect against brute force attacks and compromised accounts being purchased by threat actors on the dark web and used for initial access in ransomware cases. Please note that enabling MFA may have operational considerations in your environment. 

Recommendation #3: Implement Security Awareness Training

Due to the phishing techniques used by the threat actors outlined in this bulletin, Arctic Wolf recommends using security awareness training campaigns so that users are better able to recognize and report suspicious activities associated with sophisticated phishing campaigns.
