Volt Typhoon is a nation-state cyber espionage group. Their objective is to compromise the United States' critical infrastructure. In this article, we're going to talk about the cyber threat posed by Volt Typhoon, as well as mitigation strategies for financial institutions.
About the Name: Volt Typhoon
The Microsoft Threat Actor Naming Taxonomy was created to help security experts quickly identify threat actors. Anytime you see the word "Typhoon" in a threat actor name, this signals the threat actor is from China. Any words appended to it (like Volt, Flax, Salt, etc.) are added to differentiate among the different threat actor groups.
About the Threat
Volt Typhoon's operations are aimed at gathering intelligence (a.k.a., cyber espionage).
They have historically done this using a technique called "Living off the Land" (LOTL). They get in using compromised credentials or exploiting vulnerabilities, but then use legitimate system tools instead of malware to gather information. This makes their attacks harder to detect because traditional security systems see their actions as "normal" activity.
While Volt Typhoon's focus has centered around espionage, there is concern the access could be used to sabotage the systems, resulting in widespread disruption to critical infrastructure.
Mitigation Strategies
As with many cyber threats, the best strategy involves a layered approach to prevent, detect, and respond to the threat.
- Prevent: Financial institutions can help prevent Volt Typhoon from compromising their systems with good cyber hygiene. This incudes things like patch management, multi-factor authentication (MFA), logging and monitoring, IT asset management, and third-party risk management, to name a few.
- Detect: Financial institutions can detect Volt Typhoon activity by performing ongoing monitoring and looking for known indicators of compromise (IOCs). A current list of Volt Typhoon IOCs can be found on the Cybersecurity and Infrastructure Security Agency (CISA) website: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a.
- Respond: Financial institutions can respond to incidents caused by Volt Typhoon by having a well-designed Business Continuity Plan and Incident Response Plan. If you are compromised by Volt Typhoon, you are encouraged to report the activity to CISA via their Incident Reporting Form: https://myservices.cisa.gov/irf.
Need Help?
If you need assistance with protecting your financial institution from threats like Volt Typhoon, CoNetrix is here to help.
- CoNetrix Technology provides managed IT services, including endpoint protection, network monitoring and logging, and intrusion detection and prevention (IDS/IPS).
- CoNetrix Security provides assurance and testing services, including IT audits, penetration testing, and vulnerability assessments.
- Tandem provides a suite of applications, designed to help you create your information security program, including Incident Management, Business Continuity Plan, and Vendor Management.
If you would like to learn more about how CoNetrix can help you, Contact Us.
Further Reading
- CISA Cybersecurity Advisory: People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection (May 24, 2023)
- CISA Cybersecurity Advisory: PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure (February 7, 2024)
- CISA Fact Sheet: PRC State-Sponsored Cyber Activity: Actions for Critical Infrastructure Leaders (March 19, 2024)