On May 24, 2023, Microsoft announced the detection of a direct threat to critical infrastructure organizations in Guam and elsewhere in the United States. The alert attributed observed malicious activity to a state-sponsored actor, based in China, known as Volt Typhoon. The targeted organizations represented entities across the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. Active since 2021, this malicious campaign initially appeared similar to other Chinese state-sponsored campaigns which have typically focused on intelligence-gathering and espionage. Indeed, since 2014, there have been at least eight major cyberattacks attributed to China, all of which focused on surveillance, espionage, or intellectual property theft. Viewed this way, Microsoft’s discovery of Volt Typhoon’s malicious campaign was concerning, but nothing new.
What distinguished this announcement, however, was Microsoft’s “moderate confidence” that more recent activity was emblematic of a strategic shift from long-term surveillance tactics to the development of an offensive capability to disrupt critical communications infrastructure. Microsoft revealed that Volt Typhoon had hidden malware deep inside the networks controlling America’s power grids, water supplies, information technology, and communications systems. This malware relies almost exclusively on living-off-the-land techniques and hands-on-keyboard activity to maintain stealth, and it could potentially be operationalized when necessary. More concerning was the presence of Volt Typhoon’s malware embedded in critical infrastructure near U.S. military bases in Guam, which had the potential to disrupt critical communications between the United States and Asia during a kinetic conflict with China.
Subsequent reporting from The New York Times indicated that since Microsoft’s discovery, “[m]ore than a dozen U.S. officials and industry experts said … that the Chinese effort goes far beyond telecommunications systems” and that “there is a debate inside the administration over whether the goal of the operation is primarily aimed at disrupting the military, or at civilian life more broadly in the event of a conflict.” From a defensive planning perspective, it is best to assume that this strategic shift has multiple objectives – continued intelligence gathering with an emphasis on crippling or delaying a U.S. military response in the event of a kinetic attack, and sowing chaos in the communities that support these military installations. In other words, the presence of the Volt Typhoon malware in U.S. critical infrastructure represents a strategic pivot from surveillance operations to an offensive war planning capability that should be viewed in the context of the current geopolitical climate.
Evolution of the Threat and Geopolitical Context
From a geopolitical perspective, the modern history of China’s relationship with the United States has been marked by several significant shifts. After a period of “opening dialogues” initiated during the Nixon Administration, relations were normalized in 1979. Until the collapse of the Soviet Union in 1991, China and the U.S. existed as tacit allies with a joint interest in countering Soviet power.
Throughout the 1990s and early 2000s, the two powers could be characterized as nominally cooperative but deeply competitive, particularly with regard to economic power. With the rise to power of President Xi Jinping in 2013, China began to assert a markedly more aggressive foreign policy and, through its Belt and Road Initiative, more directly challenged U.S. global economic dominance. The escalating tensions between China and the U.S. brought the relationship between China and Russia closer. China’s steadfast support for Russia in the wake of the latter’s invasion of Ukraine has raised tensions to a new level amid concerns about China’s own territorial aspirations vis-à-vis Taiwan. This situation has placed China and the U.S. in the most direct confrontational posture of the modern era, with direct military confrontation a potential outcome. Therefore, the shift to a more aggressive posture in cyberspace through the deployment of offensive malware seems consistent with the rising tension between the U.S. and China.
Methodology
A joint Cybersecurity Advisory (CSA) published by the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and several international partners provides additional detail on Volt Typhoon’s preferred cyberattack technique, living off the land (LOTL). Traditional malware attacks rely on files that carry an identifiable signature to carry out the intrusion. LOTL attacks are fileless: they do not involve installing malicious code or scripts on the target system. Instead, the attacker uses tools that are already present in the environment, such as PowerShell, Windows Management Instrumentation (WMI), or the credential-dumping tool Mimikatz, to execute the attack. Standard malware detection is usually triggered by hard disk read/write access, which means that whenever a new file is dropped on the system, anti-virus (AV) tools scan and identify it. As the Microsoft announcement explained, because LOTL techniques avoid a hard disk event, the malicious activity blends in among the normal processes on a system, and the actor’s traffic is routed through compromised conduits, such as small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware.
The combination of LOTL via compromised SOHO devices, with only manual, hands-on-keyboard interaction for command-and-control purposes, allows the actor to operate covertly: it avoids endpoint detection and response (EDR) products that would alert on the introduction of third-party applications to the host, and it limits the amount of activity captured in default logging configurations, according to the CSA. For organizations that rely on traditional signature-based anti-virus software, the use of these native tools via SOHO devices makes LOTL attacks extremely difficult to detect.
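The detection problem described above is what a defender is left with: the tools are legitimate, so the signal lies in how they are invoked and by which parent process. The following Python script is an added example, not code from the advisory or from this article. It runs a few behavioral heuristics over constructed process-creation events (shaped like the fields of a Windows Security 4688 or Sysmon Event ID 1 record): encoded PowerShell command lines (decoded for the analyst), hidden-window shells, and shells spawned by WMI or an Office application. The sample events, rule weights and alert threshold are assumptions chosen for illustration.

```python
"""Behavioral triage of process-creation events for living-off-the-land patterns."""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    parent: str   # parent process image name
    image: str    # created process image name
    cmdline: str  # full command line as logged


def _enc(ps: str) -> str:
    """PowerShell -EncodedCommand takes base64 of UTF-16LE text; used to build samples."""
    return base64.b64encode(ps.encode("utf-16le")).decode("ascii")


# Constructed sample events (not real telemetry): one benign admin command,
# a WMI-launched shell, an Office-spawned hidden encoded PowerShell, and a service host.
SAMPLE_EVENTS = [
    ProcEvent("ws01", "explorer.exe", "powershell.exe",
              'powershell.exe -NoProfile -Command "Get-Date"'),
    ProcEvent("srv02", "WmiPrvSE.exe", "cmd.exe", "cmd.exe /c whoami /all"),
    ProcEvent("ws03", "WINWORD.EXE", "powershell.exe",
              "powershell.exe -w hidden -nop -enc " + _enc("whoami; hostname")),
    ProcEvent("srv04", "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
]

# -e, -ec, -en, -enc and -encodedcommand are all accepted abbreviations of -EncodedCommand.
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
HIDDEN_RE = re.compile(r"(?i)-w(?:indowstyle)?\s+h(?:idden)?\b")
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
WMI_HOSTS = {"wmiprvse.exe"}
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if the flag is absent."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def score_event(ev: ProcEvent):
    """Return (score, reasons); reasons name each heuristic that matched."""
    score, reasons = 0, []
    image, parent = ev.image.lower(), ev.parent.lower()
    decoded = decode_encoded_command(ev.cmdline)
    if decoded is not None:
        score += 3
        reasons.append(f"encoded_powershell:{decoded}")
    if image in SHELLS and HIDDEN_RE.search(ev.cmdline):
        score += 2
        reasons.append("hidden_window")
    if image in SHELLS and parent in WMI_HOSTS:
        score += 3
        reasons.append("wmi_spawned_shell")
    if image in SHELLS and parent in OFFICE:
        score += 3
        reasons.append("office_spawned_shell")
    return score, reasons


def triage(events, threshold=3):
    """Return (host, image, score, reasons) for every event at or above the threshold."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append((ev.host, ev.image, score, reasons))
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Rules like these complement, rather than replace, the logging the CSA points to: they can only fire if process creation with full command lines is being recorded in the first place, which a default Windows configuration does not do.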
Outdated and Vulnerable to Attack
Many critical infrastructure organizations use legacy Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems which were created at a time when frequent updates and patches were not common. They often run on outdated software and hardware systems, lack network segmentation, and do not use encryption to protect communications, allowing bad actors to monitor network traffic to capture authentication credentials and carry out man-in-the-middle attacks.
ICS security firm Dragos analyzed 212 security advisories in 2019, which together identified 438 ICS vulnerabilities. Twenty-six percent of the advisories were related to zero-day flaws. In addition, nine percent of the advisories contained vulnerabilities that could potentially allow attackers to move from IT to OT networks. Although this percentage may appear small, it led the credit rating agency Moody’s to mark critical infrastructure organizations as credit negative in June 2023, based on their belief “that sophisticated threat actors such as state-sponsored entities can navigate from IT to OT.”
Consequences of Destructive Malware in U.S. Critical Infrastructure
A successful cyberattack on U.S. critical infrastructure will have other far-reaching consequences, given the cascading effect that a successful attack on one critical infrastructure element can have on another. The dependencies and interdependencies that exist between industries are well known to those in critical infrastructure organizations. For instance, a cyberattack that disables the electrical grid means that water and wastewater systems will not deliver clean water, natural gas will not flow to produce heat, and communications systems will not work. All of these critical infrastructure elements will remain disabled until power is restored. This also means that any military response to acts of aggression against the United States or its interests may be delayed or disabled.
There is little doubt that the presence of Volt Typhoon’s destructive malware in Guam’s critical infrastructure represents cyber war planning. From a strategic perspective, Guam is ground zero for the U.S. response to a Chinese invasion of Taiwan. Per Stanford University’s Spogli Institute for International Studies, “Guam’s geostrategic potential is rooted in its proximity to China, and represents the westernmost location from which the U.S. can project power, manage logistics, and establish command and control.” In other words, Guam is to China what Pearl Harbor was to Japan.
Given the uniquely interconnected nature of U.S. critical infrastructure ownership and management – estimates generally put private sector ownership of U.S. critical infrastructure assets at 85 percent – it is essential to ensure clear and fluid collaboration between the federal government and the private sector to secure these assets and mitigate risks.
What Government Can Do
Government has a responsibility to lead in responding proactively to this and other threats to the nation’s critical infrastructure. The following recommendations are just some of the actions that should be considered in the near term:
- CISA should prioritize the existing National Critical Functions Set, first released in April 2019. Such a prioritization would help industry assess cross-sector risks and associated dependencies that may have a cascading effect if one critical infrastructure element is disabled. As of December 2022, the GAO reported that CISA did not understand how the framework related to prioritizing infrastructure, how it affected planning and operations, or where particular organizations fell within it.
- Streamline and harmonize the dizzying array of cybersecurity and technical standards into a single framework to reduce the compliance costs incurred by critical infrastructure organizations.
- Provide or increase tax and financial incentives to spur private sector cybersecurity investment in critical infrastructure organizations.
- Ensure federal agencies have proper funding and staffing to implement a new, streamlined regulatory framework. This is particularly important to avoid cyber incidents such as the Colonial Pipeline attack, per the GAO.
- Increase federal spending to implement the GAO’s recommendations related to cyber critical infrastructure protection. The GAO has made 106 recommendations since 2010, but only 60 have been implemented.
- Assess the progress of Presidential Policy Directive (PPD-21) and address any deficiencies with federal, state, local, and private sector stakeholders.
- Enhance ICTS supply chain security to limit the risk of supply chain attacks in U.S. critical infrastructure.
What Industry Can Do
- Share information on specific threats through various mechanisms such as good faith compliance with mandatory incident reporting requirements, robust participation in Information Sharing and Analysis Organizations (ISAOs), Sector Coordinating Councils, or the Cybersecurity and Information Sharing Act of 2015.
- Conduct a NIST-compliant or ISO 27001 risk assessment to determine the organization’s cybersecurity risks.
- Conduct a risk or criticality assessment of the organization’s ICTS supply chain security to ensure no counterfeit or altered products are acquired and enter the network environment.
- Have a strong business continuity plan (BCP) that outlines how an organization will continue to operate in the event of a disruption. At a minimum, a well-crafted BCP will identify the organization's critical functions, develop strategies for maintaining those functions during a disruption, and assign roles and responsibilities to key personnel. The BCP should be incorporated into the organization’s internal corporate governance process and include incident response and disaster recovery planning in compliance with NIST or ISO 27001 standards (see also ISO 22301 for non-information security BCPs). The U.S. Critical Infrastructure Risk Management Framework, as described in the National Infrastructure Protection Plan, can also be used as a guide to help prioritize risks when setting up these plans.
- Train against and test these plans using a worst-case scenario. Where possible, use training environments with real OT equipment from critical infrastructure.
- Consider separating ICS and SCADA networks from general business networks with firewalls and a demilitarized zone (DMZ).
- Have a plan to regularly update and patch systems, including internet-facing SOHO devices.
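To make the separation recommended above concrete, the following Python script is an added example, not the authors’ own, that models a three-zone design (business network, DMZ, and ICS/SCADA network) as an ordered list of firewall rules and checks a few segmentation invariants against it: no direct business-to-ICS path, business traffic into the DMZ only on an allowlisted service port, DMZ-to-ICS access only from a jump host on allowlisted ports, no OT-to-IT path that bypasses the DMZ, and an explicit deny-all as the final rule. The zone names, port numbers and jump-host name are assumptions for the example; the first policy is deliberately flat so the checker has something to flag.

```python
"""Check a zone-based firewall policy for ICS/SCADA segmentation invariants."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str       # zone ("business", "dmz", "ics", "*") or "zone:host" for one host
    dst: str
    dport: object  # TCP port number, or "*" for any port
    action: str    # "allow" or "deny"; first matching rule wins


# Assumed policy constants for this example (not taken from the article).
DMZ_SERVICES = {443}        # only service business users may reach in the DMZ
JUMP_HOST = "dmz:jumphost"  # the sole permitted path from the DMZ into ICS
JUMP_PORTS = {3389}         # remote access to the engineering workstation


def zone(endpoint: str) -> str:
    """'dmz:jumphost' -> 'dmz'; 'ics' -> 'ics'."""
    return endpoint.split(":", 1)[0]


def check_policy(rules):
    """Return human-readable violations; an empty list means every invariant holds."""
    violations = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        s, d = zone(r.src), zone(r.dst)
        if s == "business" and d == "ics":
            violations.append(f"rule {i}: direct business->ics allow (no DMZ between IT and OT)")
        if s == "business" and d == "dmz" and r.dport not in DMZ_SERVICES:
            violations.append(f"rule {i}: business->dmz allows port {r.dport}, "
                              f"expected one of {sorted(DMZ_SERVICES)}")
        if s == "dmz" and d == "ics":
            if r.src != JUMP_HOST:
                violations.append(f"rule {i}: dmz->ics allow from {r.src}; only {JUMP_HOST} is permitted")
            if r.dport not in JUMP_PORTS:
                violations.append(f"rule {i}: dmz->ics allows port {r.dport}, "
                                  f"expected one of {sorted(JUMP_PORTS)}")
        if s == "ics" and d == "business":
            violations.append(f"rule {i}: ics->business allow (OT should reach IT only through the DMZ)")
        if "*" in (r.src, r.dst):
            violations.append(f"rule {i}: wildcard allow rule")
    last = rules[-1] if rules else None
    if not (last and last.action == "deny" and (last.src, last.dst, last.dport) == ("*", "*", "*")):
        violations.append("policy does not end with an explicit deny-all rule")
    return violations


# Constructed flat policy: ICS reachable straight from the business LAN, any port.
FLAT_POLICY = [
    Rule("business", "ics", "*", "allow"),
    Rule("business", "dmz", "*", "allow"),
    Rule("dmz", "ics", "*", "allow"),
]

# Constructed segmented policy: DMZ between IT and OT, jump host only, default deny.
SEGMENTED_POLICY = [
    Rule("business", "dmz", 443, "allow"),   # web view of the historian in the DMZ
    Rule(JUMP_HOST, "ics", 3389, "allow"),   # remote engineering access via the jump host
    Rule("ics", "dmz", 443, "allow"),        # historian data pushed out of OT into the DMZ
    Rule("*", "*", "*", "deny"),
]


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(name, check_policy(policy) or "OK")
```

A check of this kind is most useful when run against the exported ruleset on every change, so that a convenience rule added during an outage (for example, a direct business-to-ICS allow) is caught before it becomes permanent.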
Conclusion
Microsoft’s discovery of Volt Typhoon malware in U.S. critical infrastructure marks a strategic shift in China’s cyber operations from long-term surveillance tactics to war planning. Outdated legacy ICS and SCADA are particularly vulnerable to compromise. Given the interdependencies between critical infrastructure elements, a successful cyberattack on U.S. critical infrastructure would have a cascading effect and significantly disrupt civilian life while crippling or delaying any U.S. military response to a kinetic conflict. It is therefore essential that the federal government and private sector work together to secure critical infrastructure organizations and mitigate risks.
Drawing on frameworks established by the National Initiative for Cybersecurity Education (NICE) and National Institute of Standards and Technology (NIST), our Master’s in Cybersecurity Risk Management emphasizes the competencies and functions needed to address today’s increasingly complex cyber threats, including this one.
About the Authors
Rico Falsone is a senior attorney at Bradley Arant Boult Cummings LLP and an adjunct professor at the Georgetown University School of Continuing Studies. Falsone also served more than 22 years as a Supervisory Special Agent in the Federal Bureau of Investigation (FBI).
Niall P. Brennan is Vice President, Global Security Liaison Officer, and Head of Strategic Security Partnerships and Engagement within the Global Security and Compliance organization of SAP. He served 22 years in the FBI and has over 30 years of experience in a variety of legal, advisory, security, and investigative roles in both the public and private sectors.
Dr. Frederic Lemieux currently serves as Professor of the Practice and Faculty Director of the Master of Professional Studies programs in Applied Intelligence, Cybersecurity Risk Management, Technology Management, and Information Technology Management at Georgetown University.