People's Republic of China State-Sponsored Cyber Actor Volt Typhoon

August 18, 2023

EPA has released a water and wastewater sector-focused advisory (attached below) that supplements previous government alerts regarding the China state-sponsored threat actor labeled Volt Typhoon (or BRONZESILHOETTE or VANGUARD PANDA), which is suspected of conducting network scanning and other reconnaissance activities targeting U.S. critical infrastructure. In addition to EPA’s sector-specific concerns, prior reporting has shown the federal government is concerned the threat actor may target water and wastewater utilities, particularly if they provide services to military bases. The advisory includes new indicators of compromise (IOCs) that can be used by network defenders to detect if their systems have been breached.

Members should review the advisory’s IOCs and update their network defenses accordingly. The advisory specifically recommends network administrators:

• Scan networks for the known IOCs included in the advisory, and other unusual IP addresses and ports in command lines, registry entries, and firewall logs to identify other hosts that are potentially involved in actor actions.
• Block all listed IP addresses and user-agents listed in the advisory.
• Establish baselines of normal activity, particularly for remote access and administrative actions, and look for outliers from those baselines.

Volt Typhoon is known to prefer living off the land tactics, which enables it to avoid detection by using legitimate network administration tools, so members are encouraged to conduct scanning to uncover suspicious network behavior.

Additional relevant information and resources shared by WaterISAC include:

• (U//FOUO) Network Defender Bulletin (DHS I&A)
• June 28, 2023 WaterISAC Cyber Threat Briefing

If you find any evidence of Volt Typhoon activity, contact the FBI via your local Field Office, Cyber Watch (CyWatch) at (855) 292-3937 or CyWatchCyWatch@fbi.gov, or the Internet Crime Complaint Center (IC3). You can also contact CISA at report@cisa.gov or (888) 282-0870. Additionally, WaterISAC encourages members to share information by emailing analyst@waterisac.org, calling 866-H2O-ISAC, or using the online incident reporting form.

May 25, 2023

Yesterday, CISA, the FBI, the National Security Agency (NSA), the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the Communications Security Establishment’s Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), and the United Kingdom National Cyber Security Centre (NCSC-UK) published a joint Cybersecurity Advisory (CSA) to highlight a People’s Republic of China (PRC) state-sponsored actor, also known as Volt Typhoon, that is actively working to compromise critical infrastructure networks and conduct malicious activity.

This advisory provides critical infrastructure organizations and network defenders with new insights into the specific tactics, techniques, and procedures (TTPs) used by PRC threat actors to gain and maintain persistent access into critical infrastructure networks. It demonstrates how PRC cyber actors use a technique called living off the land, which enables these actors to avoid detection by using legitimate network administration tools such as PowerShell, Windows Management Instrumentation (WMI), and Mimikatz.    

The CSA also includes indicators of compromise to help network defenders detect related malicious activity. The authoring agencies encourage network defenders to review the advisory and apply the included mitigations. Recommended mitigations which can help organizations prioritize their investments to most effectively mitigate this activity, include:  

• Baseline protections include harden domain controllers, monitor event logs, limit port proxy usage within environments, and investigate unusual internet protocol (IP) addresses and ports.  
• Logging recommendations include setting audit policy, hunt for windows management instrumentation (WMI) and PowerShell activity and enable logging on their edge devices.   
• Prioritize mitigation of known exploited vulnerabilities (KEV), including those listed in the joint advisory and also in CISA's KEV catalog. 

To report suspicious or criminal activity related to information found in advisory, contact your local FBI field office, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937, or by e-mail at CyWatchCyWatch@fbi.gov. If you have any further questions, or to request incident response resources or technical assistance related to these threats, contact CISA at CISAServiceDesk@cisa.dhs.gov. Access the full advisory at CISA.