
U.S. and Partners Release Joint Cybersecurity Advisory on Volt Typhoon

Eugenia Lostri
Thursday, May 25, 2023, 4:39 PM
The joint advisory warns of the tactics, techniques, and procedures used by a China state-sponsored cyber actor targeting U.S. critical infrastructure organizations.

Published by The Lawfare Institute

On May 24, the Cybersecurity and Infrastructure Security Agency (CISA) released a joint cybersecurity advisory describing the tactics, techniques, and procedures (TTPs) of Volt Typhoon, a Chinese state-sponsored cyber actor. The actor has targeted U.S. critical infrastructure, and the authoring agencies assess that the same techniques could be employed against targets worldwide. The advisory was co-authored by CISA, the National Security Agency (NSA), and the FBI, together with the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom.

The CISA alert warns that Volt Typhoon relies on the TTP known as living-off-the-land, "which uses built-in network administration tools to perform their objectives." Because the actor runs the same tools an administrator would, there is little malware to detect; the document instead provides detection signatures and hunting guidance that can help network defenders identify this activity, and recommends a series of mitigations to improve an organization's cybersecurity posture. Importantly, the alert cautions that some of the indicators "can also be legitimate system administration commands that appear in benign activity." The agencies therefore recommend "not to assume that findings are malicious without further investigation or other indications of compromise."
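The caveat above is the practical problem with living-off-the-land detection: a match on a built-in administration tool is a lead, not a verdict. The following is an added example, not code from the advisory or from CISA, of how a defender might triage such matches. The regexes for abused admin tools, the pipe-delimited log format, the `ADMIN_ACCOUNTS` allowlist and the corroboration rule (two or more distinct tools chained on one host within 30 minutes by an account not expected to run them) are all constructed assumptions for illustration, as are the sample log lines.

```python
"""Triage of living-off-the-land (LOTL) indicators in process-creation logs.

Added example; not code from the advisory. The tool patterns, log format,
allowlist and corroboration rules are constructed assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed regexes for built-in Windows admin tools that LOTL actors can abuse.
# Every one of these is also routinely run by legitimate administrators.
LOTL_PATTERNS = {
    "netsh_portproxy": re.compile(r"\bnetsh(?:\.exe)?\b.*\bportproxy\b", re.I),
    "wmic": re.compile(r"\bwmic(?:\.exe)?\b", re.I),
    "ntdsutil": re.compile(r"\bntdsutil(?:\.exe)?\b", re.I),
    "powershell_encoded": re.compile(
        r"\bpowershell(?:\.exe)?\b.*\s-(?:e|ec|enc|encodedcommand)\b", re.I),
}

# Assumed allowlist of accounts expected to run admin tooling.
ADMIN_ACCOUNTS = {"CORP\\svc_backup", "CORP\\helpdesk"}
CHAIN_WINDOW = timedelta(minutes=30)

# Constructed process-creation records: "ISO-time|host|user|command line".
SAMPLE_LOG = """\
2023-05-20T02:10:00|DC01|CORP\\svc_backup|ntdsutil.exe "ac i ntds" "ifm" "create full C:\\temp" q q
2023-05-20T14:32:11|WS042|CORP\\jdoe|netsh.exe interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5 connectport=443
2023-05-20T14:33:05|WS042|CORP\\jdoe|wmic.exe process call create "cmd.exe /c whoami"
2023-05-20T14:35:40|WS042|CORP\\jdoe|powershell.exe -nop -w hidden -enc SQBFAFgA
2023-05-20T09:05:00|WS007|CORP\\helpdesk|wmic.exe computersystem get domain
2023-05-20T09:06:00|WS007|CORP\\helpdesk|notepad.exe C:\\runbook.txt
"""


def parse_log(text):
    """Parse the constructed pipe-delimited log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, cmd = line.split("|", 3)
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "user": user, "cmd": cmd})
    return events


def match_indicators(cmd):
    """Names of LOTL patterns that match one command line (may be empty)."""
    return [name for name, pat in LOTL_PATTERNS.items() if pat.search(cmd)]


def triage(events):
    """Map host -> verdict.

    A lone match is only 'investigate': the same command is ordinary admin
    work. 'suspicious' requires corroboration: two or more distinct tools
    chained on the same host within CHAIN_WINDOW by an account that is not
    expected to run them.
    """
    per_host = defaultdict(list)            # host -> [(time, user, indicator)]
    for ev in events:
        for name in match_indicators(ev["cmd"]):
            per_host[ev["host"]].append((ev["time"], ev["user"], name))

    verdicts = {}
    for host, hits in per_host.items():
        hits.sort()
        verdict = "investigate"
        for i, (t0, _, _) in enumerate(hits):
            window = [h for h in hits[i:] if h[0] - t0 <= CHAIN_WINDOW]
            distinct = {h[2] for h in window}
            unexpected = any(h[1] not in ADMIN_ACCOUNTS for h in window)
            if len(distinct) >= 2 and unexpected:
                verdict = "suspicious"
                break
        verdicts[host] = verdict
    return verdicts


if __name__ == "__main__":
    for host, verdict in sorted(triage(parse_log(SAMPLE_LOG)).items()):
        print(f"{host}: {verdict}")
```

On the constructed data, the backup account dumping the directory on DC01 during the night and the helpdesk account querying WMI on WS007 each produce a single match and stay at "investigate"; only WS042, where a non-admin account chains a port proxy, remote process creation and an encoded PowerShell command within minutes, is escalated. The point is the workflow the advisory asks for, not these particular rules: a signature hit opens a case, and corroborating context closes or escalates it.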

A Microsoft Threat Intelligence blog on Volt Typhoon, released the same day as the CISA alert, details the threat actor’s campaign against “critical infrastructure organizations in Guam and elsewhere in the United States.” Although Volt Typhoon has typically focused on espionage and information gathering, Microsoft “assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.”

The full joint cybersecurity advisory is available from CISA.

Eugenia Lostri is Lawfare's Fellow in Technology Policy and Law. Prior to joining Lawfare, she was an Associate Fellow at the Center for Strategic and International Studies (CSIS). She also worked for the Argentinian Secretariat for Strategic Affairs, and the City of Buenos Aires’ Undersecretary for International and Institutional Relations. She holds a law degree from the Universidad Católica Argentina, and an LLM in International Law from The Fletcher School of Law and Diplomacy.
