Following a 5-year investigation into China-based cyber threats targeting critical infrastructure, Sophos researchers have attributed specific observed activity to Volt Typhoon, highlighting key behaviors in its Pacific Rim report. The report includes a summary of the adversary’s activity and key takeaways for defenders.
WaterISAC has shared extensively on the threat posed by PRC-affiliated actors to the water sector (see below) and is including the takeaways from this report for member awareness and to help bolster the sector’s security. It is highly recommended that organizations work toward securing their edge devices, as these have been identified as one of the primary attack vectors used by these attackers. For more information, visit Sophos and Industrial Cyber.
Sophos highlights three key evolving attacker behaviors:
- A shift in focus from indiscriminate, noisy, and widespread attacks to stealthier operations against specific high-value and critical infrastructure targets.
- Evolution in stealth and persistence capabilities with increased use of living-off-the-land and backdoor techniques.
- Improved operational security (OPSEC) tactics, including sabotaging firewalls and hampering OSINT research by maintaining a reduced digital footprint.
Sophos’ key takeaways for defenders:
Edge network devices are high-value targets that well-resourced adversaries use for both initial access and persistence. Defenders' detection and response strategies need to take this into account. To aid defenders, Sophos has:
- Provided TTPs and IOCs in the appendix of the detailed timeline to help defenders identify detection opportunities
- Outlined the steps it takes to detect and respond to attacks against its customers’ firewalls
State-sponsored attackers use both zero-day and known vulnerabilities to attack edge devices. This targeting is not unique to Sophos firewalls; as evidenced by published CVEs, all edge devices are a target.
- Closely follow your vendor's device hardening guide (Sophos’ is here) to reduce attack surface and limit exploitability of zero-day vulnerabilities, paying particular attention to administrative interfaces
- Enable hotfixes, if supported, and implement processes to monitor your vendors’ vulnerability disclosure communications — and quickly respond accordingly
- Ensure you are running supported hardware and software for which your vendor is committed to releasing security updates
State-sponsored targeting is not limited to high-value espionage targets.
- Threat actors use edge devices as operational relay boxes (ORBs) to attack onward targets and obfuscate the true origin of attacks
- In a tightly connected digital ecosystem, many organizations form part of a critical infrastructure supply chain and may be targeted by actors seeking to disrupt critical services
WaterISAC’s prior analysis regarding PRC-affiliated actors, including Volt Typhoon:
- July 18, 2024 | Partner Reports | Cyber – July 18, 2024
- May 16, 2024 | General Awareness – Ohio Senator Drafts Letter of Concern to CISA about Volt Typhoon
- May 2, 2024 | Cyber Resilience – CISA Emphasizes Threat Posed by China on Critical Infrastructure
- April 23, 2024 | FBI Director Wray Warns of China’s Preparations to Disrupt Critical Infrastructure Including the Water Sector
- March 19, 2024 | (TLP:CLEAR) Joint Factsheet – PRC State-Sponsored Cyber Activity: Actions for Critical Infrastructure Leaders
- February 8, 2024 | (TLP:CLEAR) WaterISAC Advisory – PRC-sponsored Volt Typhoon Activity and Supplemental Living Off the Land Guidance
- February 1, 2024 | Disrupted Volt Typhoon Botnet and Testimony on Preeminent Cyber Threat Posed by the PRC
- December 14, 2023 | People's Republic of China State-Sponsored Cyber Actor Volt Typhoon (Updated December 14, 2023)
- October 10, 2023 | U.S. Government Report Highlights Increasing Threat to Critical Infrastructure from Chinese State Sponsored Threat Actors
- August 1, 2023 | ICS/OT Threat Awareness – U.S. Highly Concerned about Chinese Malware Potentially Disrupting American Military Operations
- August 1, 2023 | Network Defender Bulletin – Nation State Threat Actor Likely Compromised U.S.-based Critical Infrastructure Operations