Volt Typhoon Living-Off-the-Land Tactics Detailed — March 7, 2024
International partners warned that PRC actors are hiding inside critical infrastructure networks by abusing built-in tools and unmanaged assets.
Executive briefing: CISA, NSA, FBI, and international partners released Cybersecurity Advisory AA24-064A, highlighting how People’s Republic of China (PRC) state-sponsored actor Volt Typhoon persists within U.S. critical infrastructure environments. The advisory expands on 2023 warnings with newly observed living-off-the-land techniques.
Highlighted tactics
- Exploitation of default credentials. The group targets small office/home office (SOHO) routers and unpatched appliances to gain initial footholds without deploying malware.
- Native tool abuse. Volt Typhoon relies on PowerShell, WMI, Task Scheduler, and built-in network utilities to blend with legitimate administrator activity.
- Hands-on-keyboard operations. Operators manually stage data exfiltration, credential theft, and operational technology reconnaissance to support potential disruption campaigns.
Mitigation guidance
- Prioritize asset discovery and patching for edge devices, unmanaged OT controllers, and remote management interfaces.
- Implement robust logging across Windows event channels, PowerShell transcription, and network monitoring to detect anomalous command usage.
- Adopt network segmentation and application allowlisting to constrain credential misuse and lateral movement between IT and OT zones.
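The logging guidance above only pays off if the collected events are actually checked for native-tool abuse. The following is an added illustration (not code from the advisory or any agency tool) of one detection pass over process-creation records: it flags the advisory's tool categories (PowerShell, WMI, Task Scheduler, network utilities) when run by an account outside an assumed per-host baseline, and escalates when one account chains several categories on one host. The event records, field names, and BASELINE are constructed for the example.

```python
from collections import defaultdict

# Native Windows tools the advisory names as living-off-the-land vehicles, by category.
LOTL_TOOLS = {
    "powershell.exe": "powershell", "pwsh.exe": "powershell",
    "wmic.exe": "wmi", "schtasks.exe": "scheduler",
    "netsh.exe": "network", "netstat.exe": "network", "ipconfig.exe": "network",
}

# Constructed sample records; fields loosely follow Windows Security Event ID 4688
# (host, subject account, new process image, command line). Not real telemetry.
SYS32 = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [
    {"host": "DC01", "account": "CORP\\svc-admin", "image": SYS32 + "wbem\\WMIC.exe", "cmdline": "wmic computersystem get domain"},
    {"host": "HMI-WS02", "account": "CORP\\jdoe", "image": SYS32 + "netstat.exe", "cmdline": "netstat -ano"},
    {"host": "HMI-WS02", "account": "CORP\\jdoe", "image": SYS32 + "wbem\\WMIC.exe", "cmdline": "wmic useraccount list brief"},
    {"host": "HMI-WS02", "account": "CORP\\jdoe", "image": SYS32 + "schtasks.exe", "cmdline": "schtasks /create /tn Update /sc daily"},
    {"host": "FS01", "account": "CORP\\backup", "image": SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell -File backup.ps1"},
    {"host": "FS01", "account": "CORP\\backup", "image": SYS32 + "notepad.exe", "cmdline": "notepad"},
]

# Assumed baseline: accounts expected to run native admin tooling on each host.
BASELINE = {"DC01": {"CORP\\svc-admin"}, "FS01": {"CORP\\backup"}, "HMI-WS02": set()}

def tool_name(image):
    """Basename of the process image, lower-cased for lookup."""
    return image.rsplit("\\", 1)[-1].lower()

def flag_anomalies(events, baseline, min_categories=2):
    """Return (host, account, reason) findings. A finding is raised for every LOTL tool
    run by an account outside the host's baseline, plus one summary finding when a
    single account uses min_categories or more tool categories on the same host."""
    findings = []
    categories = defaultdict(set)  # (host, account) -> LOTL categories observed
    for ev in events:
        name = tool_name(ev["image"])
        cat = LOTL_TOOLS.get(name)
        if cat is None:
            continue  # not a native tool we track
        categories[(ev["host"], ev["account"])].add(cat)
        if ev["account"] not in baseline.get(ev["host"], set()):
            findings.append((ev["host"], ev["account"], f"non-baseline account ran {name}: {ev['cmdline']}"))
    for (host, account), cats in categories.items():
        if len(cats) >= min_categories:
            findings.append((host, account, f"multi-category LOTL activity: {sorted(cats)}"))
    return findings

if __name__ == "__main__":
    for host, account, reason in flag_anomalies(SAMPLE_EVENTS, BASELINE):
        print(f"[{host}] {account}: {reason}")
```

On the sample data only the HMI workstation account is reported: three per-command findings and one summary finding spanning network, WMI, and scheduler categories, while the baselined service accounts on DC01 and FS01 stay quiet.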
Program alignment
- NIST CSF 2.0 ID.AM & PR.PS. Maintaining authoritative asset inventories and hardened privileged access helps satisfy updated framework outcomes.
- CISA Cross-Sector CPGs. The advisory reinforces PG.1 (Asset Visibility), PG.4 (Privilege Management), and PG.8 (Network Segmentation).
- Sector-specific mandates. Electric utilities, water systems, and pipeline operators should map guidance to NERC CIP, AWWA, and TSA directives, respectively.