
Cyber Threat — Volt Typhoon

CISA and partners released guidance on PRC state-sponsored actors using 'living off the land' techniques—meaning they are using your own tools against you. They are abusing legitimate admin tools like PowerShell, WMI, and certutil to blend in with normal network activity. Focus on monitoring for anomalous use of these tools, not just looking for malware signatures.


On 2 July 2024, CISA, FBI, NSA, the U.S. Department of Energy, and allied cybersecurity agencies from Australia, Canada, New Zealand, and the United Kingdom released an updated joint advisory detailing how People’s Republic of China (PRC) state-sponsored actors burrow into U.S. critical infrastructure. Building on the Volt Typhoon revelations, the advisory outlines living-off-the-land (LOTL) tradecraft that blends legitimate administrative tools, hands-on-keyboard operations, and long-term persistence across IT and operational technology (OT) environments. Targeted sectors include energy, water, communications, and transportation. Operators are urged to assume compromise, prioritize credential hygiene, implement secure remote access, and improve monitoring focused on behavioral anomalies rather than signature-based indicators alone.

The advisory describes threat actors using default credentials, stolen administrator accounts, VPN appliances, and remote management services to pivot laterally. They abuse built-in tools such as PowerShell, Windows Management Instrumentation (WMI), certutil, netsh, PsExec, and scheduled tasks to avoid detection. On Linux and network appliances, they use SSH, BusyBox utilities, cron jobs, and vendor-specific management shells.

Data staging occurs in memory or via removable media to minimize forensic artifacts. Actors deploy web shells, modify router firmware, and maintain persistence using legitimate backup features or device registration portals. The campaign’s objective is to pre-position in U.S. critical infrastructure for potential disruption during geopolitical crises.

Threat techniques and indicators

  • Initial access: Exploiting unpatched VPN gateways and perimeter devices (Fortinet, Citrix, Ivanti, Cisco), abusing manufacturer default passwords, and credential stuffing against public-facing services.
  • Credential access: Dumping LSASS memory, extracting NTDS.dit, using Mimikatz-like tooling, and using ntdsutil or esentutl for offline credential theft.
  • Lateral movement: Using wmic, sc.exe, SMB, RDP, and scheduled tasks; pivoting through ICS support networks and jump hosts; deploying reverse SSH tunnels.
  • Persistence: Creating new administrative accounts, enabling Remote Desktop, modifying startup scripts, and using router or firewall configuration backups to reinsert backdoors.
  • Defense evasion: Clearing event logs, disabling security tools, using encryption via stunnel or plink, and staging commands in batch scripts executed with legitimate service accounts.
  • Command and control: Using commercial cloud infrastructure, dynamic DNS, and compromised small office/home office routers as forward proxies; blending traffic with normal administrative protocols.

Control mapping for defenders

  • NIST Cybersecurity Framework 2.0: ID.GV-04 (establish governance), PR.AC-04 (enforce least privilege), PR.AA-06 (continuous authentication), DE.CM-07 (anomalous event detection), and RS.AN-01 (investigation) are directly implicated.
  • NIST SP 800-82 Rev. 3: Apply ICS-specific guidance for network segmentation, jump host governance, monitoring of Level 3/Level 2 communications, and incident response integration between IT and OT.
  • MITRE ATT&CK: Map observed behaviors to T1078 (Valid Accounts), T1021 (Remote Services), T1105 (Ingress Tool Transfer), T1047 (WMI), T1059 (Command and Scripting Interpreter), and T1480 (Execution Guardrails) to inform detection rules.
  • CISA Cross-Sector Cybersecurity Performance Goals (CPGs): emphasize account security, logging, remote access control, supply chain risk management, and incident response coordination.
  • ISA/IEC 62443: Align with requirements for secure remote access (SR 1.5), user authentication (AC), and security monitoring (SM) in industrial environments.

Immediate priorities (0–30 days)

  1. Credential hygiene and MFA. Rotate privileged credentials, enforce phishing-resistant multi-factor authentication (MFA) on all remote access pathways, and disable unused accounts.
  2. Perimeter hardening. Patch VPN and remote management appliances, validate firmware integrity, disable legacy protocols, and restrict management interfaces to dedicated networks.
  3. Logging and telemetry uplift. Centralize logs from VPNs, firewalls, domain controllers, OT gateways, and telemetry for remote sessions; ensure storage for at least 400 days to support retrospective analysis.
  4. Segmentation enforcement. Audit firewall rules between IT and OT, restrict remote access to jump hosts with monitored session recording, and deploy unidirectional gateways where feasible.
  5. Threat hunting. Use the advisory’s indicator packages (hashes, commands, IP addresses) to scan for persistence; inspect scheduled tasks, services, and new administrative accounts across Windows and Linux estates.

Medium-term initiatives (30–120 days)

  • Implement secure access service edge (SASE) or zero-trust network access (ZTNA) for vendor and remote engineer connections to OT environments.
  • Deploy privileged access management (PAM) vaulting and session brokering for domain administrators and ICS engineers.
  • Adopt behavioral analytics and EDR solutions tuned for LOTL tactics, including PowerShell transcription logging, AMSI integration, Sysmon deployment, and Linux auditd rules.
  • Conduct compromise assessments using memory forensics (Velociraptor, KAPE, Volatility) and network flow analysis to detect dormant footholds.
  • Build joint IT/OT incident response playbooks and rehearse them with executive leadership, legal, and communications teams.

Sector-specific playbooks

  • Energy and utilities: Align with North American Electric Reliability Corporation (NERC) CIP standards; ensure remote substation access uses jump hosts with session monitoring; validate protective relays and SCADA servers for tampering.
  • Water and wastewater: Inventory programmable logic controllers (PLCs) and human-machine interfaces (HMIs), enforce physical security, and deploy anomaly detection on Modbus and DNP3 traffic.
  • Communications: Harden core routers, base station controllers, and network management systems; monitor for unauthorized firmware changes and SIM swapping attempts.
  • Transportation: Secure airport operations networks, rail signaling, and maritime port management systems; ensure remote vendor access is time-bound and recorded.

Detection engineering checklist

  • Enable PowerShell script block logging (4104), module logging (4103), and transcription; alert on encoded commands and suspicious modules.
  • Monitor WMI event subscriptions, wmic process call create, and remote process creation via Sysmon Event ID 1.
  • Detect anomalous use of netsh portproxy, sc.exe create, schtasks /create /tn, and wevtutil cl.
  • Alert on LSASS memory access by non-approved processes; monitor creation of C:\Windows\Temp\*\ directories linked to credential dumping tools.
  • Use DNS and proxy telemetry to flag dynamic DNS domains, unusual outbound traffic to VPS providers, and long-lived SSH tunnels.
  • Deploy OT-specific intrusion detection (Dragos, Nozomi, Claroty) to monitor command changes, new ladder logic, or unauthorized engineering workstation connections.
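As an added illustration of this checklist (example code written for this briefing, not from the advisory, CISA, or any vendor), the rules below run over constructed Sysmon-style process-creation (Event ID 1) and process-access (Event ID 10) events and flag the netsh portproxy, sc.exe create, schtasks /create /tn, wevtutil cl, wmic process call create and encoded-PowerShell patterns, plus LSASS access from a process outside an allow-list. The event values, the field names, and the sensor.exe allow-list entry are assumptions; a benign PowerShell -File invocation is included to show it is not flagged.

```python
import re

# Constructed sample Sysmon-style events (ID 1 = process creation, ID 10 = process access); values are made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "User": "CORP\\svc-backup", "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5 connectport=3389"},
    {"EventID": 1, "User": "CORP\\jdoe", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -Enc RwBlAHQALQBEAGEAdABlAA=="},  # UTF-16LE "Get-Date"
    {"EventID": 1, "User": "CORP\\jdoe", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},  # benign, not flagged
    {"EventID": 1, "User": "NT AUTHORITY\\SYSTEM", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Updater" /tr C:\Windows\Temp\u.bat /sc onlogon /ru SYSTEM'},
    {"EventID": 1, "User": "CORP\\admin1", "Image": r"C:\Windows\System32\wevtutil.exe", "CommandLine": "wevtutil cl Security"},
    {"EventID": 1, "User": "CORP\\admin1", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic /node:10.0.0.7 process call create "cmd.exe /c hostname"'},
    {"EventID": 10, "User": "CORP\\admin1", "SourceImage": r"C:\Windows\Temp\x\dump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "User": "NT AUTHORITY\\SYSTEM", "SourceImage": r"C:\Program Files\EDR\sensor.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
]
# (rule name, image basenames the rule applies to, regex evaluated against the lower-cased command line)
PROCESS_RULES = [
    ("netsh_portproxy",    ("netsh.exe",),                 r"\bportproxy\b"),
    ("sc_create",          ("sc.exe",),                    r"\bcreate\b"),
    ("schtasks_create",    ("schtasks.exe",),              r"/create\b.*\s/tn\b"),
    ("wevtutil_clear_log", ("wevtutil.exe",),              r"\b(cl|clear-log)\b"),
    ("wmic_remote_create", ("wmic.exe",),                  r"\bprocess\b.*\bcall\b.*\bcreate\b"),
    ("powershell_encoded", ("powershell.exe", "pwsh.exe"), r"\s-e(c|n|nc|ncodedcommand)?\b"),  # any -EncodedCommand prefix
]
# Processes expected to open LSASS: constructed placeholder allow-list, tune it to your own EDR/AV and OS build.
APPROVED_LSASS_READERS = {"sensor.exe", "msmpeng.exe", "csrss.exe", "wininit.exe"}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect_lotl(events):
    """Return one finding per event that matches a LOTL rule, in event order."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            image, cmd = basename(ev["Image"]), ev["CommandLine"].lower()
            for rule, images, pattern in PROCESS_RULES:
                if image in images and re.search(pattern, cmd):
                    findings.append({"rule": rule, "user": ev["User"], "evidence": ev["CommandLine"]})
        elif ev["EventID"] == 10 and basename(ev["TargetImage"]) == "lsass.exe":
            if basename(ev["SourceImage"]) not in APPROVED_LSASS_READERS:
                findings.append({"rule": "lsass_access_unapproved", "user": ev["User"], "evidence": ev["SourceImage"]})
    return findings

if __name__ == "__main__":
    for f in detect_lotl(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['user']}: {f['evidence']}")
```

In production the same rules belong in the SIEM or EDR query language; the point here is that each rule keys on the tool plus its argument pattern and the allow-list handles the expected LSASS readers, rather than matching a file hash.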

Performance tracking

  • Percentage of remote access pathways protected by phishing-resistant MFA and PAM session recording.
  • Mean time to detect anomalous administrative activity (goal <24 hours) and mean time to contain confirmed intrusions.
  • Coverage of logging (systems sending to SIEM/SOC) across IT and OT assets; percentage of logs retained for 12+ months.
  • Number of high-risk findings from compromise assessments closed within agreed SLAs.
  • Progress against the CISA CPG implementation roadmap, reported quarterly to executive leadership and regulators.

90-day action plan

  1. Weeks 1–4: Execute emergency credential rotations, patch perimeter devices, and baseline telemetry; conduct joint executive briefings on the advisory’s implications.
  2. Weeks 5–8: Roll out behavioral detections, implement PAM for domain admins, and complete compromise assessments across critical sites.
  3. Weeks 9–12: Finalize IT/OT playbooks, conduct red team/blue team exercises simulating LOTL intrusion, and present program metrics to Boards and sector regulators.

This brief supports critical infrastructure operators in defending against PRC LOTL campaigns—combining perimeter hardening, telemetry engineering, compromise assessments, and cross-sector governance so teams can detect and disrupt adversaries before they impact national resilience.


Further reading

  1. CISA news release: Joint guidance on PRC state-sponsored actors living off the land (July 2, 2024) — www.cisa.gov
  2. Joint Cybersecurity Advisory AA24-184A: People’s Republic of China State-Sponsored Cyber Actor Living Off the Land to Evade Detection (July 2, 2024) — www.cisa.gov
  3. Canadian Center for Cyber Security: Chinese state-sponsored cyber threat activity targeting critical infrastructure (July 2, 2024) — www.cyber.gc.ca