Background
On May 24, 2023, Microsoft and the cybersecurity agencies of the “Five Eyes” intelligence-sharing alliance released a joint cybersecurity advisory detailing a series of activities attributed to the state-sponsored actor based in the People’s Republic of China (PRC) known as Volt Typhoon. According to the blog post published by Microsoft, these activities include attacks against critical infrastructure in Guam and the United States that have been ongoing since mid-2021, targeting the communications, manufacturing, utilities, transportation, construction, maritime, government, IT, and education sectors. As there is no evidence that any destructive attacks have been launched, the group’s main objective is assessed to be gathering intelligence and establishing a presence under the radar. Such a foothold would enable it to compromise or disrupt key communication infrastructure between the United States and the Asian region in the event of a future crisis, which is of particular concern to the industry. The Volt Typhoon incident reminds us of the following three significant risks:
Emerging Threats
According to the joint Cybersecurity Advisory published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and its international partners, one of Volt Typhoon’s main Tactics, Techniques, and Procedures (TTPs) is to use the system’s existing management tools to achieve its objectives. This TTP lets the attackers evade detection by blending in with normal Windows system and network activities, avoid the alerts that Endpoint Detection and Response (EDR) products raise when third-party applications are introduced onto a host, and limit the amount of activity captured under default log configurations. Built-in tools used by the attackers include wmic, ntdsutil, netsh, and PowerShell. This lets them disguise many behavioral indicators as legitimate system management commands, making detection by IT EDR considerably harder.
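Detection logic for the living-off-the-land pattern described above, as an added example that is not part of the original post or of any TXOne product: it scans constructed process-creation events for the four built-in tools the advisory names, treats a missing command line as a visibility gap (the default-logging blind spot the advisory points to), and raises the severity when several of those tools appear on one host within a short window, since each command looks benign on its own and only the combination stands out. The allowlist of expected parent processes, the host names and the sample events are all assumptions made up for the example.

```python
"""Flag living-off-the-land tool use in Windows process-creation telemetry.

Added example, not code from the original post or from TXOne. It scores
process-creation events for the built-in tools the advisory names (wmic,
ntdsutil, netsh, PowerShell) and also flags events whose command line was
never recorded, the 'default log configuration' blind spot described above.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in tools named in the advisory as Volt Typhoon's living-off-the-land set.
LOTL_TOOLS = {"wmic.exe", "ntdsutil.exe", "netsh.exe", "powershell.exe"}

# Hypothetical allowlist for this (imaginary) estate: the parent processes from
# which administrators are expected to launch those tools. Tune per environment.
EXPECTED_PARENTS = {"explorer.exe", "mmc.exe"}

# Constructed sample events, normalised from 4688/Sysmon-style records.
# cmdline is None where command-line auditing was not enabled on the host.
SAMPLE_EVENTS = [
    {"ts": "2023-05-24T09:00:01", "host": "ws01", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"ts": "2023-05-24T09:05:10", "host": "dc01", "parent": "cmd.exe",
     "image": r"C:\Windows\System32\ntdsutil.exe", "cmdline": "ntdsutil.exe"},
    {"ts": "2023-05-24T09:06:02", "host": "dc01", "parent": "cmd.exe",
     "image": r"C:\Windows\System32\netsh.exe", "cmdline": "netsh.exe"},
    {"ts": "2023-05-24T09:06:30", "host": "dc01", "parent": "cmd.exe",
     "image": r"C:\Windows\System32\wbem\wmic.exe", "cmdline": None},
    {"ts": "2023-05-24T11:00:00", "host": "ws02", "parent": "mmc.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\inventory.ps1"},
]


def basename(path):
    """Last path component, lower-cased, so comparisons ignore location and case."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events, window=timedelta(minutes=10)):
    """Return one finding per suspicious launch of a LOTL tool.

    A launch is suspicious when its parent is outside the allowlist or when the
    command line is missing. Severity rises to 'high' when three or more distinct
    LOTL tools appear on the same host within `window`.
    """
    findings = []
    seen = defaultdict(list)  # host -> [(timestamp, tool)] for LOTL launches
    for ev in sorted(events, key=lambda e: e["ts"]):
        tool = basename(ev["image"])
        if tool not in LOTL_TOOLS:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        seen[ev["host"]].append((ts, tool))
        reasons = []
        if ev.get("cmdline") is None:
            reasons.append("command line not recorded; enable command-line auditing")
        if basename(ev["parent"]) not in EXPECTED_PARENTS:
            reasons.append(f"launched from unexpected parent {ev['parent']}")
        if not reasons:
            continue
        # Distinct LOTL tools seen on this host in the trailing window, current one included.
        distinct = {t for t0, t in seen[ev["host"]] if ts - t0 <= window}
        findings.append({
            "host": ev["host"], "ts": ev["ts"], "tool": tool,
            "severity": "high" if len(distinct) >= 3 else "medium",
            "reasons": reasons,
        })
    return findings


def worst_by_host(findings):
    """Collapse findings to the highest severity per host for triage."""
    rank = {"medium": 1, "high": 2}
    worst = {}
    for f in findings:
        if rank[f["severity"]] > rank.get(worst.get(f["host"]), 0):
            worst[f["host"]] = f["severity"]
    return worst


if __name__ == "__main__":
    results = analyze(SAMPLE_EVENTS)
    for f in results:
        print(f["severity"].upper(), f["host"], f["ts"], f["tool"], "; ".join(f["reasons"]))
    print(worst_by_host(results))
```

Run it directly to print the findings for the sample data. The caveat it encodes is the one a practitioner hits first: a host whose process-creation events carry no command line cannot be assessed beyond "a management tool ran", so enabling command-line auditing on Windows is a prerequisite for any rule of this kind to be useful.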
Geopolitical Tensions
Amid international competition for resources and tense geopolitical relationships, such as the Russo-Ukrainian conflict and friction in the Taiwan Strait, nation-state hackers and politically motivated organizations have started to launch intense attacks. We reported on this trend in our 2022 cybersecurity annual report. In the Russo-Ukrainian conflict, we witnessed direct machine-destroying attacks, also known as Wiper attacks. Today, we even see nation-state threat actors employing living-off-the-land attack techniques. Industries related to critical infrastructure, including key manufacturing sectors, must heighten their vigilance. Geopolitical conflict can lead to attacks that impact seemingly unrelated nations, causing collateral damage; for instance, we saw Wiper malware spread to 26 countries during the Russo-Ukrainian conflict.
Collateral Damage
What makes the Volt Typhoon operation unusual is that its covert objective may be to gain the capability to disrupt critical communication infrastructure between the United States and Asia. From an attack perspective, most Operational Technology (OT) attacks stem from Information Technology (IT) incidents, which we refer to as collateral damage. According to our 2022 cybersecurity annual report, 94% of IT security incidents have also impacted the OT environment as IT and OT become more integrated, and 70% of organizations had their data or operations held hostage by malicious actors, demonstrating that cybersecurity incidents can lead to operational disruptions and data hijacking, ultimately resulting in financial losses.
What is particularly dangerous about the Volt Typhoon operation, based on current intelligence and information, is their ability to maintain various access rights to key US infrastructure without being detected by defensive mechanisms. Threat actors heavily rely on living-off-the-land techniques, as well as a hands-on-keyboard attack mode where commands are input directly, to evade antivirus software detection while achieving their objectives more accurately. We provide an analysis of Volt Typhoon’s attack techniques, potential impacts, and mitigation methods, hoping it assists operators of critical infrastructure in taking early countermeasures.
Technical Analysis
The official report has thoroughly discussed the use of relevant tools and specific details. Therefore, in this blog, we will focus more on the process and its unique characteristics. Broadly, we can break down Volt Typhoon’s operation into several main steps:
Step 1: Resource Development
The operation begins with the attackers compromising small office/home office (SOHO) routers from vendors such as ASUS, Cisco, D-Link, NETGEAR, and Zyxel and using them as command-and-control (C&C) relays from which to launch attacks on their targets.
Step 2: Initial access
The attackers exploit zero-day vulnerabilities in Fortinet FortiGuard devices, gaining access to a device that lets them connect directly to the internal network of the critical infrastructure operator.
Step 3: Privilege Escalation
On the compromised device, the attackers find highly privileged AD credentials with which they can access the Domain Controller or other domain-related services, quickly obtaining high-level privileges and beginning to establish persistence.
Notably, operators of critical infrastructure should grant each device and service only the permissions it actually needs. We have noticed that some manufacturers, for the sake of convenience, recommend that users run services or link authorizations with administrative privileges, a practice that introduces potential security risks.
Step 4: Discovery
Attackers seek to discover system information, including file system types, drive names, sizes, available space, running processes, and open networks. They also use PowerShell, WMIC, and ping commands to find other systems on the compromised network.
Step 5: Collection and Defense Evasion
After the attackers enter the internal network, their goal is not to disrupt its operations but to hide in the environment for as long as possible, steal relevant information, and wait for opportunities. They therefore use various living-off-the-land techniques and hands-on-keyboard activity to avoid detection, remove their footprints, and cover their network traces through proxies. They then continue to explore existing services, access files, and obtain more credentials. The flow chart below simulates a possible Volt Typhoon attack.
Figure 1. Flow chart of Volt Typhoon Simulated Attack
We have mapped the information presented so far to MITRE ATT&CK for Enterprise, as shown in Figure 2. The results might differ slightly from the official announcement, since we associated the techniques based on our own threat research analysis and judgement.
Figure 2. Volt Typhoon Corresponds to MITRE ID
Implications of Volt Typhoon for Defense in Critical Infrastructure
Current OT/ICS cybersecurity is inherently weak, due to both external and internal challenges. External challenges arise from threats to supply chain assets; internal challenges come from IT and internal personnel. For instance, many teams still rely on IT cybersecurity solutions to address OT/ICS cybersecurity issues. However, if IT protection fails (for example, IT EDR), OT/ICS is highly likely to be affected. Historical experience tells us that once OT/ICS is attacked, it requires a longer recovery time and incurs greater economic losses. Furthermore, we are dealing with a shortage of OT/ICS cybersecurity professionals. According to the (ISC)² 2022 Cybersecurity Workforce Study, the world faces a cybersecurity workforce gap of 3.4 million people. In the IT field, the talent shortage is already a prominent issue, and it is even more acute in the OT/ICS field. Thus, we need to consider the objectives and environmental limitations of the OT/ICS environment and propose effective ways to improve it, rather than investing blindly.
The OT Environment Needs a New Operation Focused Defense Mindset
The availability, stability, and security of operations in critical infrastructure are vital for business continuity. Organizations need to consider how to reduce the risk of interruptions due to system failures, unauthorized changes, or security incidents, ensuring consistent delivery of products and services to customers.
As we know, the objective of OT teams is to maintain the stability of devices and systems to maximize operational availability. Therefore, while security is important to all departments, mitigation controls must be tuned to support the devices rather than degrade their performance. For example, if someone tries to change a device configuration, the operational priority is to prevent that change in order to maintain stability. This operational approach focuses primarily on detecting changes, especially unexpected ones.
To detect these changes, the first step is to understand the expected configuration and behavior of each device: each device needs to be uniquely identified, or fingerprinted. Because each device is slightly different, it’s best to do this at the individual agent level. Then, by continuously analyzing relevant telemetry data about the device, any change that occurs is detected as a deviation from the established fingerprint, prompting a response.
Why IT EDR Approaches are not Suitable for OT Environments
IT EDR defense is based on the real-time identification of threat patterns. Rapid detection of, and response to, a combination of behaviors indicating a threat can maintain the confidentiality and integrity of organizational data. Threat detection in IT EDR starts by analyzing a large amount of telemetry data collected from multiple endpoints and correlating endpoint behavior with Tactics, Techniques, and Procedures (TTPs) and Indicators of Attack (IOAs). However, the Volt Typhoon case tells us that modern threat actors can evade detection, blend in with normal Windows system and network activities, avoid the alerts that EDR products raise for third-party applications introduced onto a host, and limit the volume of activity captured under the default log configuration. Furthermore, IT EDR can’t monitor threat behaviors it doesn’t understand, and some command lines may be wrongly classified as benign and overlooked by security personnel. Therefore, when a cybersecurity defense framework relies too heavily on an IT EDR product as its foundation, there remains a risk of a breach of the cybersecurity defenses, and with it a risk to business continuity.
Moreover, threat mitigation techniques based on IT EDR often introduce a greater risk of interruption by affecting the operation itself. For instance, when IT EDR detects a certain threat, the primary task is to limit the propagation of any attack and break the attack chain. The threat response action to achieve this goal is to isolate the infected endpoint and terminate all functionalities and processes related to the attack. Therefore, maintaining a security posture to support security objectives might even come at the cost of sacrificing the availability of individual endpoints.
In summary, to counter threats like Volt Typhoon, organizations should consider adopting an Operation Focused approach. This involves suppressing unexpected behavioral changes in the device to eliminate their potential to introduce instability. Subsequently, generating highly actionable alerts allows the security team to perform incident response when threats are present and enables the operations team to investigate potential process issues or changes. The advantage of this method lies in the speed of its response, as detection occurs at the individual agent level. It eliminates the need to wait for cloud-managed analytics to determine whether something is a specific threat pattern. Instead, any changes are detected and responded to, whether they are threats, unintentional configuration changes, or anything else, all without having operations grind to a halt while analysis is conducted to determine if a threat has or has not occurred.
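The fingerprint-and-deviation loop described in this section (identify each device, compare each new telemetry snapshot with its baseline, suppress unexpected changes, and raise an actionable alert for the rest) as an added example that is not part of the original post and not a TXOne product implementation. The device snapshots, file paths, service names and the suppress-or-alert policy are all constructed for the example; a real agent would collect the snapshot fields from the host.

```python
"""Fingerprint an OT device's expected state and turn deviations into actions.

Added example, not code from the original post or a TXOne product. It shows the
Operation Focused loop described in the text: capture a per-device baseline,
compare each new telemetry snapshot with it, and map every deviation to a
suppress-or-alert decision. Snapshots, paths and the policy are all constructed.
"""
import hashlib
import json

# Constructed baseline snapshot of an (imaginary) HMI workstation, as an agent
# might collect it: service states, listening ports, config contents, autoruns.
BASELINE_SNAPSHOT = {
    "services": {"hmi_runtime": "running", "opcua_server": "running", "spooler": "stopped"},
    "listening_ports": [4840, 3389],
    "config_files": {r"C:\HMI\project.cfg": "plc=192.168.10.5\nscan=100ms\n"},
    "autoruns": [r"C:\HMI\runtime.exe"],
}

# Constructed later snapshot in which four things have drifted.
DRIFTED_SNAPSHOT = {
    "services": {"hmi_runtime": "running", "opcua_server": "running", "spooler": "running"},
    "listening_ports": [4840, 3389, 8080],
    "config_files": {r"C:\HMI\project.cfg": "plc=192.168.10.5\nscan=50ms\n"},
    "autoruns": [r"C:\HMI\runtime.exe", r"C:\Users\Public\update.exe"],
}

# Hypothetical response policy: changes to what the device runs are suppressed;
# changes that only alter exposure, or removals, are surfaced to the operations team.
POLICY = {
    "config_modified": "block", "new_autorun": "block", "new_service": "block",
    "service_state_changed": "alert", "new_listening_port": "alert", "new_config_file": "alert",
    "service_removed": "alert", "autorun_removed": "alert", "port_closed": "alert",
}


def fingerprint(snapshot):
    """Reduce a snapshot to comparable digests; file contents are hashed, not stored."""
    fp = {
        "services": dict(snapshot["services"]),
        "listening_ports": sorted(snapshot["listening_ports"]),
        "config_files": {path: hashlib.sha256(body.encode()).hexdigest()
                         for path, body in snapshot["config_files"].items()},
        "autoruns": sorted(snapshot["autoruns"]),
    }
    # One digest lets the agent answer "has anything changed?" with a single comparison.
    fp["digest"] = hashlib.sha256(json.dumps(fp, sort_keys=True).encode()).hexdigest()
    return fp


def deviations(baseline_fp, snapshot):
    """List (kind, detail) pairs where the snapshot departs from the baseline."""
    current = fingerprint(snapshot)
    if current["digest"] == baseline_fp["digest"]:
        return []
    found = []
    for name, state in current["services"].items():
        base = baseline_fp["services"].get(name)
        if base is None:
            found.append(("new_service", name))
        elif base != state:
            found.append(("service_state_changed", f"{name}: {base} -> {state}"))
    for port in current["listening_ports"]:
        if port not in baseline_fp["listening_ports"]:
            found.append(("new_listening_port", str(port)))
    for path, digest in current["config_files"].items():
        base = baseline_fp["config_files"].get(path)
        if base is None:
            found.append(("new_config_file", path))
        elif base != digest:
            found.append(("config_modified", path))
    for entry in current["autoruns"]:
        if entry not in baseline_fp["autoruns"]:
            found.append(("new_autorun", entry))
    # Removals: anything the baseline had that the current snapshot lacks.
    for kind, key in (("service_removed", "services"), ("port_closed", "listening_ports"),
                      ("autorun_removed", "autoruns")):
        for item in baseline_fp[key]:
            if item not in current[key]:
                found.append((kind, str(item)))
    return found


def respond(found):
    """Attach the policy action to each deviation, giving (action, kind, detail)."""
    return [(POLICY[kind], kind, detail) for kind, detail in found]


if __name__ == "__main__":
    baseline = fingerprint(BASELINE_SNAPSHOT)
    for action, kind, detail in respond(deviations(baseline, DRIFTED_SNAPSHOT)):
        print(f"{action.upper():5} {kind:22} {detail}")
```

The design choice worth noting is that the baseline stores digests rather than contents, so the fingerprint itself leaks nothing if it is exfiltrated, and the comparison needs no cloud round-trip: the agent decides locally from the baseline and the policy, which is what keeps the response fast enough to suppress a change before it takes effect.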
TXOne CPSDR – The Last Line of Defense for Level 0 to Level 3
What is CPSDR
Implementing the Operation Focused approach requires a new architecture that addresses both security and operational threats – we refer to this as “Cyber-Physical Systems Detection and Response”, CPSDR for short. CPSDR uniquely identifies each device and monitors changes in its normal operation, detecting unexpected alterations and abnormal behavior in real-time through deviation and behavioral analysis. Then, these changes are suppressed before they can have any impact. Simultaneously, it introduces the validated cyber threat detection and response concept from EDR into operational threat protection, supporting common goals. With this new dual perspective and focus, security teams can mitigate the risks of cybersecurity attacks, while OT teams can lock down configurations, allowing each team to fulfill its tasks without endangering operational continuity. In other words, even if an attacker manages to bypass IT security defenses undetected, it won’t remain undetected in the OT/ICS environment. This is because any final changes the attack attempts to make to the device’s fingerprint (in order to camouflage it as benign) will in and of itself be detected and thus thwarted.
The Last Line of Defense for Level 0 to Level 3
We position CPSDR as the enterprise’s last line of defense. In terms of the Purdue reference model, IT cyberattacks at levels 4 and 5 target user credentials to enable further malicious activity by the attacker. As a result, many OT/ICS environments are impacted by level 4 malware and ransomware, leading to data loss or hijacking. To cause more significant disruption on the OT/ICS side, attackers exploit vulnerabilities to propagate at scale within the environment. In some cases, cyber-espionage activities go deeper, attacking PLC/DCS to shut down production lines and introduce safety hazards.
From a threat detection perspective, attacks at levels 4 and 5 are comparatively easy to detect and intercept, for a simple reason: there are numerous IT security solutions covering email, endpoints, networks, and even the cloud. But those solutions also bring alert fatigue to security teams, raising the burden of security management and giving attackers a chance to evade detection and infiltrate level 3. Once an attacker crosses into level 3, threat detection becomes much harder, because what follows may be a meticulously planned targeted attack. OT-side threat detection and response must therefore account for alert fatigue without increasing workload, and use unique operational behavior as the primary detection indicator for threat hunting.
Applicable Solution from TXOne Stellar
TXOne Networks is pioneering a new paradigm in the protection domain through TXOne Stellar. Engineered specifically for OT/ICS environments, Stellar safeguards the operational stability of OT/ICS devices and physical systems and detects and responds to cyber threats, while aligning with the objectives of both business and security teams. Drawing on TXOne Networks’ deep understanding of the OT/ICS industry, the industry can move away from the belief that “IT solutions are the only option”. Stellar not only accelerates your OT resilience but also boosts the confidence of your operational teams, allowing security teams to implement security controls without hampering availability, as they are equally vested in their objectives.
Applicable Solution from TXOne Edge Network Defense
In addition to endpoint protection, TXOne Networks supports the principle of least privilege through its Edge network defense solution, which lets businesses minimize the OT/ICS attack surface, curtail OT/ICS cyberattacks, boost operational performance, and reduce the impact of human error. Fine-grained access control at various levels helps businesses maintain a balance between availability and security while protecting critical systems. Moreover, the Edge series’ network-based virtual patch technology builds a protective shield around legacy OS or unpatched assets that deters attackers from exploiting a network vulnerability to gain system access. Several rules that detect the relevant CVEs (Common Vulnerabilities and Exposures) are provided to support this approach:
- Exploit Public-Facing Application (T1190)
  - 1139737 WEB Zoho ManageEngine ADSelfService Plus Authentication Bypass -1 (CVE-2021-40539)
  - 1232874 WEB FatPipe Networks WARP/IPVPN/MPVPN Arbitrary File Upload (CVE-2021-27860)
- Top CVEs Actively Exploited by People’s Republic of China State-Sponsored Cyber Actors
  - 1135945 WEB Pulse Secure 8.1R15.1/8.2/8.3/9.0 SSL VPN – Arbitrary File Disclosure (CVE-2019-11510)
  - 1136561 EXPLOIT Citrix Application Delivery Controller Remote Code Execution -1.1 (CVE-2019-19781)
  - 1232257 WEB F5 BIG-IP TMUI Directory Traversal and File Upload RCE -4 (CVE-2020-5902)
  - 1139324 WEB Cisco HyperFlex HX Auth Handling Remote Command Execution (CVE-2021-1497)
  - 1139528 WEB Buffalo Wifi Router Path Traversal -1.1 (CVE-2021-20090)
  - 1139779 WEB VMware vCenter Server AsyncTelemetryController Arbitrary File Write -1 (CVE-2021-22005)
  - 1139640 WEB Confluence Server Webwork OGNL injection -1 (CVE-2021-26084)
  - 1138767 WEB Microsoft Exchange Server Remote Code Execution Vulnerability -1 (CVE-2021-26855)
  - 1139043 WEB Microsoft Exchange CVE-2021-26858 Arbitrary File Write -1
  - 1138931 WEB Microsoft Exchange CVE-2021-27065 Arbitrary File Write -1
  - 1139937 WEB Hikvision Product Web Server Command Injection -1.1 (CVE-2021-36260)
  - 1139826 WEB Apache HTTP Server Path traversal (CVE-2021-41773)
  - 1230159 WEB Sitecore Experience Platform (XP) PreAuth Deserialization RCE (CVE-2021-42237)
  - 1230268 WEB Apache log4j Remote Code Execution -1.u (CVE-2021-44228)
  - 1231035 WEB F5 BIG-IP REST Unauthenticated SSRF Token Generation RCE -1 (CVE-2022-1388)
  - 1230924 WEB Apache APISIX batch-requests Plugin IP Restriction Bypass (CVE-2022-24112)
  - 1231199 WEB Atlassian Confluence Server and Data Center xwork OGNL Injection -1 (CVE-2022-26134)
- Command and Control: Proxy (T1090)
  - 1232879 MALWARE-FILE-TRANSFER HackTool.Win32.EarthWrom
  - 1232880 MALWARE-FILE-TRANSFER HackTool.Win64.RemCom
  - 1232881 MALWARE-FILE-TRANSFER HackTool.Win32.Meterpreter.A -1
  - 1232882 MALWARE-FILE-TRANSFER HackTool.Win64.FRP.YXDEY -1
  - 1232884 MALWARE-FILE-TRANSFER HackTool.Win64.FRP.YXDEY -2
  - 1232885 MALWARE-FILE-TRANSFER HackTool.Win64.FRP.YXDEY -3
Conclusion
As geopolitical tensions rise, state-sponsored hackers and politically motivated organizations may launch intense attacks. We have seen that the tactics employed by state-sponsored campaigns like Volt Typhoon are effective: when attackers can evade detection, blend in with normal Windows system and network activities, avoid the alerts that EDR products raise for third-party applications introduced onto hosts, and even limit the amount of activity captured in default log configurations, IT EDR defense becomes far more difficult. We believe one of the key tasks for critical infrastructure is to ensure business continuity. However, when an organization’s IT defense architecture breaks down and attackers cross into level 3 of the Purdue Model, threat detection becomes increasingly difficult, because what follows may be a carefully planned targeted attack with serious impact on OT operations.
At this point, organizations need to rethink what constitutes their last line of defense. TXOne Networks believes that the OT/ICS environment in industries needs an Operation Focused defense approach to maximize operational availability. This involves suppressing unexpected changes by leveraging the unique characteristics of devices and comprehensive security policies to eliminate the risks they introduce. Subsequently, highly actionable alerts are generated, allowing the security team to respond to threats when they arise, and enabling the operations team to investigate potential process issues or changes, rather than sacrificing the availability of individual endpoints.
TXOne Networks presents the Cyber-Physical Systems Detection and Response (CPSDR) framework. This ensures that even if an attacker manages to breach IT security defenses undetected, they would be promptly discovered within the OT/ICS environment. This is because any final alterations made to device fingerprints during an attack will still be detected and stopped. Our mission is to maintain industrial availability, stability, and safety for critical infrastructures and the manufacturing industry, thereby overcoming cybersecurity challenges and ensuring continuous operations.
If you’re seeking a solution centered around a Zero Trust approach for OT, one that protects your assets while maintaining operational continuity, then we are here to help. Feel free to reach out to our team for more information.