At a glance.
- Five Eyes publish report on Volt Typhoon.
- Volt Typhoon targets emergency management services in the US.
- NIST releases Cybersecurity Framework 2.0.
- Biden administration issues executive order on maritime cybersecurity.
- Suspected Chinese threat actor continues to exploit Ivanti vulnerabilities.
- ThyssenKrupp sustains ransomware attack.
- Siemens and Schneider Electric issue patches.
Five Eyes publish report on Volt Typhoon.
The US government and its Five Eyes partners continue their efforts to publicize the activities of the alleged Chinese state-sponsored threat actor Volt Typhoon. Earlier this month the US Cybersecurity and Infrastructure Security Agency (CISA), NSA, FBI, and the cybersecurity directorates of Australia, Canada, New Zealand, and the UK published a joint advisory outlining the threat actor’s operations against US critical infrastructure.
The advisory states, “The U.S. authoring agencies have confirmed that Volt Typhoon has compromised the IT environments of multiple critical infrastructure organizations—primarily in Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors—in the continental and non-continental United States and its territories, including Guam.”
The agencies observe, “Volt Typhoon’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions. The U.S. authoring agencies are concerned about the potential for these actors to use their network access for disruptive effects in the event of potential geopolitical tensions and/or military conflicts.” The US agencies note that the threat actor has been “maintaining access and footholds within some victim IT environments for at least five years.”
The advisory adds, “[The Canadian Centre for Cyber Security (CCCS)] assesses that the direct threat to Canada’s critical infrastructure from PRC state-sponsored actors is likely lower than that to U.S. infrastructure, but should U.S. infrastructure be disrupted, Canada would likely be affected as well, due to cross-border integration. ASD’s ACSC and NCSC-NZ assess Australian and New Zealand critical infrastructure, respectively, could be vulnerable to similar activity from PRC state-sponsored actors.”
At the Munich Security Conference over the weekend, FBI director Christopher Wray called out Volt Typhoon’s targeting of US critical infrastructure, saying such activity from China is the “tip of the iceberg.” According to the Wall Street Journal, Wray said China is increasingly inserting “offensive weapons within our critical infrastructure poised to attack whenever Beijing decides the time is right.”
Volt Typhoon targets emergency management services in the US.
Dragos has published its own report on Volt Typhoon (tracked by Dragos as “VOLTZITE”), noting that the threat actor has been targeting multiple US electric companies since early 2023. The group has also focused on emergency management services, telecommunications, satellite services, and the defense industrial base, as well as electric transmission and distribution entities in African countries. As recently as January 2024, the threat actor compromised “a large US city’s emergency services GIS network.”
Dragos CEO Robert M. Lee affirmed in a media briefing that VOLTZITE is intentionally targeting critical infrastructure. “It’s hitting the specific electric and satellite communication providers that would be important for disrupting major portions of the U.S. electric infrastructure,” Lee said.
The report explains, “VOLTZITE compromises external network perimeter applications and assets such as SOHO routers and virtual private network gateways to gain access to targeted organization’s networks. Once within the victim’s network, they leverage [living off the land] techniques and stolen credentials to move through the network.”
The products targeted by Volt Typhoon include Fortinet FortiGuard, PRTG Network Monitor appliances, ManageEngine ADSelfService Plus, FatPipe WARP, Ivanti Connect Secure VPN, and Cisco ASA.
NIST releases Cybersecurity Framework 2.0.
The National Institute of Standards and Technology (NIST) last week released version 2.0 of its Cybersecurity Framework (CSF). The updated version “has an expanded scope that goes beyond protecting critical infrastructure, such as hospitals and power plants, to all organizations in any sector. It also has a new focus on governance, which encompasses how organizations make and carry out informed decisions on cybersecurity strategy. The CSF’s governance component emphasizes that cybersecurity is a major source of enterprise risk that senior leaders should consider alongside others such as finance and reputation.”
Katherine Ledesma, Head of Public Policy & Government Affairs at Dragos, commented, “Although the CSF 2.0 identified that functions, categories, and subcategories are intended to be broad enough to apply to both information technology (IT) and operational technology (OT) environments, as the dialogue around the CSF and related guidance continues, we will see specific attention paid to the distinct approaches needed to protect ICS/OT, given the unique purposes of and risks to those types of systems. This includes continuing to update documents such as the Guide to Operational Technology (OT) Security, and also incorporation of these concepts into broader planning and guidance documents.”
Biden administration issues executive order on maritime cybersecurity.
President Biden last month signed an executive order designed to increase the Department of Homeland Security’s authority to address maritime cyber threats.
Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technologies, said in a press briefing on February 20th, “[T]his executive order will give the Coast Guard the authority to respond to malicious cyber activity by requiring maritime transportation vessels and facilities to shore up their cybersecurity and institute mandatory reporting of cyber incidents. The Coast Guard will also issue a notice of proposed rulemaking to establish minimum cybersecurity requirements that meet international and industry-recognized standards to best manage cyber threats.”
The administration will also invest $20 billion into US port infrastructure over the next five years, much of which will go toward replacing Chinese-made cranes. Neuberger stated, “As part of that, PACECO Corporation, a U.S.-based subsidiary of Mitsui E&S, is planning to onshore domestic manufacturing capacity for American and Korean production for the first time in 30 years, pending final site and partner selection.”
CNBC quotes a senior administration official as saying approximately eighty percent of the cranes used at US ports were manufactured in China and run Chinese software, potentially opening them to surveillance or attacks.
Suspected Chinese threat actor continues to exploit Ivanti vulnerabilities.
Mandiant says the China-aligned threat actor UNC5325 continues to target vulnerabilities affecting Ivanti VPN appliances. The researchers state, “UNC5325 is a suspected Chinese cyber espionage operator that exploited CVE-2024-21893 to compromise Ivanti Connect Secure appliances. UNC5325 leveraged code from open-source projects, installed custom malware, and modified the appliance’s settings in order to evade detection and attempt to maintain persistence. UNC5325 has been observed deploying LITTLELAMB.WOOLTEA, PITSTOP, PITDOG, PITJET, and PITHOOK.”
The researchers believe UNC5325 is connected to UNC3886, another suspected Chinese cyberespionage actor that focuses on technology and telecommunication organizations and the defense industrial base in the US, Asia Pacific, and Japan.
ThyssenKrupp sustains ransomware attack.
German steel production conglomerate ThyssenKrupp has confirmed that its automotive division sustained a ransomware attack in February, SecurityWeek reports. A ThyssenKrupp spokesperson said the attack failed, but the company disconnected systems as a precautionary measure. The incident caused production to shut down at the company’s Saarland-based plant.
ThyssenKrupp said in a statement, “Our ThyssenKrupp Automotive Body Solutions business unit recorded unauthorized access to its IT infrastructure last week. The IT security team at Automotive Body Solutions recognized the incident at an early stage and has since worked with the ThyssenKrupp Group’s IT security team to contain the threat. To this end, various security measures were taken and certain applications and systems were temporarily taken offline.”
Siemens and Schneider Electric issue patches.
Siemens has published fifteen advisories addressing 270 vulnerabilities affecting the company’s products, SecurityWeek reports. Many of the flaws affected Scalance XCM-/XRM-300 switches and the Sinec industrial network management solution. Most of the vulnerabilities have been assigned severity ratings of “critical” or “high.”
Schneider Electric also released three advisories outlining five vulnerabilities affecting the company’s Modicon Controllers, EcoStruxure products, and Harmony Relay NFC.