Volt Typhoon State-Sponsored Threat Actors Targeting Critical Infrastructure

Health-ISAC is disseminating this alert out of an abundance of caution influenced by risks and associated security implications stemming from the posturing of targeted cyber attacks against critical infrastructure. Attacks on water and wastewater systems have the potential to disrupt clean and safe drinking water, imposing significant costs on healthcare providers.

Specifically, state-sponsored threat actor activity associated with the People’s Republic of China (PRC) has been observed in cyberattacks against water systems. Threat actors are increasingly targeting critical infrastructure, seeking to disrupt essential services to inflict cascading impacts. Specific guidance for securing water and wastewater systems is available for critical infrastructure defenders around the globe.

On March 19, 2024, the Environmental Protection Agency (EPA) shared a letter discussing the urgent need to safeguard critical infrastructure against cyber threats. Specifically, the EPA emphasized drinking water and wastewater systems are critical resources, but many systems have not adopted important cybersecurity practices to thwart potential cyberattacks.

On February 7, 2024, Health-ISAC shared an alert titled People’s Republic of China (PRC) State-Sponsored Actors Compromise and Maintain Access to Critical Infrastructure, which focuses explicitly on attacks from Volt Typhoon. The alert includes a link to guidance for identifying and mitigating living off-the-land techniques commonly used by Volt Typhoon. Critical infrastructure organizations around the globe are encouraged to consider this guidance while securing healthcare sector infrastructure from attacks.

Recommendations

Critical infrastructure defenders are encouraged to ensure the following mitigation measures are implemented:

• – Implement multifactor authentication for access to the operational technology (OT) network whenever applicable.
• – If you require remote access, implement a firewall and/or virtual private network (VPN) to control network access. A VPN or gateway device can enable multifactor authentication for remote access even if the system does not support multifactor authentication.
• – Create strong backups of the logic and configurations of systems to enable fast recovery. Familiarize yourself with factory resets and backup deployment as preparation in the event of ransomware activity.
• – Keep systems updated with the latest versions by the manufacturer.
• – Confirm third-party vendors are applying applicable countermeasures to mitigate exposure of systems and all installed equipment.

Please also review the full PDF above for additional resources.