CISA, calling Volt Typhoon an urgent threat, updates DDoS response guide

U.S. and international agencies are advising all critical-sector IT leaders to bolster their defenses against vendor risks and against living-off-the-land techniques stemming from PRC state-sponsored cyber activity.
By Andrea Fox
10:43 AM


Guidance released this week from the Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation and other U.S. and international partners outlines best practices for defending against "living off the land" (LOTL) cyber activity – where threat actors use an organization's own tools to attack its network – while addressing the specific needs and challenges of defending against distributed denial of service attacks with new mitigations and visual aids.

WHY IT MATTERS

With contributions from Cisco Talos, NTT Corporation and Sophos, the agencies issued a joint fact sheet warning critical infrastructure entities to take the threat of attacks by Chinese state-sponsored actors "seriously."

The new guidance follows a Feb. 7 cybersecurity advisory that warned that, amid increased geopolitical tensions, Volt Typhoon has used LOTL techniques to intrude into critical infrastructure networks in order to disrupt or destroy critical services.

It highlights actions for leaders to take to make informed and proactive resourcing decisions based on the threat.

"Key best practices for your cybersecurity teams include ensuring logging, including for access and security, is turned on for applications and systems and logs are stored in a central system," CISA said, encouraging organizational leaders to ask IT teams to locate and review logs for known commands used by Volt Typhoon's threat actors.

The Volt Typhoon commands and PowerShell scripts observed by the U.S. authoring agencies during incident response activities can be found in Appendix A of last month's cybersecurity advisory.

"CISA and partners are releasing this fact sheet to provide leaders of critical infrastructure entities with guidance to help prioritize the protection of critical infrastructure and functions," the agency said in the new guidance.

"The authoring agencies urge leaders to recognize cyber risk as a core business risk. This recognition is both necessary for good governance and fundamental to national security."

In addition, the Multi-State Information Sharing and Analysis Center updated the joint DDoS defense guide, Understanding and Responding to Distributed Denial-Of-Service Attacks, with new technical information on attack vectors, nine visual aids and added mitigations for defending against DDoS techniques.

THE LARGER TREND

In January, CISA Director Jen Easterly testified before the House Select Committee on Strategic Competition Between the United States and the Chinese Communist Party on pre-positioning by the PRC to disrupt critical infrastructure in the United States, including telecommunications.

"Chinese cyber actors, including a group known as Volt Typhoon, are burrowing deep into our critical infrastructure to be ready to launch destructive cyberattacks in the event of a major crisis or conflict with the United States," she said in her opening statement.

In October, CISA issued a warning that CVE-2023-44487 affecting HTTP/2 – a DDoS exploit also known as Rapid Reset – could compromise critical infrastructure, while the Health Information Sharing and Analysis Center alerted its members about the potential for that LOTL threat.

While malware may be a more prominent threat to healthcare organizations, a spate of coordinated KillNet DDoS attacks on hospital websites at the turn of 2023 caught the attention of Fitch Ratings, which warned that cyberattacks that compromise service could ultimately affect a hospital’s financial profile.

ON THE RECORD

"The U.S. authoring agencies assess that the PRC-sponsored advanced persistent threat group known as Volt Typhoon are seeking to pre-position themselves – using [LOTL] techniques – on IT networks for disruptive or destructive cyber activity against U.S. critical infrastructure in the event of a major crisis or conflict with the United States," the agencies said in a statement Tuesday.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.
