Protecting Against Advanced Persistent Threats and Destructive Cyber Attacks
As a seasoned IT professional, I’ve witnessed firsthand the growing threat of malware targeting critical infrastructure, particularly in the energy sector. The energy industry, with its vast network of interconnected systems and operational technology (OT), has become a prime target for sophisticated state-sponsored cyber actors and financially motivated criminal groups.
In this in-depth article, we’ll explore the alarming trends in malware targeting the energy sector, dive into the tactics and techniques employed by these advanced threat actors, and provide practical guidance on how to fortify your organization’s cybersecurity defenses.
Understanding the Cyber Threat Landscape
The energy sector is a prime target for state-sponsored cyber actors, as disrupting power generation, transmission, or distribution can have far-reaching consequences. According to the recent National Cybersecurity Strategy, the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) have assessed that the People’s Republic of China (PRC) state-sponsored cyber actors, specifically the group known as Volt Typhoon, are actively seeking to pre-position themselves on IT networks for potential disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict.
Volt Typhoon’s targeting and behavior patterns indicate that their objective is not traditional cyber espionage or intelligence gathering, but rather pre-positioning themselves to enable the disruption of OT functions across multiple critical infrastructure sectors, including Energy, Communications, Transportation Systems, and Water and Wastewater Systems.
In addition to state-sponsored threats, the energy sector also faces the growing risk of attacks from Russian-aligned cybercrime groups. According to a recent CISA cybersecurity advisory, these groups have publicly pledged support for the Russian government and threatened to conduct cyber operations in retaliation for perceived cyber offensives against Russia or in response to the provision of material support to Ukraine.
The severity of the threat cannot be overstated. As the FBI Director stated, the Chinese government poses a “broad and unrelenting threat” to U.S. critical infrastructure, including the energy sector. Cybercriminals aligned with Russia have also demonstrated their willingness to deploy destructive malware, such as the NotPetya and BlackEnergy attacks, which have caused widespread disruption to critical infrastructure organizations.
Volt Typhoon’s Tactics, Techniques, and Procedures
Volt Typhoon, the PRC state-sponsored cyber actor group, has employed a range of sophisticated tactics to infiltrate and maintain long-term, stealthy access within target networks. Their modus operandi is not consistent with traditional cyber espionage or intelligence gathering, but rather indicates a focus on pre-positioning themselves to enable the disruption of OT functions.
One of Volt Typhoon’s hallmarks is their extensive use of “living off the land” (LOTL) techniques, leveraging legitimate tools and processes already present on compromised systems to blend in with normal network activity and evade detection. They avoid dropping malware artifacts that could trigger security alerts, opting instead for hands-on-keyboard activity via the command line and other native tools.
Volt Typhoon actors also excel at maintaining persistent access, often extracting domain credentials multiple times over extended periods to ensure they retain a foothold within the victim’s network. They have been observed dumping credentials from domain controllers, including the critical Active Directory database (NTDS.dit), which can lead to full domain compromise if the hashes are cracked.
Once they have established a presence, Volt Typhoon actors focus on collecting sensitive information related to OT equipment, such as diagrams and documentation for SCADA systems, relays, and switchgear. This data is crucial for understanding and potentially disrupting critical infrastructure operations.
To facilitate their command and control (C2) activities, Volt Typhoon actors have been known to leverage compromised SOHO routers and virtual private servers (VPS) as proxy infrastructure, as well as implanting Fast Reverse Proxy (FRP) clients on victim systems to establish covert communication channels.
Protecting Against the Malware Threat
Defending against sophisticated, state-sponsored malware threats like Volt Typhoon and the ever-evolving tactics of Russian-aligned cybercrime groups requires a multilayered, proactive approach to cybersecurity. Here are some key recommendations for securing your critical energy infrastructure:
Implement Robust Patch Management
Ensure that all systems, including both IT and OT networks, are kept up to date with the latest security patches. Prioritize patching known exploited vulnerabilities, as these are often the initial attack vectors used by threat actors.
Enforce Multifactor Authentication (MFA)
Require MFA for all remote access, privileged accounts, and critical systems. This serves as a crucial safeguard against credential-based attacks, such as those employed by Volt Typhoon.
Secure and Monitor Remote Access
Closely monitor and restrict remote desktop protocol (RDP) and other potentially risky remote access services. Implement robust logging and monitoring to detect any unauthorized or suspicious activity.
Provide Comprehensive User Awareness Training
Educate your workforce on common social engineering tactics, such as phishing, to mitigate the risk of initial compromise. Encourage employees to report any suspicious activity or potential indicators of compromise.
Implement Network Segmentation
Segment your network based on role and function to limit the spread of malware and restrict lateral movement. This can help contain the impact of a successful intrusion and prevent threat actors from accessing critical OT systems.
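Segmentation is only as good as the rules that enforce it, so a useful habit is to check observed traffic against a written zone policy. The script below is an added example, not code from the article or from any vendor: it models a hypothetical address plan with corporate IT, jump-host and OT zones, an allowlist of permitted cross-zone flows, and a handful of constructed firewall flow records. Everything not explicitly allowed is reported, which surfaces both a direct IT-to-OT connection and an OT device calling out to the internet, the kind of lateral movement and covert channel the article warns about.

```python
"""Audit firewall flow records against a zone-based segmentation policy.

Added example for illustration; the zones, policy and flows are constructed
and are not from the article or from any real network.
"""
import ipaddress
from typing import NamedTuple, Optional

# Hypothetical address plan: which networks belong to which security zone.
ZONES = {
    "corp": [ipaddress.ip_network("10.1.0.0/16")],        # corporate IT
    "jump": [ipaddress.ip_network("10.20.0.0/24")],       # hardened jump hosts
    "ot":   [ipaddress.ip_network("192.168.100.0/24")],   # SCADA / HMI / engineering
}

# Allowlist of permitted cross-zone flows as (src_zone, dst_zone, dst_port).
# Anything not listed here is a policy violation (default deny).
POLICY = {
    ("corp", "jump", 3389),       # admins reach OT only through the jump host
    ("jump", "ot", 3389),         # jump host to engineering workstation
    ("corp", "external", 443),    # corporate web access
}


class Flow(NamedTuple):
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the plan is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "external"


def check_flow(flow: Flow) -> Optional[str]:
    """Return a violation reason, or None if the flow is permitted."""
    src_zone, dst_zone = zone_of(flow.src_ip), zone_of(flow.dst_ip)
    if src_zone == dst_zone:
        return None  # intra-zone traffic is outside the segmentation policy
    if (src_zone, dst_zone, flow.dst_port) in POLICY:
        return None
    return f"{src_zone}->{dst_zone} {flow.proto}/{flow.dst_port} not in allowlist"


def audit(flows):
    """Return (flow, reason) pairs for every flow that breaks the policy."""
    return [(flow, reason) for flow in flows if (reason := check_flow(flow))]


# Constructed sample flow records, as a firewall or NetFlow export might provide.
SAMPLE_FLOWS = [
    Flow("10.1.4.17", "10.20.0.5", 3389, "tcp"),           # corp -> jump (allowed)
    Flow("10.20.0.5", "192.168.100.10", 3389, "tcp"),      # jump -> ot (allowed)
    Flow("10.1.4.17", "192.168.100.10", 445, "tcp"),       # corp -> ot directly (violation)
    Flow("192.168.100.10", "10.1.4.17", 3389, "tcp"),      # ot -> corp (violation)
    Flow("192.168.100.10", "198.51.100.77", 443, "tcp"),   # ot -> internet (violation)
    Flow("10.1.4.17", "198.51.100.77", 443, "tcp"),        # corp -> internet (allowed)
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"{flow.src_ip} -> {flow.dst_ip}:{flow.dst_port}  {reason}")
```

In practice the zone map and allowlist would be loaded from the firewall configuration and the flows from its logs; the value of the check is that it is driven by the intended policy, so any new path between IT and OT shows up as a violation rather than being silently accepted.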
Enhance Logging and Monitoring
Closely review application, security, and system event logs, focusing on indicators that may suggest credential theft or lateral movement, such as Windows Extensible Storage Engine Technology (ESENT) Application Log events. Consider leveraging advanced network monitoring tools, such as the Zeek-based gait extension, to enhance your visibility into proxy and anomalous network activities.
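To make the log-review advice concrete, here is an added example, not code from the article or from CISA, of a small triage routine over Windows event records. It flags ESENT Application-log events that reference ntds.dit (the event IDs 216, 325, 326 and 327 are the ones CISA’s Volt Typhoon advisory calls out for this purpose), flags Remote Desktop logons (Security event 4624, logon type 10) from addresses outside an approved jump-host range, which covers the remote access monitoring point above, and counts on how many distinct days each host showed ntds.dit activity, since repeated extraction over time is a Volt Typhoon pattern. The hostnames, addresses, user names and event records are constructed sample data.

```python
"""Triage Windows event records for credential-dumping and RDP indicators.

Added example; the event records, hosts and addresses are constructed.
"""
import ipaddress
import re

# ESENT Application-log events listed in CISA's Volt Typhoon advisory as worth
# reviewing when the message references ntds.dit: 216 (database location change),
# 325 (database created), 326 (attached), 327 (detached).
ESENT_NTDS_EVENT_IDS = {216, 325, 326, 327}
NTDS_PATTERN = re.compile(r"ntds\.dit", re.IGNORECASE)

# Hypothetical range of approved jump hosts from which RDP to servers is expected.
ALLOWED_RDP_SOURCES = ["10.10.5.0/24"]


def is_ntds_dump_indicator(event: dict) -> bool:
    """True for an ESENT event whose message mentions the AD database file."""
    return (event.get("log") == "Application"
            and event.get("source") == "ESENT"
            and event.get("event_id") in ESENT_NTDS_EVENT_IDS
            and NTDS_PATTERN.search(event.get("message", "")) is not None)


def is_unexpected_rdp_logon(event: dict, allowed_nets) -> bool:
    """True for a 4624 logon of type 10 (RemoteInteractive) from outside allowed_nets."""
    if event.get("event_id") != 4624 or event.get("logon_type") != 10:
        return False
    src = event.get("src_ip")
    try:
        addr = ipaddress.ip_address(src)
    except (TypeError, ValueError):
        return True  # missing or malformed source address deserves a look
    return not any(addr in net for net in allowed_nets)


def triage(events, allowed_rdp_sources):
    """Return findings sorted by timestamp."""
    nets = [ipaddress.ip_network(n) for n in allowed_rdp_sources]
    findings = []
    for ev in events:
        if is_ntds_dump_indicator(ev):
            findings.append({"ts": ev["ts"], "host": ev["host"],
                             "rule": "ntds_dit_esent_activity",
                             "detail": f"ESENT {ev['event_id']} referencing ntds.dit"})
        elif is_unexpected_rdp_logon(ev, nets):
            findings.append({"ts": ev["ts"], "host": ev["host"],
                             "rule": "rdp_logon_from_unexpected_source",
                             "detail": f"{ev.get('user')} from {ev.get('src_ip')}"})
    return sorted(findings, key=lambda f: f["ts"])


def ntds_activity_days(findings) -> dict:
    """Per host, number of distinct days with ntds.dit-related ESENT activity."""
    days = {}
    for f in findings:
        if f["rule"] == "ntds_dit_esent_activity":
            days.setdefault(f["host"], set()).add(f["ts"][:10])
    return {host: len(d) for host, d in days.items()}


# Constructed sample records in a simplified SIEM-export shape (not real logs).
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T02:11:07Z", "host": "DC01", "log": "Application", "source": "ESENT",
     "event_id": 325, "message": "The database engine created a new database "
                                 "(1, C:\\Windows\\Temp\\x\\Active Directory\\ntds.dit)."},
    {"ts": "2024-03-04T02:11:09Z", "host": "DC01", "log": "Application", "source": "ESENT",
     "event_id": 327, "message": "The database engine detached a database "
                                 "(1, C:\\Windows\\Temp\\x\\Active Directory\\ntds.dit)."},
    {"ts": "2024-03-04T02:05:41Z", "host": "DC01", "log": "Security", "event_id": 4624,
     "logon_type": 10, "src_ip": "203.0.113.25", "user": "svc_backup"},
    {"ts": "2024-03-04T08:30:00Z", "host": "DC01", "log": "Security", "event_id": 4624,
     "logon_type": 10, "src_ip": "10.10.5.20", "user": "admin.jdoe"},      # expected jump host
    {"ts": "2024-03-03T09:12:55Z", "host": "APP01", "log": "Application", "source": "ESENT",
     "event_id": 326, "message": "The database engine attached a database "
                                 "(1, C:\\ProgramData\\Microsoft\\Windows\\WER\\edb.log)."},  # benign ESENT
    {"ts": "2024-02-10T23:48:12Z", "host": "DC01", "log": "Application", "source": "ESENT",
     "event_id": 326, "message": "The database engine attached a database "
                                 "(1, D:\\backup\\ntds.dit)."},                 # earlier extraction
    {"ts": "2024-03-04T02:05:40Z", "host": "DC01", "log": "Security", "event_id": 4624,
     "logon_type": 3, "src_ip": "203.0.113.25", "user": "svc_backup"},       # network logon, not RDP
]

if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS, ALLOWED_RDP_SOURCES)
    for f in results:
        print(f"{f['ts']} {f['host']} {f['rule']}: {f['detail']}")
    print("ntds.dit activity days per host:", ntds_activity_days(results))
```

The two rules are deliberately simple; the point is that ESENT events touching ntds.dit on a domain controller, an RDP logon from an address that is not a sanctioned jump host, and the same host dumping the database on separate days are each cheap to test for in a SIEM and map directly to the behaviours described earlier in this article.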
Prepare for Incident Response
Develop and regularly test your incident response plan to ensure your organization is ready to detect, respond to, and recover from a potential compromise. Collaborate with relevant government agencies and industry partners to stay informed on the latest threat intelligence and mitigation strategies.
Implement Secure-by-Design Principles
Encourage software vendors to incorporate secure-by-design and secure-by-default practices into their products, strengthening the overall security posture for their customers. This can help mitigate the risks posed by common Volt Typhoon techniques, such as the exploitation of vulnerabilities in networking appliances.
By implementing these proactive measures, energy sector organizations can significantly enhance their resilience against the persistent and evolving malware threat landscape. Collaboration with government agencies, industry partners, and software vendors is crucial to stay ahead of these advanced adversaries and safeguard our critical energy infrastructure.
Remember, the stakes are high, and the threat is not going away. Remain vigilant, stay informed, and take decisive action to fortify your cybersecurity defenses. The IT Fix team is committed to providing our readers with the latest insights and practical guidance to help you navigate the complex world of technology and infrastructure protection.
Visit ITFix.org.uk for more expert articles, IT solutions, and computer repair tips to keep your systems and operations secure and resilient.