NERC CIP Bootcamp Giveaway – Enter to Win!
Support

SOLUTIONS

OT Asset Management
Configuration & Change Management
Policy Compliance
Vulnerability Management

PLATFORM

Industrial Defender Platform
Phoenix for SMBs
Services
Partners

INDUSTRIES

Power
Oil & Gas
Water
Manufacturing
US Government
See all

RESOURCES

Blog
Podcast
Resource Library
OT Cybersecurity Risk Assessment Calculator
Innovations by Industrial Defender
FAQ

COMPANY

About Us
How We Compare
Team
Events
Press
Careers
Contact Us

SUPPORT

REQUEST DEMO

No items found.

Tracking Volt Typhoon, State-Sponsored Threat Activity Against Critical Infrastructure

Industrial Defender Staff
February 19, 2024

In response to the latest reports around Volt Typhoon, we are sharing guidance on leveraging OT asset management capabilities as part of your overall defense strategy.

Volt Typhoon is reported to be a People’s Republic of China (PRC) state-sponsored cyber actor, known to target critical infrastructure. Active since mid-2021, Volt Typhoon raised alerts last year when Microsoft disclosed observed activities, followed by a report from CISA. CISA issued another alert about Volt Typhoon on February 7, confirming observed compromises of IT environments are multiple critical infrastructure organizations.

“Volt Typhoon’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions.”
- CISA Cybersecurity Advisory "PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure"

Responding to Volt Typhoon

Volt Typhoon is known to primarily use living off the land (LOTL techniques). They are also known for using valid accounts and remaining undiscovered for the long-term.  

While Industrial Defender's core functions serve asset management, system hardening, and compliance programs, our platform can support and be used in tandem with other tools addressing other parts of the attack lifecycle. We strongly recommend that you refer to CISA’s guidance for a thorough framework on addressing this threat:

For leveraging Industrial Defender to support these efforts, we recommend that you:

  • Use Industrial Defender to monitor credential modifications, as a potential indicator of persistence.
  • Use Industrial Defender to monitor changes to firewall configurations.
  • Use Industrial Defender to monitor new network connections, for both access and exfiltration.
  • Activate IDS features on your IDCs and consider custom rules.
  • Ensure Industrial Defender agents are monitoring relevant directories.  
  • Inspect for cleared audit logs.
  • Investigate Windows Firewall rule modifications/unauthorized exceptions for security breaches.

You can track the latest on this threat and others at https://www.cisa.gov/.

Stay up to date.

Sign up for our newsletter to receive the latest
Industrial Defender news, updates and content.

SOC 2® Type II Certified
PRODUCTS
Industrial Defender PlatformImmunity by IDBuilding DefenderRTAP
SERVICES
Cyber Diligence ServiceCopilOT ServiceTMCommissioningSupportTrainingSustain
SOLUTION BY TYPE
OT Asset ManagementVulnerability ManagementSecurity Event MonitoringCompliance Reporting
SOLUTION BY FUNCTION
SecurityComplianceOperationsExecutive
SOLUTION BY INDUSTRY
Building AutomationChemicalElectricFederal GovernmentFood & AgricultureMaritimeMetals & MiningOil & GasPharmaceuticalsRailWater
RESOURCES
Resource CollectionDefenderSphereIT-OT Integration LabOT Cybersecurity Risk CalculatorInnovations by ID
COMPANY
About UsHow We CompareTeamEventsPressCareersContact Us