A New Wave of Cyber Attacks: Five Actions to Take Now

Cyber threat actors in China, such as “Volt Typhoon,” are more technically advanced and well-resourced than other cybercriminal or ransomware groups in operation today. They are able to evade existing defenses and sneak inside manufacturers’ networks without being detected, hide inside them for many years, and launch sudden attacks to cripple operational technology (OT) systems. 

China isn’t the only country doing this. Other foreign adversaries – particularly Russia and Iran – are developing similar capabilities that can be used across critical infrastructure sectors.

It is important for all companies to develop greater “cyber resilience” within their operational technology systems, to both prevent and recover from these attacks. Here are five steps toward doing so.

1. Maintain Accurate IoT/OT Asset Inventory

Sophisticated threat actors like Volt Typhoon move laterally across a network through a stealth tactic called “living off the land” (LOTL). 

LOTL is different from a conventional cyber breach because instead of using malware, which is “noisy” and easier to detect, the threat actor takes advantage of legitimate assets already in use on the organization’s network. This makes it significantly harder for security teams to detect malicious activity. It’s important for manufacturers to follow CISA’s best practices, such as implementing detailed and centralized logging, proactively hardening IT and OT devices and monitoring IoT/OT devices for configuration and state drift—and most importantly, maintaining a current asset inventory of all connected devices.

2. Conduct Regular Device Risk Posture Assessments 

Volt Typhoon first gains entry to an organization by compromising exposed IP-connected devices, such as routers, VPNs and firewalls. This is usually done by exploiting weak or stolen credentials or unpatched vulnerabilities.

This tactic is increasingly common among sophisticated attackers. That’s because the vast majority of network and IoT devices are not properly secured or managed. It is vital that manufacturers fix these basic problems. Our research has found that within major industries like manufacturing, 70% of these devices contain unpatched high to critical state vulnerabilities and 75% have default passwords.

3. Focus on Fundamental Device Security Hygiene

The ultimate goal of these attacks is to access the company’s operational technology systems. To do this, the threat actor will frequently hijack remote access accounts that employees and contractors use to manage OT systems, or compromise unmanaged/unmonitored IP-connected devices such as network gateways. Attackers also use their own custom tools from inside the manufacturer’s network – however, in most cases they still take advantage of default or stolen credentials, or an unpatched vulnerability, to get into the device. 

This is why it is critical for manufacturers to maintain basic security hygiene across all of their connected devices, including password rotations, configuration management and firmware updates. Those basic steps will counteract the vast majority of even highly sophisticated cyber attacks. 

4. Establish and Maintain Secure Device Configurations

State-sponsored cyber actors are actively using industrial control system (ICS) attack frameworks that take advantage of the native functionality and built-in weaknesses of OT/ICS devices. These malicious frameworks can gain control and subvert ICS devices by exploiting and weaponizing insecure features or settings, such as open remote network services and excessive privileges. 

These product design weaknesses pose a fundamental challenge for manufacturer security. However, it is possible to mitigate these risks by hardening ICS devices, such as removing risky permissions and disabling remote services.

5. Remove Dangerous Devices

In 2022, the FCC issued a ban on the sale or importation of devices made by several Chinese manufacturers that it considers to pose “an unacceptable risk to national security of the United States or the security or safety of United States persons.” CISA Director Jen Easterly also recently warned that Chinese-made technologies, which are increasingly prevalent within U.S. critical infrastructure, are “ultimately controlled by the CCP.” 

What this means for manufacturers is that legitimate devices – from camera systems and sensors to ICS equipment (or components) – could be used for covert data collection or to provide unauthorized access into the manufacturer’s systems through concealed backdoors. Future firmware updates to these devices could also install new malicious features that will bypass detection. 

Manufacturers can reduce this risk by identifying and removing all high-risk devices. If removal isn’t possible, then they can take several device-level actions to limit these potential risks, such as changing passwords, disabling services and reducing connectivity. 

Shifting to a “Left of Boom” Strategy

With the growing threat of destructive cyber attacks, manufacturers should evolve their security strategies to develop greater resilience within their OT systems. This means shifting from a passive “monitor and detect” strategy to a more proactive “left of boom” approach that focuses on preventing attacks by hardening the attack surface, limiting lateral movement and preventing the subversion of OT systems.

This requires hardening all IoT, OT and ICS assets by fixing common cyber-hygiene issues, including default passwords, outdated firmware, unpatched vulnerabilities, risky configurations (especially active remote network services) and more. It also requires constant device-centric drift monitoring to instantly alert the security team if any device suddenly deviates from this secure state – which may be a sign of an active attempt underway to hack the device.