US agencies, including CISA, NSA, and FBI, have identified that Chinese state-sponsored cyber actors known as Volt Typhoon are targeting critical infrastructure organizations in the US.
Volt Typhoon has compromised IT networks in sectors such as communications, energy, transportation, and water systems, primarily through known vulnerabilities or zero-day exploits.
The group's behavior suggests they are positioning themselves for disruptive or destructive attacks on OT assets during geopolitical tensions or military conflicts.
Volt Typhoon conducts extensive pre-exploitation reconnaissance to tailor its tactics to the target environment and maintains persistent access through living-off-the-land (LOTL) techniques and strong operational security.
They often escalate privileges to obtain administrator credentials, allowing lateral movement to domain controllers and other devices, including OT systems.
Volt Typhoon uses LOTL binaries and PowerShell to extract sensitive data from event logs and the NTDS.dit file, bypassing file locking mechanisms.
They employ offline password cracking to obtain plaintext passwords and elevated access for further infiltration and discovery.
Volt Typhoon has demonstrated the ability to access and manipulate OT assets, such as HVAC systems and energy controls, posing a potential threat to critical infrastructure.
International partners assess that the threat to infrastructure in their own countries is lower, but that it could still be affected by disruptions to US infrastructure.
Critical infrastructure organizations are urged to implement mitigations and hunt for malicious activity to prevent or respond to incidents.
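As an added illustration of the hunting the advisory urges, the following Python is example code written for this summary, not code from CISA or the advisory. It runs a small set of detection rules over constructed Windows process-creation (event ID 4688) records to surface the NTDS.dit extraction pattern described above (shadow-copy creation followed by a copy of the locked database file, or an ntdsutil export), and correlates shadow creation with a subsequent ntds.dit access on the same host. The log line format, the sample events, the rule names and the command-line patterns are all assumptions chosen for this example; the ATT&CK technique ID T1003.003 (OS Credential Dumping: NTDS) is the real MITRE identifier.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# Hunting rules for NTDS.dit extraction through LOTL binaries.
# Each entry is (rule name, ATT&CK technique, regex applied to the lowercased command line).
# The patterns are assumptions based on common detection content, not text from the advisory.
RULES = [
    ("ntdsutil_ifm_export", "T1003.003",
     re.compile(r"ntdsutil(\.exe)?.*\bntds\b.*\bifm\b")),
    ("vss_shadow_created", "T1003.003",
     re.compile(r"(vssadmin(\.exe)?\s+create\s+shadow|wmic(\.exe)?\s+shadowcopy\s+call\s+create)")),
    ("ntds_copied_from_shadow", "T1003.003",
     re.compile(r"harddiskvolumeshadowcopy\d+.*\\ntds\.dit")),
    ("esentutl_ntds", "T1003.003",
     re.compile(r"esentutl(\.exe)?.*ntds\.dit")),
]

# Assumed flat log format: "<ISO timestamp> host=<h> id=<event id> user=<u> cmdline=<rest of line>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+id=(?P<id>\d+)\s+user=(?P<user>\S+)\s+cmdline=(?P<cmdline>.*)$"
)

# Constructed sample records (not real telemetry): a logon, an ntdsutil export,
# a shadow copy, a copy of ntds.dit out of the shadow, and two benign events.
SAMPLE_LINES = [
    r"2024-02-07T03:14:00Z host=dc01 id=4624 user=CORP\svc_backup cmdline=-",
    r'2024-02-07T03:14:22Z host=dc01 id=4688 user=CORP\svc_backup cmdline=ntdsutil.exe "ac i ntds" ifm "create full C:\Windows\Temp\ifm" q q',
    r"2024-02-07T03:15:01Z host=dc01 id=4688 user=CORP\svc_backup cmdline=vssadmin.exe create shadow /for=C:",
    r"2024-02-07T03:15:40Z host=dc01 id=4688 user=CORP\svc_backup cmdline=cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit C:\Windows\Temp\n.dit",
    r"2024-02-07T08:02:11Z host=ws17 id=4688 user=CORP\jdoe cmdline=notepad.exe C:\Users\jdoe\notes.txt",
    r"2024-02-07T08:05:00Z host=ws17 id=4688 user=CORP\jdoe cmdline=vssadmin.exe list shadows",
]


def parse_line(line: str) -> Optional[Dict]:
    """Parse one log line into a dict; returns None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
    return event


def match_rules(event: Dict) -> List[str]:
    """Return the names of all rules whose pattern matches the event's command line."""
    cmd = event["cmdline"].lower()
    return [name for name, _technique, rx in RULES if rx.search(cmd)]


def hunt(lines: List[str]) -> List[Dict]:
    """Apply the rules to every process-creation (4688) record and collect the hits in log order."""
    hits = []
    for line in lines:
        event = parse_line(line)
        if event is None or event["id"] != "4688":
            continue
        for rule in match_rules(event):
            hits.append({"ts": event["ts"], "host": event["host"], "user": event["user"],
                         "rule": rule, "cmdline": event["cmdline"]})
    return hits


def correlate(hits: List[Dict], window_seconds: int = 900) -> List[str]:
    """Hosts where a shadow copy was created and ntds.dit was read from a shadow (or via esentutl)
    within window_seconds afterwards; this chain is the file-lock bypass the summary describes."""
    by_host: Dict[str, List[Dict]] = {}
    for hit in hits:
        by_host.setdefault(hit["host"], []).append(hit)
    flagged = []
    for host, host_hits in by_host.items():
        shadows = [h["ts"] for h in host_hits if h["rule"] == "vss_shadow_created"]
        reads = [h["ts"] for h in host_hits if h["rule"] in ("ntds_copied_from_shadow", "esentutl_ntds")]
        if any(0 <= (r - s).total_seconds() <= window_seconds for s in shadows for r in reads):
            flagged.append(host)
    return flagged


if __name__ == "__main__":
    found = hunt(SAMPLE_LINES)
    for h in found:
        print(f"{h['ts'].isoformat()} {h['host']} {h['user']} {h['rule']}: {h['cmdline']}")
    print("hosts with shadow-copy -> ntds.dit chain:", correlate(found))
```

Two caveats for anyone adapting this: event 4688 only carries the command line when the "Include command line in process creation events" audit policy is enabled, so the rules are blind without it; and ntdsutil IFM exports and shadow copies are also used legitimately (domain controller promotion, backups), so a hit from an unexpected account, at an unusual hour, or on a host that is not a backup server is a triage lead rather than a verdict.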
cisa.gov