

“…Leaving our Nation Vulnerable to Cyber Invasion”: Volt Typhoon’s Recent Zero Day Attack on U.S. Internet Providers

Thank you to the OODA Loop News Brief team for surfacing our initial report of the Volt Typhoon zero-day attack (Chinese APT Volt Typhoon Caught Exploiting Versa Networks SD-WAN Zero-Day). This attack comes fast on the heels of a renewed, very specific warning issued at Black Hat USA a couple of weeks ago, which characterized the recent CrowdStrike incident as a ‘dress rehearsal’ for what the impacts of a major attack on U.S. critical infrastructure would look like – and then some. In this post: more details of the recent zero-day attack – and the What Next?, from the perspective of the firm, strident, strategic messaging by CISA and national security experts over the course of the last two years. If this threat vector has been on your organization’s strategic back burner to date, it is time to shift to the Decide and Act of your internal OODA Loop ASAP.

OODA Loop News Briefs – Volt Typhoon

August 27, 2024:  Chinese APT Volt Typhoon Caught Exploiting Versa Networks SD-WAN Zero-Day

Versa Networks systems have been attacked by the Chinese APT Volt Typhoon. Malware hunters have found that Volt Typhoon has exploited a zero-day vulnerability in Versa Director systems. CISA has moved to classify this vulnerability as a “must patch” vulnerability because of this attack. Versa Networks released a statement saying that clients that have properly updated their security systems are not likely to be compromised by the attack. Read more: https://www.securityweek.com/chinese-apt-volt-typhoon-caught-exploiting-versa-networks-sd-wan-zero-day/

March 2024:  OODA Loop – Five Eyes Agencies Issue New Alert on Chinese APT Volt Typhoon

Government agencies within the Five Eyes countries (US, UK, Canada, Australia, and New Zealand) have issued a threat warning for critical infrastructure entities of Volt Typhoon. Volt Typhoon is a Chinese state-sponsored group that has hacked thousands of organizations internationally.

Five Eyes agencies are currently providing guidance for critical infrastructure organizations to protect against the potential threat of Volt Typhoon. This follows a February CISA advisory regarding Volt Typhoon. The warning detailed Volt Typhoon’s ability to position itself within critical infrastructure networks and potentially disrupt or destroy the infrastructure. So far, Volt Typhoon has hacked into US critical infrastructure sectors including energy, transportation, water, and communications systems. The Five Eyes agencies advise critical infrastructure entities to empower informed resourcing decisions on behalf of cybersecurity teams. They also advise the use of intelligence-informed prioritization tools as a means of defense. Other forms of guidance include the implementation of incident response plans, detection, and hardening practices. The creation of information security contingency plans is also key. According to the Five Eyes agencies, another facet of protection is securing supply chains and vendor risk management processes as a means of defending against Volt Typhoon.

The Record | China’s Volt Typhoon reportedly targets US internet providers using Versa zero-day

Researchers accused Chinese government-linked hacking group Volt Typhoon of exploiting a zero-day vulnerability in network management platform Versa Director in an effort to breach internet service providers and technology companies, including those in the United States. Earlier on Monday, Versa announced that it had fixed a high-severity flaw, tracked as CVE-2024-39717, noting that it was exploited in the wild by an unnamed nation-state hacker group “at least once.” The bug also had been added to the Cybersecurity and Infrastructure Security Agency (CISA) known exploited vulnerability catalog over the weekend. This flaw affects all Versa Director versions prior to 22.1.4.
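A defender’s first question after reading the paragraph above is which Versa Director instances in the estate sit below the 22.1.4 threshold. The following inventory check is an added example for this post; it is not code from The Record, Versa Networks, or Lumen. It assumes Versa Director reports a dotted numeric version string (optionally prefixed with “v” or followed by a suffix), and the hostnames and versions in the sample inventory are constructed for illustration. Versions are compared as integer tuples rather than strings, so that 22.1.10 correctly ranks above 22.1.4.

```python
import re
from typing import List, Tuple

# Fix threshold stated in the summary: all Versa Director versions prior to 22.1.4 are affected.
FIXED_VERSION = "22.1.4"


def parse_version(version: str) -> Tuple[int, ...]:
    """Convert a dotted version string into a tuple of ints for numeric comparison.

    Comparing as strings would rank '22.1.10' below '22.1.4'; tuples of ints do not.
    The accepted format (optional 'v', dotted integers, optional trailing suffix)
    is an assumption, not something the article specifies.
    """
    core = re.match(r"^\s*v?(\d+(?:\.\d+)*)", version)
    if not core:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in core.group(1).split("."))


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the running version is older than the fixed version."""
    return parse_version(version) < parse_version(fixed)


def triage_inventory(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hostnames running an affected Versa Director version."""
    return [host for host, ver in inventory if is_affected(ver)]


# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = [
    ("director-01.example.internal", "21.2.3"),
    ("director-02.example.internal", "22.1.3"),
    ("director-03.example.internal", "22.1.4"),
    ("director-04.example.internal", "22.1.10"),
]

if __name__ == "__main__":
    for host in triage_inventory(SAMPLE_INVENTORY):
        print(f"PATCH REQUIRED: {host}")
```

Run against the sample inventory, only the two hosts below 22.1.4 are flagged; the host on 22.1.10 is correctly left alone. Swap `SAMPLE_INVENTORY` for the output of your own asset inventory or configuration management database to use it in practice.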

Versa Director works as a central command center, allowing tech specialists to easily set up, monitor, and manage their networks across multiple locations. This makes Versa servers an “attractive target for threat actors seeking to extend their reach within enterprise network management,” according to researchers at Lumen Technologies. In a report on Tuesday, the researchers attributed the exploitation of this vulnerability, “with moderate confidence,” to the notorious China-backed hacker group Volt Typhoon. The group has previously targeted U.S. energy and defense companies, with its hallmark campaign involving the infiltration of home routers to launch other attacks.

In the latest incidents, Volt Typhoon exploited the flaw in Versa Director to upload a sophisticated, custom-tailored web shell named VersaMem. This web shell was used to intercept and harvest credentials, as well as execute arbitrary malicious code on compromised servers while avoiding detection. The targets of Volt Typhoon’s latest campaign reportedly include four U.S. victims and one non-U.S. victim in the internet service provider, managed service provider, and information technology sectors.

What Next?

“…the threat is not theoretical…every CEO, every business leader, every board member for a critical infrastructure company [must recognize] that cyber risk is business risk, and managing it is a matter of both good governance and fundamental national security.” – CISA Director Easterly

At 6 minutes, 13 seconds in length, the statement is worth a quick listen/watch for its strategic assessment of this threat vector. In January 2024, “CISA Director Jen Easterly gave her opening statement before the House Select Committee on Strategic Competition Between the United States and the Chinese Communist Party.”

Foreign Policy | Stop Passing the Buck on Cybersecurity: Why Companies Must Build Safety Into Tech Products (subscription required)

By Jen Easterly and Eric Goldstein

Easterly’s statement above builds on the secure by design mandate first positioned in a Foreign Policy magazine essay by Easterly and co-author Goldstein in February 2023:

“Despite a global multibillion-dollar cybersecurity industry, the threat from malicious cyber-activity, from both criminal and state actors, continues to grow. While many cyber incidents are never reported by their victims, Verizon’s 2022 Data Breach Investigations Report noted that ransomware attacks rose 13 percent that year—more than the past five years combined. These breaches included attacks that threatened public health and safety, with several hospitals across the United States forced to cancel surgeries and divert patients because they were locked out of their systems.”

The CrowdStrike Incident was a “Dress Rehearsal”

Easterly warns of destructive cyberattacks from China that could cause widespread outages

The recent global technology outages caused by an update sent out from cybersecurity firm CrowdStrike should serve as a ‘dress rehearsal’ for the kind of issues officials anticipate in the event of a destructive cyberattack by China-linked hackers, according to one of the top cybersecurity leaders in the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly said [in a panel at Black Hat] that escalating tensions between China and Taiwan have led Beijing to seek ways to launch destructive attacks against the island nation and its allies – including the U.S.

Why it matters:

Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly warns of potential severe cyber threats from China, specifically following increasing tensions with Taiwan. These anticipated attacks could induce societal panic by sabotaging US systems such as pipelines, water systems, and transportation systems. The potential severity of these cyber threats is underlined by China’s state-sponsored group, Volt Typhoon, planning similar attacks.

Following recent global technology outages instigated by a faulty update from CrowdStrike, officials including Easterly have called for increased preparedness for cyber incidents. This incident, impacting thousands of facilities and vendors worldwide, is seen as a useful exercise in anticipating and responding to likely threats from China. Efforts by US officials to both eradicate Volt Typhoon hackers and strengthen critical infrastructure indicate the importance of a multi-pronged approach to cyber threat management. Findings show that these hackers have preserved access within victim IT environments for over five years, emphasizing the need for long-term resilience, faster recovery, and continual vigilance against evolving strategies of attack.

Additional OODA Loop Resources

For our News Briefs and Original Analysis research efforts to date on this topic, go to:

Microsoft, CISA, NSA, FBI, and the Five Eyes on the PRC’s Advanced Persistent Threat: Volt Typhoon: OODA Loop Contributor Emilio Iasiello provided the initial coverage of a “cluster of activity” linked to China, targeting networks across U.S. critical infrastructures and Guam: Chinese Cyber Activities Against Critical Infrastructure Raises the Stakes in U.S.-China Relations. As is always the case with Emilio’s weekly contribution here at OODA Loop, it is worth a read. The advisory Emilio references – entitled People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection – dovetails with our analysis in April of the State Department turning its strategic focus towards cyber-threat vectors in Guam, Albania, and Costa Rica.

The Crowdstrike Incident – OODA Loop Update #4: In the spirit of tracking the global impact of disruptive events and encouraging the sharing of relevant stories for compilation, the following is our latest tracking of the Crowdstrike Incident since our last update on 7/22 – The Crowdstrike/Microsoft Global IT Outage Debacle: Ongoing Impacts and Recent Updates and the July 2024 OODA Network Monthly Meeting: A Real-time Discussion of the Crowdstrike Global IT Outage.

CISA Director Easterly on “Democracy’s Biggest Year: The Fight for Secure Elections Around the World”: CISA Director Jen Easterly participated in a keynote session at Black Hat USA 2024, along with international election experts Hans de Vries, COO, European Union Agency for Cybersecurity (ENISA), and Felicity Oswald, CEO, National Cyber Security Centre (NCSC), to “unpack how international leaders are approaching election security risks to the democratic processes.” Along with coverage of this keynote panel, we have compiled Director Easterly’s recent communications on the 2024 security threats and the security and integrity strategies taken up by CISA and the USG in the run-up to the November 2024 Election in the U.S.

Chinese Cyber Activities Against Critical Infrastructure Raises the Stakes in U.S.-China Relations: On May 24, 2023, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), as well as the Five Eyes, issued advisories on a “cluster of activity” linked to China that has been targeting networks across U.S. critical infrastructures and Guam. Dubbed VOLT TYPHOON, the activity has been occurring since at least 2021 according to Microsoft, which appears to have been at the forefront of reporting this activity to the U.S. government and, per its May 24 release, has since notified private sector organizations of the threat. Activity exhibited during the campaign indicated that the actors focused on sustained cyber espionage as opposed to more disruptive attacks, and targeted organizations in the communications, construction, education, government, information technology, manufacturing, maritime, transportation, and utility sectors. Once they gained initial access, these actors stole credentials in order to try to gain entry into other systems.

Cyber Risks

Corporate Board Accountability for Cyber Risks: With a combination of market forces, regulatory changes, and strategic shifts, corporate boards and directors are now accountable for cyber risks in their firms. See: Corporate Directors and Risk

Geopolitical-Cyber Risk Nexus: The interconnectivity brought by the Internet has caused regional issues that affect global cyberspace. Now, every significant event has cyber implications, making it imperative for leaders to recognize and act upon the symbiosis between geopolitical and cyber risks. See The Cyber Threat

Ransomware’s Rapid Evolution: Ransomware technology and its associated criminal business models have seen significant advancements. This has culminated in a heightened threat level, resembling a pandemic’s reach and impact. Yet, there are strategies available for threat mitigation. See: Ransomware, and update.

Challenges in Cyber “Net Assessment”: While leaders have long tried to gauge both cyber risk and security, actionable metrics remain elusive. Current metrics mainly determine if a system can be compromised without guaranteeing its invulnerability. It’s imperative not just to develop action plans against risks but to contextualize the state of cybersecurity concerning cyber threats. Despite its importance, achieving a reliable net assessment is increasingly challenging due to the pervasive nature of modern technology. See: Cyber Threat

Recommendations for Action

Decision Intelligence for Optimal Choices: Numerous disruptions complicate situational awareness and can inhibit effective decision-making. Every enterprise should evaluate its data collection methods, assessment, and decision-making processes for more insights: Decision Intelligence.

Proactive Mitigation of Cyber Threats: The relentless nature of cyber adversaries, whether they are criminals or nation-states, necessitates proactive measures. It’s crucial to remember that cybersecurity isn’t solely the IT department’s or the CISO’s responsibility – it’s a collective effort involving the entire leadership. Relying solely on governmental action isn’t advised, given the government’s inconsistent approach to helping industries reduce risk. See: Cyber Defenses

The Necessity of Continuous Vigilance in Cybersecurity: The consistent warnings from the FBI and CISA concerning cybersecurity signal potential large-scale threats. Cybersecurity demands 24/7 attention, even on holidays. Ensuring team endurance and preventing burnout by allocating rest periods are imperative. See: Continuous Vigilance

Embracing Corporate Intelligence and Scenario Planning in an Uncertain Age: Apart from traditional competitive challenges, businesses also confront unpredictable external threats. This environment amplifies the significance of Scenario Planning. It enables leaders to envision varied futures, thereby identifying potential risks and opportunities. Regardless of their size, all organizations should allocate time to refine their understanding of the current risk landscape and adapt their strategies. See: Scenario Planning

Daniel Pereira

About the Author


Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.