Stay Alert: China State-Sponsored Cyber Attacker Can Evade Detection on Water and Wastewater Systems’ IT/OT Networks
EPA is issuing this alert to make water and wastewater system owners and operators aware of a new Cybersecurity Advisory (CSA) from the United States and international cybersecurity organizations. The CSA highlights recently discovered malicious activity aimed at critical infrastructure organizations in the United States. The activity is associated with a People’s Republic of China (PRC) state-sponsored cyber actor known as Volt Typhoon.
Volt Typhoon has been active since mid-2021 and has compromised critical infrastructure organizations in the United States and its territories. Organizations affected by this campaign include the communications, manufacturing, transportation, government, and information technology sectors. Water and wastewater systems are also at high risk from this threat. Observed behavior suggests that the threat actor intends to perform espionage and maintain access without being detected for as long as possible.
One of the actor’s primary tactics, techniques, and procedures (TTPs) is living off the land, which uses built-in network administration tools to perform their objectives. This TTP allows the actor to evade detection by blending in with normal Windows system and network activities, avoid endpoint detection and response products that would alert on the introduction of third-party applications to the host, and limit the amount of activity that is captured in default logging configurations. Detecting and mitigating this attack can be challenging.
The Joint Cybersecurity Advisory (CSA) from the United States National Security Agency (NSA), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Federal Bureau of Investigation (FBI), the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the Communications Security Establishment’s Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), and the United Kingdom National Cyber Security Centre (NSCS-UK) provides guidance on detecting and preventing this attack.
Mitigation
Water and wastewater system owners and operators should direct their network administrators to review the CSA and carry out the recommended mitigation procedures. The alert provides examples of the actor’s commands and detection signatures, which will aid network defenders in hunting for this activity.
In addition, water and wastewater owners and operators should adopt the cyber hygiene practices in CISA’s Cross-Sector Cybersecurity Performance Goals, which can reduce the risk of cyber incidents.
• Harden network servers and check event logs for executable files such as ntdsutil.exe and similar process creations
• Audit any use of system administrator privileges to confirm the legitimacy of executed commands
• Limit connections to public internet to required periods of use
• Investigate unusual IP addresses and ports in command lines, registry entries, and firewall logs to identify other hosts that are potentially involved in actor actions
• Review perimeter firewall configurations for unauthorized changes and/or entries that may permit external connections to internal hosts
• Look for abnormal account activity, such as logons outside of normal working hours and impossible time-and-distance logons
• Forward log files to a hardened centralized logging server, preferably on a segmented network
The U.S. EPA Office of Water request recipients to pass along this alert to all Water & Wastewater entities. If you have questions regarding any of the information contained in this document, please contact Brandon M. Carter, Water Infrastructure and Cyber Resilience Division, USEPA (carter.brandon@epa.gov). If you find evidence of potential Volt Typhoon activity please report this activity to FBI at Internet Crime Complaint Center(IC3) | File a Complaint.