EPA has released a water and wastewater sector-focused advisory that supplements previous government alerts regarding the Chinese state-sponsored threat actor labeled Volt Typhoon (also tracked as BRONZE SILHOUETTE or VANGUARD PANDA), which is suspected of conducting network scanning and other reconnaissance activities targeting U.S. critical infrastructure. In addition to EPA's sector-specific concerns, prior reporting has shown the federal government is concerned the threat actor may target water and wastewater utilities, particularly those that provide services to military bases. The advisory includes new indicators of compromise (IOCs) that network defenders can use to detect whether their systems have been breached.
Members [of WaterISAC] should review the advisory's IOCs and update their network defenses accordingly. The advisory specifically recommends network administrators:
• Scan networks for the known IOCs included in the advisory, as well as other unusual IP addresses and ports in command lines, registry entries, and firewall logs, to identify other hosts potentially involved in the actor's activity.
• Block all IP addresses and user-agents listed in the advisory.
• Establish baselines of normal activity, particularly for remote access and administrative actions, and look for outliers from those baselines.
Volt Typhoon is known to prefer living-off-the-land tactics, which let it avoid detection by using legitimate network administration tools, so members are encouraged to conduct scanning to uncover suspicious network behavior.
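The following is an added example, not code from EPA, WaterISAC or the advisory, showing the three recommendations above in practice: matching firewall, proxy and command-line records against an IOC list, and flagging remote-access logins that fall outside an established baseline (the check that matters most against living-off-the-land activity, where the tool is legitimate and only the context is unusual). The IOC values, log lines and login records are constructed placeholders; the advisory's actual indicators would be substituted for them.

```python
import re
from collections import Counter

# Constructed placeholder indicators (RFC 5737 documentation ranges and a
# made-up user-agent); substitute the IOCs published in the advisory.
IOC_IPS = {"203.0.113.10", "198.51.100.77"}
IOC_USER_AGENTS = {"Mozilla/5.0 (placeholder-advisory-UA)"}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def find_ioc_hits(lines, ioc_ips=IOC_IPS, ioc_uas=IOC_USER_AGENTS):
    """Return (line_number, indicator) pairs for every record (firewall,
    proxy or process command line) that contains a listed IP or user-agent."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IPV4_RE.findall(line):
            if ip in ioc_ips:
                hits.append((n, ip))
        for ua in ioc_uas:
            if ua in line:
                hits.append((n, ua))
    return hits


def baseline_outliers(logins, min_seen=2):
    """logins: (user, source_ip, tool) tuples from remote-access and admin
    audit logs. Returns the combinations observed fewer than min_seen times,
    a simple 'outlier from baseline' check: the same admin using the same
    legitimate tool from a never-before-seen source is what stands out."""
    counts = Counter(logins)
    return sorted(k for k, v in counts.items() if v < min_seen)


# Constructed sample records, not real telemetry.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z fw ACCEPT src=10.0.0.5 dst=10.0.0.9 dport=443",
    "2024-01-01T10:01:00Z fw ACCEPT src=203.0.113.10 dst=10.0.0.9 dport=3389",
    '2024-01-01T10:02:00Z proxy GET /login ua="Mozilla/5.0 (placeholder-advisory-UA)"',
    '2024-01-01T10:03:00Z audit cmd="curl http://198.51.100.77:8443/" user=svc',
]
SAMPLE_LOGINS = [("opsadmin", "10.0.0.5", "rdp")] * 3 + [
    ("opsadmin", "203.0.113.10", "rdp"),
]

if __name__ == "__main__":
    for n, ioc in find_ioc_hits(SAMPLE_LOGS):
        print(f"IOC match on line {n}: {ioc}")
    for user, src, tool in baseline_outliers(SAMPLE_LOGINS):
        print(f"Outside baseline: {user} via {tool} from {src}")
```

The baseline function needs a long enough history (weeks of remote-access and administrative logins, not a handful of records) before its outliers mean anything; on the constructed data it is only illustrating the shape of the check.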