“Volt Typhoon” Cybersecurity Threat Warning for Financial Institutions
A Radical Shift in Hacking Calls for a Focus on Fundamental Controls
According to the heads of the top federal agencies responsible for monitoring cyber threats against the U.S., a hacking technique known as “Living Off the Land” is being used to compromise critical networks while permitting intrusions into critical systems to go undetected. In this technique, hackers use legitimate privileged access credentials and built-in administrative tools, and pre-position themselves in networks until they are ready to attack. The widespread shift to “Living Off the Land” means both industry and regulators need to reassess their approaches to IT security, particularly privileged access management.
The Threat is Called Volt Typhoon
“Volt Typhoon” is the People’s Republic of China’s (PRC’s) state-sponsored cyber group focused on positioning itself inside the computer networks of critical infrastructure to cause destructive or disruptive cyber activity to our country when the PRC chooses.
The most important thing to know about Volt Typhoon is that its hacking techniques have permitted undetected intrusion. The PRC is interested in critical infrastructure that can disrupt our way of life, so it is not only focused on the financial sector but also on the communications and power sectors, upon which other sectors depend. The group’s infiltration was discovered about a year ago, but it dates to at least 2021.
CISA Recommends Focusing on the Fundamentals
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recommended four primary actions to mitigate Volt Typhoon activity, which can best be summarized as focusing on the fundamentals – patching, Multi-Factor Authentication (MFA), logging, and “End of Life” management. These are well-known controls that have been employed for years. However, the PRC is using weaknesses in the implementation of these controls to gain access. For example, even though all bankers log network activity, the PRC is exploiting short log retention periods and the lack of logging of routine administrative activity, so that activity performed with valid administrative credentials leaves little or no lasting record. Chief Information Security Officers (CISOs) need to take a deeper look not just at logging activity but at all aspects of privileged access management. Bankers should address these vulnerabilities immediately rather than waiting for an IT examination. We expect to see these techniques exploited more broadly by other criminal hackers as well.
From Cybersecurity & Infrastructure Security Agency (CISA) Director Jen Easterly’s Congressional Testimony, in Jan. 2024: “This threat is not theoretical…CISA teams have found and eradicated Chinese intrusions into critical infrastructure across multiple sectors…And what we’ve found to date is likely the tip of the iceberg. Given the malicious activity uncovered by CISA, NSA, FBI, and industry partners, we are acting now, knowing that this threat is both real and urgent.”
Industry and Regulators Must Work Together to Stop the Threat
To help protect the industry against the rapidly moving exploitation by the PRC and similar criminal activity from other bad actors, the DFPI and other state regulators are evaluating options to help ensure that CISA’s recommendations are being implemented effectively.
As these recommendations will involve limiting the compromise of privileged access, we must look beyond on-site users. We must look at how all of these credentials are managed, especially access given to third parties such as Managed Service Providers (MSPs). MSPs often require full access to and control of your network, so an enhanced look at vendor management is needed.
Cyber threats evolve at internet speed, while IT examination cycles follow a frequency developed long before the internet existed. The current threat is not theoretical. It is both real and urgent; therefore, financial institutions and regulators need to work together now to protect the financial sector.
Please send suggestions/comments to Financial Institutions Manager Matthew Fujikawa at [email protected].