The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI), along with key U.S. and international government agencies published a Joint Cybersecurity Advisory recently on malicious activity by a People’s Republic of China (PRC) state-sponsored cyber actor, known as Volt Typhoon, to compromise critical infrastructure and associated actions that should be urgently undertaken by all organizations.

CISA and its U.S. Government partners have confirmed that this group of PRC state-sponsored cyber actors has compromised entities across multiple critical infrastructure sectors in cyberspace, including communications, energy, transportation, and water and wastewater, in the United States and its territories.

The data and information CISA and its U.S. Government partners have gathered strongly suggest the PRC is positioning itself to launch destructive cyber-attacks that would jeopardize the physical safety of Americans and impede military readiness in the event of a major crisis or conflict with the United States.

In addition to the joint Cybersecurity Advisory, CISA and our partners also released complementary Joint Guidance to help all organizations effectively hunt for and detect the sophisticated types of techniques used by actors such as Volt Typhoon, known as “living off the land.” In recent years, the U.S. has seen a strategic shift in PRC cyber threat activity from a focus on espionage to pre-positioning for possible disruptive cyber-attacks against U.S. critical infrastructure. By using “living off the land” techniques, PRC cyber actors blend in with normal system and network activities, avoid identification by network defenses, and limit the amount of activity that is captured in common logging configurations.

Detecting and mitigating “living off the land” malicious cyber activity requires a multi-faceted and comprehensive approach to discern legitimate behavior from malicious behavior and conduct behavior analytics, anomaly detection, and proactive hunting. This advisory and complementary guidance provide organizations with details on how Volt Typhoon cyber threat actors use “living off the land” techniques to abuse legitimate, native tools and processes on systems, and identifies specific details on the actors’ tactics, techniques, and procedures (TTPs) using certain adversarial behavior patterns.

“The PRC cyber threat is not theoretical: leveraging information from our government and industry partners, CISA teams have found and eradicated Volt Typhoon intrusions into critical infrastructure across multiple sectors. And what we’ve found to date is likely the tip of the iceberg,” said CISA Director Jen Easterly. “Today’s joint advisory and guide are the result of effective, persistent operational collaboration with our industry, federal, and international partners and reflect our continued commitment to providing timely, actionable guidance to all of our stakeholders. We are at a critical juncture for our national security. We strongly encourage all critical infrastructure organizations to review and implement the actions in these advisories and report any suspected Volt Typhoon or living off the land activity to CISA or FBI.”

Today’s joint advisory is based primarily on technical insights gleaned from CISA and industry response activities at victim organizations within the United States, primarily in communications, energy, transportation, and water and wastewater sectors. Our complementary joint guide is derived from those insights as well as previously published products, red team assessments, and industry partners.

The new advisory and guide have been jointly issued by CISA, National Security Agency (NSA), Federal Bureau of Investigation (FBI), Department of Energy (DOE), Environmental Protection Agency (EPA), Transportation Security Administration (TSA), Australian Signals Directorate’s (ASD’s) Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), a part of the Communications Security Establishment (CSE), United Kingdom National Cyber Security Centre (NCSC-UK), and New Zealand National Cyber Security Centre (NCSC-NZ).