Volt Typhoon, the Chinese government-backed cyberspies whose infrastructure was at least partially disrupted by Uncle Sam, has been homing in on other US energy, satellite and telecommunications systems, according to Robert Lee, CEO of security shop Dragos.
Lee reported that his biz has been responding to Volt Typhoon activity for about a year and a half and offered additional insights into the intrusions. Earlier Tuesday, news broke that the FBI had obtained a court order to remotely disable parts of the PRC-backed crew’s cyber campaign.
“We’ve been involved in incident response cases, as well as using our intelligence and capabilities to track that group and identify where they’ve been targeting,” Lee said.
These targets, he added, are “very strategic sites, the types of sites you’d really want to go after in conflict, focusing on US energy systems, as well as US satellite and telecommunication networks.”
Volt Typhoon “consistently chooses industrial targets, goes after those targets, and plays this low and slow game,” Lee said.
This particular espionage gang, he added, has the resources and the technical capabilities to develop “Pipedream-like capabilities.”
Pipedream is industrial control system (ICS)-specific malware that Dragos uncovered in April 2022 after spotting it in an unnamed organization’s OT environment. Mandiant calls this set of ICS attack tools “Incontroller,” and notes that it is “consistent with Russia’s historical interest in ICS.”
The malware doesn’t exploit a particular vulnerability in these systems, but rather allows the operators to interact with a variety of industrial equipment from multiple vendors, and then disrupt or even physically destroy critical devices.
Shortly after the threat hunters sounded the alarm on this new nation-state cyber weapon, several US government agencies (CISA, NSA, FBI and Department of Energy) warned that programmable logic controllers from Schneider Electric and Omron Electronics, Open Platform Communications Unified Architecture servers and other devices were at risk.
To date, Dragos does not believe Pipedream has been used in a critical infrastructure attack, Lee said.
“It was the thing they were ready to use when they were ready to go to armed conflict,” he said. “That capability allows you to interact with industrial networks and environments to cause physical destruction. And it works on all the different industries from a water system to a carbon cracker to a servomotor on an unmanned aerial vehicle.”
The malware “takes advantage of native functionality” inside of industrial environments, meaning that it can’t be fixed by patching a hole or updating the software or firmware, Lee added.
This means the threat still exists.
“What concerns me is other countries are working on very similar capabilities,” Lee said. “And these capabilities are going to start proliferating to criminals.”
Presumably countries like Russia and China would wait and use these types of destructive attacks against critical systems during times of war. The Volt Typhoon campaign, for example, could allow China to disrupt US military operations in the Indo-Pacific region in the case of a Chinese invasion of Taiwan, according to some national security sources.
However, once profit-motivated criminal gangs get ahold of these types of tools, Lee said he expects these destructive attacks to become more commonplace. He pointed to the rise in popularity of Cobalt Strike and other legitimate offensive security tools among ransomware gangs to prove this point.
“Criminal actors no longer needed to develop their own capabilities, malicious software vulnerabilities, etc.,” Lee said. “They literally buy off-the-shelf tools that are commonly used, and then just worry about operating them.”
When Cobalt Strike became available, “you saw massive amounts of criminal groups spin up overnight being able to leverage it. When Pipedream or Pipedream-like capabilities leak out in the community, they will be the Cobalt Strike of OT. That’s the stuff that worries me.”