PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure | CISA
This CISA advisory documents PRC state-sponsored cyber actors (Volt Typhoon) pre-positioning in U.S. critical infrastructure, relevant to AI safety as it illustrates how adversarial actors exploit AI-adjacent systems and the governance challenges of securing critical infrastructure against nation-state threats.
Summary
CISA, NSA, FBI, and international partners warn that PRC state-sponsored group Volt Typhoon has compromised U.S. critical infrastructure sectors—including communications, energy, transportation, and water—using living-off-the-land techniques to maintain persistent, long-term access. The advisory assesses these actors are pre-positioning for potential disruptive cyberattacks during geopolitical crises or military conflict. Recommended mitigations include patching, phishing-resistant MFA, and centralized logging.
Key Points
- Volt Typhoon has maintained persistent access to U.S. critical infrastructure IT environments for at least five years using stealthy living-off-the-land (LOTL) techniques.
- Targeted sectors include Communications, Energy, Transportation Systems, and Water/Wastewater, including non-continental U.S. territories such as Guam.
- The group's behavior is assessed as pre-positioning for disruptive/destructive attacks during potential military conflict, not traditional espionage.
- Key mitigations: patch internet-facing systems, implement phishing-resistant MFA, enable centralized logging, and plan for end-of-life technology replacement.
- Allied nations (Australia, Canada, UK, New Zealand) co-authored the advisory, noting their own infrastructure may face similar or cascading risks.
Cited by 1 page
| Page | Type | Quality |
|---|---|---|
| AI Cyber Damage: Bounding the Tail | Analysis | -- |
Cached Content Preview
Cybersecurity Advisory
PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure
Release Date February 07, 2024
Alert Code AA24-038A
Related topics: Nation-State Threats, Critical Infrastructure Security and Resilience, Cyber Threats and Response
Actions to take today to mitigate Volt Typhoon activity:
- Apply patches for internet-facing systems. Prioritize patching critical vulnerabilities in appliances known to be frequently exploited by Volt Typhoon.
- Implement phishing-resistant MFA.
- Ensure logging is turned on for application, access, and security logs, and store logs in a central system.
- Plan “end of life” for technology beyond the manufacturer’s supported lifecycle.
SUMMARY
The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) assess that People’s Republic of China (PRC) state-sponsored cyber actors are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.
CISA, NSA, FBI, and the following partners are releasing this advisory to warn critical infrastructure organizations about this assessment, which is based on observations from the U.S. authoring agencies’ incident response activities at critical infrastructure organizations compromised by the PRC state-sponsored cyber group known as Volt Typhoon (also known as Vanguard Panda, BRONZE SILHOUETTE, Dev-0391, UNC3236, Voltzite, and Insidious Taurus):
- U.S. Department of Energy (DOE)
- U.S. Environmental Protection Agency (EPA)
- U.S. Transportation Security Administration (TSA)
- Australian Signals Directorate’s (ASD’s) Australian Cyber Security Centre (ACSC)
- Canadian Centre for Cyber Security (CCCS), a part of the Communications Security Establishment (CSE)
- United Kingdom National Cyber Security Centre (NCSC-UK)
- New Zealand National Cyber Security Centre (NCSC-NZ)
The U.S. authoring agencies have confirmed that Volt Typhoon has compromised the IT environments of multiple critical infrastructure organizations—primarily in the Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors—in the continental and non-continental United States and its territories, including Guam. Volt Typhoon’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions. The U.S. authoring agencies are concerned about the potential for these actors to use their network access for disruptive effects in the event of potential geopolitical tensions and/or m
... (truncated, 93 KB total)