Understanding and Mitigating Volt Typhoon Attacks


Organisations worldwide are facing a new era of cyber threats. In recent months, news has broken that numerous critical infrastructure operators have had their IT systems compromised by Volt Typhoon (also known as Vanguard Panda, BRONZE SILHOUETTE, Dev-0391, UNC3236, Voltzite, and Insidious Taurus). This was further illustrated by the recent breach of Microsoft’s corporate network by the Midnight Blizzard hacking group, which is confirmed to have accessed and stolen source code after breaching executive email accounts.

One adversary that stands out for its sophistication and persistence is Volt Typhoon. Identified as a state-sponsored cyber threat originating from the People’s Republic of China, Volt Typhoon poses a significant risk to critical infrastructure, particularly targeting Active Directory (AD) systems. Volt Typhoon exploits known or zero-day vulnerabilities in public-facing network appliances such as VPNs, firewalls, and routers to gain its initial foothold in the IT network.

As businesses grapple with these increasingly advanced challenges, the need for a security-first mindset has never been greater. Businesses need to do more to protect their data and update their security strategies to defend effectively against sophisticated threats.

Below, we delve into the nuances of Volt Typhoon attacks, the implications they can have for organisations, and the practical strategies for adapting your organisation’s security approach effectively.

Understanding Volt Typhoon Attacks

Volt Typhoon attacks are not merely random acts of cyber vandalism; they are meticulously planned and executed operations.

These attacks operate discreetly using a technique known as “living off the land”: attackers rely on tools and accounts that already exist in the environment, blending seamlessly into legitimate network activity and evading signature-based detection. By combining legitimate tools and techniques, adversaries can establish persistence within compromised systems, posing a significant threat to organisational security.
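Because living-off-the-land activity uses binaries that are already on the host, the detection opportunity is context rather than signature: a native admin tool launched by an account or parent process that does not normally launch it. The following Python script is an added example, not code from the original post or from Certes; it builds a per-host baseline of (user, parent process, image) combinations from known-good process-creation events and flags watchlisted native tools whose invocation context falls outside that baseline. The event format, hostnames, accounts and the watchlist of native binaries are all constructed assumptions for this example.

```python
"""Added example: context-based detection of "living off the land" activity
in Windows process-creation events (modelled loosely on Event ID 4688 fields).

Signature-based detection fails because the tools are legitimate; what still
stands out is *who* ran the tool and *from where*. We baseline the normal
(user, parent, image) combinations per host and alert on watchlisted native
binaries that appear in a combination never seen during the baseline period.
"""
from collections import defaultdict
from dataclasses import dataclass

# Native Windows binaries commonly abused because they are already present.
# This watchlist is an assumption for the example; tune it to your environment.
LOLBIN_WATCHLIST = {
    "ntdsutil.exe", "netsh.exe", "wmic.exe", "powershell.exe",
    "cmd.exe", "reg.exe", "vssadmin.exe",
}


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


def parse_event(line: str) -> ProcEvent:
    """Parse a constructed, pipe-delimited record: host|user|parent|image|cmdline."""
    host, user, parent, image, cmdline = line.split("|", 4)
    return ProcEvent(host, user, parent.lower(), image.lower(), cmdline)


def build_baseline(events):
    """Record which (user, parent, image) combinations are normal on each host."""
    baseline = defaultdict(set)
    for ev in events:
        baseline[ev.host].add((ev.user, ev.parent, ev.image))
    return baseline


def find_anomalies(events, baseline):
    """Return watchlisted-tool events whose (user, parent, image) combination
    was never observed on that host during the baseline period."""
    hits = []
    for ev in events:
        if ev.image not in LOLBIN_WATCHLIST:
            continue
        if (ev.user, ev.parent, ev.image) not in baseline.get(ev.host, set()):
            hits.append(ev)
    return hits


# Constructed sample data: known-good events from the baseline period ...
BASELINE_LOG = [
    "DC01|CORP\\svc-backup|services.exe|vssadmin.exe|vssadmin list shadows",
    "DC01|CORP\\admin-j|explorer.exe|cmd.exe|cmd /c dir",
    "WS22|CORP\\alice|explorer.exe|powershell.exe|powershell -file report.ps1",
]
# ... and new events to evaluate. A directory-service tool launched on the DC
# by a helpdesk account via the WMI provider host, and netsh launched the same
# way on a workstation, are the context mismatches this heuristic surfaces.
NEW_LOG = [
    "DC01|CORP\\admin-j|explorer.exe|cmd.exe|cmd /c dir",
    "DC01|CORP\\helpdesk-t|wmiprvse.exe|ntdsutil.exe|ntdsutil",
    "WS22|CORP\\alice|explorer.exe|powershell.exe|powershell -file report.ps1",
    "WS22|CORP\\alice|wmiprvse.exe|netsh.exe|netsh interface show interface",
]


def run_detection(baseline_lines=BASELINE_LOG, new_lines=NEW_LOG):
    """Baseline on the first set of records, then evaluate the second."""
    baseline = build_baseline(parse_event(line) for line in baseline_lines)
    return find_anomalies([parse_event(line) for line in new_lines], baseline)


if __name__ == "__main__":
    for hit in run_detection():
        print(f"[ALERT] {hit.host}: {hit.user} ran {hit.image} "
              f"via {hit.parent}: {hit.cmdline}")
```

On the constructed data the script raises two alerts (the ntdsutil and netsh invocations) and stays silent on the cmd.exe and powershell.exe events that match the baseline. In production the baseline would be fed from a SIEM over a representative window, and the watchlist and baseline period are the two knobs that trade alert volume against coverage.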

The recent breach of Microsoft’s corporate network by a Russian government-backed hacking team, the Midnight Blizzard group, highlighted an ongoing attack involving the theft of source code and unauthorised access attempts against internal systems. The attack targeted Microsoft’s internal computer systems, with the attackers reportedly gaining access to source code repositories.

This group, also known as Nobelium or APT29, has a history of other high-profile attacks, including the SolarWinds supply chain breach in 2020. Its ability to penetrate well-defended targets underscores the need for organisations to remain vigilant and strengthen their defences against advanced adversaries like Volt Typhoon.

Safeguarding Active Directory Infrastructure

Active Directory (AD) is Microsoft’s centralised directory service, managing user identities and access controls across an organisation’s network. It streamlines authentication, authorisation, and resource management. Because of its central role in the security infrastructure, it is frequently targeted by cyber adversaries seeking unauthorised access or disruption.

According to a report by Sophos, it took attackers only 16 hours to breach Active Directory in a majority of cases. The risks posed by Volt Typhoon are significant, with potential impacts including intellectual property theft, financial losses, service disruptions, reputational damage, and regulatory fines. Given the group’s capabilities, motivations, and recent campaigns targeting critical infrastructure sectors, the likelihood of intrusion for organisations is high. Understanding these risks helps prioritise security investments and allocate resources effectively, ensuring a robust defence against sophisticated adversaries that goes beyond conventional controls.

Recognising the Limitations of Traditional Security Measures

Traditional perimeter defences are no longer sufficient against the sophistication of state-sponsored hackers. Volt Typhoon and similar threats easily bypass these barriers. Once inside the network, the actor’s ability to move laterally and escalate privileges makes it difficult to detect and contain the threat, necessitating comprehensive and proactive security measures that anticipate future threats.

Addressing Implementation Challenges

While frameworks like MITRE ATT&CK offer valuable insights, implementing specific controls presents challenges because the threat landscape keeps evolving. Organisations must prioritise defences and adopt a holistic approach that addresses underlying vulnerabilities.

Mitigating Volt Typhoon attacks requires a multifaceted approach that encompasses both proactive prevention and reactive response measures. Implementing robust network segmentation, deploying advanced endpoint protection solutions, sharing threat intelligence, and establishing proactive incident response protocols are essential components of an effective defence strategy, some of which are also covered in CISA’s factsheet.

Data-Centric Segmentation: A Revolutionary Solution

Amidst these challenges, the need for a data-centric segmentation approach emerges as the revolutionary solution. By prioritising data protection and risk mitigation, organisations can bolster their defences against sophisticated adversaries like Volt Typhoon.

Certes DPRM, with its policy-based crypto-segmentation, offers enhanced protection for AD, not only preventing unauthorised access but also protecting the data itself by rendering stolen information unusable even after a breach. By disrupting Volt Typhoon’s attack chain, Certes DPRM mitigates lateral movement and privilege escalation, ensuring data security remains uncompromised at all times.

To combat threats like Volt Typhoon, organisations must adopt a proactive, innovative, and holistic approach to cybersecurity. By embracing data-centric segmentation and leveraging advanced security solutions like Certes DPRM, businesses can outpace adversaries and safeguard critical assets in an increasingly hostile digital landscape. 

To find out more about how Certes DPRM can help protect your Active Directory and beyond, read our whitepaper on “Going on the Offensive – Tackling Volt Typhoon attacks on Active Directory”.