FORT MEADE, Md. – The National Security Agency (NSA) has joined partners to issue a Cybersecurity Advisory (CSA) to address People’s Republic of China (PRC) targeting of U.S. critical infrastructure. The CSA, entitled “PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure,” is led by the Cybersecurity and Infrastructure Security Agency (CISA) in partnership with NSA, the Federal Bureau of Investigation (FBI), and additional government agencies.
The CSA focuses on PRC-sponsored cyber actor, Volt Typhoon, targeting IT networks of communications, energy, transportation, water, and wastewater organizations in the U.S. and its territories. The authoring agencies recognize the reality that the PRC has already compromised these systems. In some cases, the cyber actors have been living inside IT networks for years to pre-position for disruptive or destructive cyberattacks against operational technology (OT) in the event of a major crisis or conflict with the United States.
“This is something we have been addressing for a long time,” said Rob Joyce, NSA’s Director of Cybersecurity and Deputy National Manager for National Security Systems (NSS). “Our insights on PRC pre-positioning have driven action across the cyber community. We have gotten better at all aspects of this, from understanding Volt Typhoon’s scope, to identifying the compromises likely to impact critical infrastructure systems, to hardening targets against these intrusions, to working together with partner agencies to combat PRC cyber actors.”
The CSA notes Volt Typhoon’s choice of targets and pattern of behavior are not consistent with traditional cyber espionage or intelligence gathering. Their ability to access operational technology (OT)could allow the group to disrupt OT functions across multiple critical infrastructure entities.
This report is paired with a technical guide, also released today, entitled “Identifying and Mitigating Living Off the Land (LOTL).” LOTL is a technique often used by Volt Typhoon to access and embed undetected in existing systems.
Read the full report here.
Visit our full library for more cybersecurity information and technical guidance.
NSA Media Relations