Cybersecurity

Threat actors in China becoming ‘more brazen,’ NSA says

Dave Luber of the NSA told IT Brew new incidents tied to Volt Typhoon are unfolding every day based on “industry and incident response reporting.”

Illustration: Dianna “Mick” McDougall, Photo: Getty Images


Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

What makes China’s cyber activity unique? According to Dave Luber, the incoming director of cybersecurity at the NSA—who started his new role March 31—it comes down to three things: “scope, scale, and sophistication.”

Speaking about Volt Typhoon and similar APT groups, Luber told IT Brew in an email that “the idea that these actors are attempting to evade common detection techniques, get persistent access, and preposition themselves to exploit our critical infrastructure is a significant concern.”

Double down. As threat actors in China continue to pose a threat, Luber noted they have become “more brazen.”

“When new vulnerabilities are disclosed, rather than stop exploitation, they double down and hack more broadly,” he said.

If conflict or another crisis were to arise between China and the US, Luber said that the People’s Republic of China could use living off the land (LOTL) techniques employed by Volt Typhoon to “disrupt operational technology (OT) functions.”

Luber also noted that the NSA has observed Volt Typhoon using “elevated credentials for strategic network infiltration and additional discovery, often focusing on gaining capabilities to access OT assets.”

But what does that look like? Manipulation. For Volt Typhoon and similar groups, the access they have could cause potential disruptions to HVAC systems in server rooms or to “critical energy and water controls,” which may lead to “significant infrastructure failures.”

Luber said that new incidents tied to Volt Typhoon are unfolding every day based on “industry and incident response reporting.”

The NSA, via its cybersecurity advisories, recommends IT professionals take these and other steps to mitigate threats:

  • Use 15-character passwords or longer for all “IT and OT password-protected assets.”
  • Avoid storing “credentials on devices or systems.”
  • Regularly “review application, security, and system event logs.”
  • “Review directories for unexpected or unusual files.”
  • “Use gait to detect network proxy activities.”
  • Make note of VPN login “times, frequency, duration, and locations.”
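The advisory's log-review points (VPN login times, frequency, duration, and locations) can be turned into a simple baseline check. The script below is an added example written for this page, not code from IT Brew or the NSA; the one-line-per-session log format, the sample records, and the thresholds (working hours, the duration multiplier, the minimum history per user) are all constructed assumptions to be tuned to a real environment.

```python
"""Flag VPN sessions whose time, location, duration or daily frequency departs
from a user's own history.  Added example; the log format, the sample records
and the thresholds below are constructed for illustration."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <user> <source country> <duration minutes>"
SAMPLE_LOG = """\
2024-03-04T08:15:00 alice US 480
2024-03-05T08:02:00 alice US 465
2024-03-06T07:58:00 alice US 470
2024-03-07T08:20:00 alice US 455
2024-03-08T02:41:00 alice RO 1410
2024-03-04T09:00:00 bob US 420
2024-03-05T09:05:00 bob US 430
2024-03-06T09:10:00 bob US 415
2024-03-07T09:02:00 bob CA 425
2024-03-07T23:55:00 bob US 15
"""

# Assumed thresholds; tune to the environment being reviewed.
WORK_HOURS = range(6, 20)        # 06:00-19:59 counts as a normal login hour
MAX_DURATION_FACTOR = 2.0        # session longer than 2x the user's median is flagged
MIN_SESSIONS_FOR_BASELINE = 3    # too little history means no baseline, so no verdict


def parse_log(text):
    """Parse the constructed log format into a list of session dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, country, minutes = line.split()
        records.append({"time": datetime.fromisoformat(ts), "user": user,
                        "country": country, "minutes": int(minutes)})
    return records


def median(values):
    s = sorted(values)
    mid = len(s) // 2
    return s[mid] if len(s) % 2 else (s[mid - 1] + s[mid]) / 2


def find_anomalies(records):
    """Return one finding per session that breaks the user's own baseline."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)

    findings = []
    for user, sessions in sorted(by_user.items()):
        if len(sessions) < MIN_SESSIONS_FOR_BASELINE:
            continue
        country_counts = Counter(s["country"] for s in sessions)
        day_counts = Counter(s["time"].date() for s in sessions)
        typical = median([s["minutes"] for s in sessions])
        for s in sessions:
            reasons = []
            if s["time"].hour not in WORK_HOURS:
                reasons.append("off-hours login")
            if country_counts[s["country"]] == 1:
                reasons.append(f"unusual location {s['country']}")
            if s["minutes"] > MAX_DURATION_FACTOR * typical:
                reasons.append(f"long session ({s['minutes']} min vs median {typical:g})")
            if day_counts[s["time"].date()] > 1:
                reasons.append("multiple logins same day")
            if reasons:
                findings.append({"user": user, "time": s["time"].isoformat(),
                                 "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{f['user']:6} {f['time']}  {'; '.join(f['reasons'])}")
```

On the sample data, alice's single overnight session from a country she has never logged in from, lasting roughly three times her median, is flagged for all three of those reasons; bob's two sessions on the same day are each flagged for frequency, one additionally for the new location and the other for the late hour. A real deployment would feed the parser the VPN concentrator's own export format and persist the per-user baseline rather than recompute it from the same window it is judging.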