COMMENTARY: What gets perceived is real—at least to our adversaries, especially China. Their escalation of cyberattacks and military encounters has been driven by a perception that now’s the perfect time for them to engage on several fronts. What drives that perception–why now?
The political environment in the United States has undergone unprecedented events during this presidential election cycle. The sitting president has withdrawn from a campaign for a second term as the Democratic nominee. The former president, who recently survived an assassination attempt, is the Republican nominee. And the current vice president has become the official candidate for the Democrats.
For China, it’s not just a hotly-contested presidential campaign, it’s an opportunity to push its cyber agenda forward during a time of perceived upheaval and distraction around the world. The ongoing hostilities between Ukraine and Russia, combined with the continued Israel-Hamas war, create an ongoing set of crises that China will not waste.
In a previous SC Media column about Chinese APT group Volt Typhoon, I wrote the following: “It's clear what Volt Typhoon intends. They are preparing for a future war.”
Well, that time may have arrived.
[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]
Cybersecurity experts and government agencies have identified Volt Typhoon as a sophisticated threat actor, employing advanced tactics, techniques, and procedures (TTPs) to infiltrate and persist within critical infrastructure sector networks. Unlike traditional espionage, Volt Typhoon's operations suggest a pre-positioning strategy, aiming not just for information theft, but for potential disruption or destruction in the event of a major conflict. This shift indicates a strategic pivot towards cyber warfare readiness, where the battleground is both physical and digital.
In August, Volt Typhoon was linked to the compromise of Versa Director, a network management platform, via a zero-day exploit. This operation targeted ISPs and tech companies in the United States and globally. As we learned from the SolarWinds compromise, network management platforms are a top target for threat actors like Volt Typhoon.
Another way of looking at the Versa Director compromise: the likelihood that this attack was tested in other parts of the world before being deployed against the United States, what the military calls Intelligence Preparation of the Battlefield. Toward that end, Volt Typhoon has been focused on attacks against critical infrastructure in important areas worldwide, incidents that have the hallmarks of a prelude to war.
The Philippines in the crosshairs
With its strategic location in the South China Sea, the Philippines has increasingly become a target for Chinese aggression. This isn't merely coincidental, but part of a broader geopolitical strategy in which cyber capabilities are leveraged to assert dominance or influence in contested regions. While not exclusively focused on the Philippines, Volt Typhoon's activities illustrate a pattern in which cyber operations are used to probe, test, and potentially disable infrastructure that’s potentially crucial in any physical or diplomatic conflict.
Chinese military vessels, including their Coast Guard, have been ramping up aggressive interactions with the Philippine Navy. Called “gray-zone” tactics, China has been blocking, harassing, and ramming Philippine ships on a regular basis.
The Cybersecurity and Infrastructure Security Agency's (CISA) July 8 advisory on APT40, another alias for groups like Volt Typhoon, offers additional insights into China's intentions around weaponizing cyber. APT40, known for its rapid exploitation of new vulnerabilities, showcases China's commitment to maintaining a cutting-edge cyber warfare arsenal. The advisory warns of the group's ability to exploit zero-days and underscores their strategic patience in maintaining long-term access to compromised systems. This approach mirrors Volt Typhoon's tactics, suggesting a unified or at least coordinated strategy within Chinese cyber operations.
Connecting the dots around China's cyber strategy
The convergence of Volt Typhoon's activities and their modus operandi paints a picture of China's aggressive stance in cyberspace. Here's are the main elements of China's approach:
- Strategic patience: Volt Typhoon exhibits a willingness to remain undetected for extended periods, gather intelligence, and prepare for future operations. This patience aligns with China's long-term strategic goals in international relations and territorial disputes.
- Infrastructure focus: The targeting of critical infrastructure, as seen with Volt Typhoon, reflects a strategy aimed at crippling potential adversaries during conflicts, which could be economic, political, or military.
- Technological sophistication: Volt Typhoon’s rapid adaptation of new exploits indicates a robust R&D capability within China's cyber units, suggesting increased state-level investment in cyber warfare technologies.
- Geopolitical leverage: By targeting regions like the Philippines, China not only tests its cyber capabilities, but also exerts indirect pressure in geopolitical disputes, using cyber operations as a tool of diplomacy or coercion.
Implications for cybersecurity professionals
Ultimately, these discussions always end with how this impacts the end user, the employee, and the customer and what all of us can do about it. For CISOs and cybersecurity professionals, these global developments necessitate a reevaluation of defense strategies.
Start with enhanced threat intelligence: understanding the TTPs of groups like Volt Typhoon requires continuous monitoring and analysis of global cyber threats, focusing on state-sponsored actors. Second, set up proactive defenses by implementing zero-trust architectures and running regular patches and advanced threat detection systems. These steps can mitigate the risks posed by rapid exploit development. Finally, it’s paramount to ensure that critical infrastructure can withstand or quickly recover from cyberattacks. This includes physical and digital resilience, with regular drills and simulations.
Continued vigilance and daily security disciplines won’t stop all attacks, but they will make the attack less likely to succeed, and that’s how end users can be an effective first line of defense in a future cyber conflict. Remember that the more people on the front lines at businesses who are alert and understand that our adversaries view this moment as an opportunity to launch attacks, the better chances our organizations have to defend themselves.
Morgan Wright, chief security advisor, SentinelOne
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
