Why Australia should care about the Volt Typhoon hacking network

Claroty

By Leon Poggioli*
Wednesday, 20 March, 2024


On the 7th of February, the FBI, NSA and CISA issued an advisory that Volt Typhoon, a state-sponsored cybercriminal group, had maintained persistent access inside the networks of many American critical infrastructure organisations, in some cases for as long as five years.

If Volt Typhoon hackers were lurking inside American critical infrastructure undetected for this long, it’s reasonable to assume the same for Australia’s critical infrastructure.

I believe that the bulk of nation-state attacks on critical infrastructure are not intended to launch an attack immediately. Rather, their purpose is to perform valuable reconnaissance, lie dormant in preparation for when nations are at war and then strike when the time is right, launching a cyber attack to disrupt a nation’s domestic critical infrastructure. We’ve seen this already in cyber attacks against Ukraine, where Kyivstar, Ukraine’s largest mobile operator, was taken offline by state-sponsored hackers.

While Australia has taken solid steps to protect its critical assets, including legislation such as the Critical Infrastructure Act, SOCI and AESCSF, as well as all of our cybersecurity standards and frameworks, the US is arguably more mature in its cyber posture — so it’s reasonable to assume that our critical infrastructure in Australia could also be compromised by Volt Typhoon.

So, how can we identify nation-state activity, or better yet, keep them out of our networks altogether?

The approach is simple: to protect any territory, it first needs to be mapped. This involves taking a detailed inventory of all internet-connected assets and analysing the network traffic to and from these assets in real time. With accurate mapping, any unauthorised access attempts by hacking groups (who often take the ‘low and slow’ approach to evade detection) can be identified and terminated. Critical vulnerabilities, particularly on external-facing devices, need to be remediated as a priority in order to avoid these vulnerabilities being exploited, such as in the case of the cyber attack on Denmark’s power grid last year.
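As an added illustration (not Claroty's code or anything from the article), the mapping-then-monitoring idea in Python: a constructed asset inventory recording which peers each asset should talk to, a constructed connection log, and a check that flags sources outside an asset's allowlist and repeated attempts on an external-facing asset spread over long intervals, the 'low and slow' pattern. The inventory, addresses, thresholds and log entries are all assumptions.

```python
"""Added illustration (not Claroty's code): baseline an asset inventory and
flag unauthorised and 'low and slow' access attempts against mapped assets.
All inventory entries and flow records below are constructed sample data."""
from collections import defaultdict
from datetime import datetime

# Constructed asset inventory: address -> (name, external_facing, allowed peers)
INVENTORY = {
    "10.0.1.10": ("historian", False, {"10.0.1.20"}),
    "10.0.1.20": ("eng-workstation", False, {"10.0.1.10"}),
    "203.0.113.5": ("remote-access-gw", True, {"198.51.100.7"}),
}

# Constructed connection log: (UTC timestamp, source, destination)
FLOWS = [
    ("2024-01-02T03:10:00", "198.51.100.7", "203.0.113.5"),
    ("2024-01-09T02:55:00", "192.0.2.44", "203.0.113.5"),
    ("2024-01-23T04:05:00", "192.0.2.44", "203.0.113.5"),
    ("2024-02-06T03:40:00", "192.0.2.44", "203.0.113.5"),
    ("2024-02-06T03:41:00", "10.0.1.20", "10.0.1.10"),
    ("2024-02-07T11:00:00", "10.0.1.99", "10.0.1.10"),
]


def review_flows(flows, inventory, min_attempts=3, min_gap_days=7):
    """Return findings as (kind, source, asset name) tuples: sources that are
    not on an inventoried asset's allowlist, and sources whose repeated
    attempts on an external-facing asset are each at least min_gap_days
    apart (the 'low and slow' pattern that evades rate-based alerting)."""
    unauthorised = set()
    attempts = defaultdict(list)  # (src, dst) -> timestamps of attempts
    for ts, src, dst in flows:
        if dst not in inventory:
            continue  # destination is not one of our mapped assets
        name, external, allowed = inventory[dst]
        if src not in allowed:
            unauthorised.add((src, name))
            if external:
                attempts[(src, dst)].append(datetime.fromisoformat(ts))
    findings = [("unauthorised", s, n) for s, n in sorted(unauthorised)]
    for (src, dst), stamps in attempts.items():
        stamps.sort()
        gaps = [(b - a).days for a, b in zip(stamps, stamps[1:])]
        if len(stamps) >= min_attempts and gaps and min(gaps) >= min_gap_days:
            findings.append(("low-and-slow", src, inventory[dst][0]))
    return findings
```

The thresholds are deliberately tunable: the same attempts with `min_gap_days=30` are still reported as unauthorised but no longer as a low-and-slow campaign.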

Particular attention must be paid to the network perimeter, which is where attackers enter and gain a foothold into these networks. Previously, network operators would simply ‘air gap’ their industrial control systems from the outside world, but in the age of growing remote connectivity, the only thing this strategy delivers nowadays is a false sense of security.

Once appropriate network protections have been put in place to block new unauthorised access, the control system network must be monitored.

The mitigations listed above are technical controls, which are only one part of the equation. We must also look at Australia’s cyber culture, particularly among critical infrastructure organisations, and the imperative that mistakes and oversights are learned from. By driving an open culture of disclosure, we will be able to learn from successful attacks and prevent attackers from recycling their cyber-attack playbooks onto other victims in future.

By working together to protect our critical infrastructure, we’ll be able to maintain essential services for Australians and protect our modern way of life.

*Leon Poggioli is the Australia & New Zealand Regional Director at Claroty, a technology company focused on cybersecurity for industrial control systems and healthcare environments.
