Note: this article was triggered by a Dragos report and briefing Tuesday on Volt Typhoon (they call it VOLTZITE) and its potential future impact on cyber/physical systems.
The real message, the key takeaway on Volt Typhoon for those running critical infrastructure ICS (energy, water, transportation, critical manufacturing, etc.) is adversaries are and will continuously be trying to be pre-positioned and persistent on your IT and OT networks. Volt Typhoon isn’t important, except for IOCs and TTPs. The recognition and acceptance that this is the status quo is what’s critical.
I’m surprised it has taken this long. I wrote and spoke first about this in 2013.
An offensive organization often cannot wait until the weapon is needed to develop and deploy it. Developing and pre-staging weapons is common. If you want to take out an enemy's fuel supply, water or electricity when hostilities start, it is necessary to have the offensive weapon in place before that possible conflict.
We, Americans, can moan about how this shouldn’t happen, but it is the status quo and even the United States is doing it as well. More palatable terms like Defend Forward are used, but it’s the same. The best book I’ve read on this is Cyber Persistence Theory by Fischerkeller, Goldman and Harknett, and if you don’t have time to read the book then watch my interview with Michael Fischerkeller.
Still skeptical? The foreword for Cyber Persistence Theory is written by Gen Nakasone, who was the head of USCYBERCOM at the time. He gives the authors credit for “laying the foundation for the Command’s approach of Persistent Engagement”.
One of the key concepts in Cyber Persistence Theory is the fait accompli.
fait accompli imposes a limited unilateral gain at an adversary’s expense in an attempt to get away with that gain when the adversary chooses to relent rather than escalate in retaliation.
Gaining access to and persistence on non-classified critical infrastructure IT networks falls under fait accompli today. We don’t know yet about access and persistence on OT networks, and my guess is this would also not result in a country escalating in retaliation. It would take using the access to cause a moderate to high consequence event, taking out the power for 24 hours in Denver for example, to move past the fait accompli. We never really know until it happens.
The fact that the Chinese succeeded and got caught doing this is newsworthy. The fact that countries and other players are trying to get access and maintain persistence in critical infrastructure is not.
OT Impact
I read the Dragos report closely as well as Rob Lee’s word choice in the media briefing on VOLTZITE. To the best of their knowledge, it had not gotten into OT (based on the briefing, the report states there was one instance of it reaching Stage 1 of the ICS Cyber Kill Chain). The protection measures prevented it from reaching OT.
The question is: how hard was it trying to reach OT and exfiltrate information on OT? The report is largely silent on this. In the briefing Rob said they saw many instances of VOLTZITE exporting OT information from IT that could be used to prepare for a future cyber/physical attack. Was this part of a specific data request or a general vacuuming up of information? Either way, going back to the fait accompli, exfiltrating information on OT would be unlikely to lead to escalation.