BOTTOM LINE UP FRONT – A stealthy Chinese-sponsored hacking group that blends into normal home office networks and has been pursuing efforts to disrupt critical infrastructure between the United States and Asia does not require a hugely sophisticated effort to thwart its malicious activity, a top Microsoft official said.
“If you just practice good [cyber] hygiene (i.e. fundamental best cybersecurity practices) of password resets … VPNs or multifactor authentication,” explained Microsoft Corporate Vice President Kelly Bissell during a Cyber Initiatives Group Summit last week, “then I think that [you] could be secure.”
In May, Microsoft disclosed that the hacker group, dubbed Volt Typhoon and active since 2021, had been targeting critical infrastructure organizations in Guam and across the United States. It relies on “living-off-the-land” techniques, using dual-use tools already installed on a target’s computer, and collects data with stolen credentials after gaining access.
“Just cleaning up the environment is really where we need to go,” added Bissell during a summit session in which he was interviewed by former National Security Agency Deputy Director Rick Ledgett, who discussed Volt Typhoon in the context of broader geopolitical tensions between the U.S. and China over Taiwan.
“Let's suppose that conflict with China over Taiwan happens,” Ledgett posed. “How would you use something like critical infrastructure access to affect the US' actions in that kind of a situation?”
“If that happened,” Bissell replied, “I do think this is one of the key components to disrupt either communications or even fuel systems delivery or other things that would aid in the United States or allies to be able to work in that area. I think this is very tactical, but strategic to maybe the future of what [Chinese leadership is] thinking about.”
The full interview is available below. It has been lightly edited for clarity.
THE CONTEXT
- August 2, 2022 – Despite Chinese warnings against the United States deepening ties with Taiwan, U.S. House Speaker Nancy Pelosi visits Taipei in a bid to showcase U.S. support for the island.
- October 7, 2022 – The U.S. Commerce Department orders sweeping restrictions on exports of advanced computing chips and related equipment to China, which the agency says China is using to “produce advanced military systems.”
- February 4, 2023 – President Biden orders the shooting down of a Chinese-operated balloon off the U.S. east coast after officials say it was spying on sensitive military sites.
- April 5, 2023 – Taiwan's President Tsai meets Kevin McCarthy in the face of China's warnings, prompting Chinese war games in the region.
- April 10, 2023 – China's military pronounces that it is “ready to fight” after three days of large-scale combat exercises around Taiwan.
- May 24, 2023 – Microsoft announces the discovery of Volt Typhoon, a China-sponsored hacking group focused on critical infrastructure in the United States.
Rick Ledgett, Former Deputy Director, National Security Agency
Rick Ledgett served as the Deputy Director of the National Security Agency from January 2014 until his retirement in April 2017, culminating a nearly 40-year career in cryptology at NSA and in the U.S. Army. He previously led the Media Leaks Task Force, the Agency’s response to the Snowden leaks. He was the first National Intelligence Manager for Cyber at the Office of the Director of National Intelligence, and he directed NSA’s 24/7 cyber threat operations center. Ledgett currently serves on the board of M&T Bank, is a senior visiting fellow at MITRE, a member of the National Infrastructure Advisory Council, and a Board Trustee at IDA.
Kelly Bissell, CVP, Microsoft
Kelly Bissell joined Microsoft as Corporate Vice President in 2022. Prior to this, Bissell led Accenture’s Global Security business and oversaw security services including strategic consulting, cyber defense, digital identity, response and remediation services, and managed security services. With more than 25 years of security industry experience, Bissell specializes in breach incident response, identity management, privacy and data protection, secure software development, and cyber risk management. His role at Accenture spanned strategic consulting, proactive risk management and digital identity to cyber defense, response and remediation services, and managed security services—across all industries.
Ledgett: Can you level set us on what Volt Typhoon is and what's different about it?
Bissell: What it is is very surgical, even really thoughtful about how they go attack in what we call living off the land. They use the technologies in a SOHO environment (small office/home office) and take over those devices, get real credentials, and then use that to stay connected into critical infrastructure. They did this in Guam and some other places around.
I think this causes concern because what are they going to do with it? What's the purpose? What's the mission behind it? Is it a test? Really, what they did was they just used command line access to be able to set them up for persistence around tools like Fortinet and Cisco and D-Link and Netgear and all these equipment pieces that are sitting in these SOHO environments. Normally, this group that we've been tracking since 2021, they were really just collecting data. But now it seems that they were not just surgical, but they were trying to figure out how do they compromise those devices and then stay there so that they can collect more information or some future use? That's it in a nutshell.
Ledgett: What makes living off the land so difficult in this space? And what makes someone who lives off the land different from someone who deploys a zero-day attack – [a broad term used to describe security vulnerabilities of which the developer has only just learned, suggesting they have “zero days” to fix it.]
Bissell: Because they have to find the credentials to allow them into those devices anyway, so they have to use social techniques. [Or hackers can get access] if no one's changed the default password, which we still see all the time. [There are also] other ways to get into that device with valid credentials. They don't use a zero day, they use a valid credential and then of course they want to set up more credentials so that if that one's found out, they have other ways of getting in. That's the difference, really.
Ledgett: That makes it more difficult for intrusion detection systems and peripheral technology to detect them?
Bissell: Yes. It's hard to detect them when you're a valid user in the environment. This is how they can go under the radar and even if they exfiltrate data out, they do it thoughtfully. They do it through normal channels that would look like normal traffic. Their goal is to be not only persistent, but be under the radar, undetected, and this is the best way that they could do it.
Ledgett: What should the public think about this? Should we all be rushing around in circles and tearing out our hair and saying, what do we do?
Bissell: Not for tearing out our hair. But I do think we all, both in very large enterprises that have [Operational technology] OT environments and plants that have this type of equipment, but also our homes, we should practice good hygiene. We should ensure that we reset our router password and our other devices in our small office or home office environments. We're not using defaults like we think about. We're actually reviewing the users that are on those devices to make sure that they are the right ones. If you just practice good hygiene of password resets, maybe some password-less or VPNs or multifactor authentication, those good hygiene actions. Then I think that they could be secure.
Ledgett: That's a good point. One, the target of the entities has mainly been critical infrastructure, so things like telecommunications, power, [and] water systems – the traditional DHS catalog of critical infrastructure. One thing I noticed that was missing from there was finance. Any thoughts on why not finance?
Bissell: One is maybe they were busy trying to get into those real critical infrastructure, such as power and telecoms. Or, in areas like Guam and others that were moving to mobile payments in a different way than their traditional banking system. That's a different approach to be able to penetrate those environments than maybe what we think about here in the US. But you never know. They may move into the banking environment, too, because that is a part of the critical infrastructure.
Ledgett: What about companies outside critical infrastructure? Companies who are involved in manufacturing, but not key to defending the nation or our way of life. Someone who makes Cool Whip or someone who makes paper boxes – things that are important but aren't critical infrastructure. How should they think of this?
Bissell: I think Cool Whip should be part of critical infrastructure. At least my waist would tell you that. But critical infrastructure or many factors that maybe are not deemed part of the 16 industries, they still should pay attention to this because sometimes the intent on the attacker is one, maybe to shut down critical infrastructure or cause some disruption. Not just a critical infrastructure, but to affect the economy. If you shut down the Cool Whip plant, I'm upset, but so are millions of others around the world and it can cause economic damage. I think what they need to do is take a lesson from this and practice those same hygiene actions so that they could be safe against this. Especially Cool Whip.
Ledgett: The hygiene things you're talking about are things like patching, network segmentation, multifactor authentication, change your passwords regularly, limited privilege, that sort of a thing. Are there any other things that should be part of this?
Bissell: If you're a big company, you could definitely do network segmentation, but sometimes these small offices, if you do those multifactor authentications, if you do password reviews and resets, I actually think going to a password-less with expiration rules and deactivating those unused accounts and so forth. Just cleaning up the environment is really where we need to go. And then if we can reduce the attack surface, so what can they do? If they can have some good firewalls in between, I would say the crown jewels of that manufacturing plant and other things, that can help them be safe against these attacks.
Ledgett: Do you think that generative AI gives adversaries the chance to do the tailored access operations approach to computer network exploitation? Do you think that's a real thing or is that unrealistic?
Bissell: It is a real thing. We know that attackers want not one method, like old and slow, but also the advanced technologies like AI. They are adopting it maybe faster than the good guys. But in this arms race, if we're moving from a knife fight to a gun fight, we got to make sure that the good guys can adopt that AI. I am most focused on not the theoretical side of AI, but applied AI. How do I use AI to really give me better insights than I didn't have before? Or I could do it much faster. I can write scripts with AI. I could actually put disparate data together, which I couldn't do before in the human side of it. I think there's so many good things that the good guys could do, but the bad guys are already moving in this direction, so we got to be watchful for that.
Ledgett: I've been maintaining for a while now that AI is actually going to help solve our cybersecurity workforce shortage in the US because we're going to automate lots of the [security operations center] SOC 1 analyst jobs. And analysts are going to be spending their time doing harder things as opposed to basic things. We'll see if that turns out to be true.
Bissell: I think you're totally right. I've been steeped to the guts of AI inside here at Microsoft for nine months. How do I kick the tires and get the kinks out of the system and apply it to an operational usage? What I'm learning is exactly what you said, I had to have these really heavyweights in the SOC writing code, testing it, and running scripts, but now I can actually bring someone that doesn't have that capability and they can actually just ask simple questions to that large language model approach.
I'm lowering the bar for what they need to do, therefore I can bring far more people to the SOC than before, maybe even business risk people that understand about mortgage fraud or ACH wire transfer fraud that maybe some SOC people didn't always understand. I think it opens the pool of cyber good guys to be able to fight within through the lens of that industry across that value chain. This is going to be really powerful. Maybe the last thing I'll say is in my 30 years of doing this, Rick, I've never been this excited about a technology around this AI component because now it's ready to be applied to real life.
Ledgett: Back to Volt Typhoon: Microsoft has been tracking them since 2021. Do we think they're a new entity or do we think they were doing something else before or we just don't know?
Bissell: I'm not sure we'll ever know for sure. But it seems to me that they were pivoting to another campaign. I would say this living off the land campaign in the critical infrastructure in Guam, and in other areas, maybe specifically in Asia for a purpose, either to build out the capability or to really have that insight in that geographic area in case future conflicts came to bear and they needed that access. Actually, it seems to me that maybe it was a previous group, but this is a new campaign.
Ledgett: Let's suppose that conflict with China over Taiwan happens. How would you use something like critical infrastructure access to affect the US' actions in that kind of a situation?
Bissell: I think if that happened, I do think this is one of the key components to disrupt either communications or even fuel systems delivery or other things that would aid in the United States or allies to be able to work in that area. I think this is very tactical, but strategic to maybe the future of what they're thinking about. I think that we got to be really thoughtful about what this could do and how do we counter this? This is why I think we've got to just keep that whole area as safe as possible from a cyber-attack so that we don't have a disruption in the future.
Ledgett: Microsoft, when you guys published the report in May, you said that you'd set up Microsoft Defender and other security tools that you had in order to recognize and alert on this. And then just recently, CrowdStrike released a report that basically said the adversary had pivoted some of his techniques and was now looking at different entry points into the network and different ways of gaining initial access and maintaining persistence. As that happens, is there collaboration between you guys on security things? Is there a working back and forth where you tip each other off?
Bissell: No matter what our software companies have, the threat intel analysts, the response teams, we all work pretty fluidly together. Even later today, I'll be on a call jointly with Google and [CEO of Mandiant at Google Cloud] Kevin Mandia's team around how we're working together to keep a particular customer safe. I think right now, we're pretty collaborative. But I do think that we have a professional courtesy with each other to make sure that we work together to keep the world safe.
Ledgett: It's nice to see companies working that way where it's not just about my company, it's about my company and our collaborative cooperative effort.
Bissell: That's our collective mission. I think [former National Cyber Director] Chris Inglis would say they have to beat all of us to beat one of us. And I think that we got to stick together on this. We really do.
Ledgett: Anything else you'd like to say about Volt Typhoon?
Bissell: Volt Typhoon is just one campaign as I see it. I think there's a tactical thing and a technical view of it. There is maybe a geopolitical view of it that we have to pay attention to. And then what does this campaign have to do with this other campaign over here and this other one? The more we share with our partners, like you suggested, around CrowdStrike and Palo Alto and Google and AWS and all these. We've got to do more together because then we can see the complete picture for what seems to be going, and not just in the private sector, but also governments and law enforcement.
I've seen a big change in the last two or three years around public private partnership, and I would actually applaud the Cipher Brief because that was one of the things that pulled us all together to start us acting or operating well together. I think there's more to do, but I'm excited about what we're going to do in the future with the [Cybersecurity and Infrastructure Security Agency] CISA, with [Government Communications Headquarters] GCHQ or the [National Cyber Security Centre] NCSC in the UK. Same with Australia and all of our partners around the world. This is just a start for us to be far more collaborative than in the past.
Ledgett: Microsoft obviously is a big company and it's an important company, and it's great to see you guys understanding your role and stepping up to the role and taking a leadership role.
Bissell: In many ways, it's not only our opportunity, it's our responsibility. There's always more that we can do.
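The hygiene steps Bissell returns to throughout the interview (reset vendor-default passwords, review which accounts exist on SOHO and OT devices, deactivate unused accounts, require multifactor authentication) can be checked mechanically once you have an inventory of device accounts. The script below is an added example written for this page; it is not Microsoft's tooling or anything published by the parties quoted. It assumes a constructed inventory format (device name, user, role, a SHA-256 hash of the stored password, MFA flag, enabled flag, last-login date), a constructed list of hypothetical vendor-default passwords, and a 90-day staleness threshold; all of these are assumptions, not values from the article.

```python
"""Account-hygiene audit over a constructed inventory of SOHO/OT device
accounts. Flags the three conditions the interview singles out:
vendor-default passwords still in place, enabled accounts nobody has
used in a long time, and enabled administrative accounts without MFA."""
import hashlib
from datetime import date, timedelta

# Constructed list of vendor default passwords (hypothetical values,
# not taken from any real product's documentation).
KNOWN_DEFAULT_PASSWORDS = ["admin", "password", "1234", ""]


def sha256_hex(text: str) -> str:
    """Hex SHA-256 of a string; used so the audit never needs plaintext."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Pre-hash the defaults so the audit only compares hashes the inventory
# already stores against hashes of known defaults.
DEFAULT_HASHES = {sha256_hex(p) for p in KNOWN_DEFAULT_PASSWORDS}

# Assumed policy: an enabled account unused for more than 90 days is stale.
STALE_AFTER = timedelta(days=90)


def audit_account(acct: dict, today: date) -> list:
    """Return a list of hygiene findings for one account (empty if clean)."""
    findings = []
    if acct["password_sha256"] in DEFAULT_HASHES:
        findings.append("vendor-default password")
    last = acct.get("last_login")
    if acct["enabled"] and (last is None or today - last > STALE_AFTER):
        findings.append("enabled but unused for >90 days")
    if acct["enabled"] and acct["role"] == "admin" and not acct["mfa_enabled"]:
        findings.append("admin without MFA")
    return findings


def audit_inventory(inventory: list, today: date) -> dict:
    """Map 'device/user' -> findings for every account with at least one finding."""
    report = {}
    for acct in inventory:
        found = audit_account(acct, today)
        if found:
            report[f"{acct['device']}/{acct['user']}"] = found
    return report


# Constructed sample inventory and a fixed 'today' so results are reproducible.
TODAY = date(2023, 6, 15)
SAMPLE_INVENTORY = [
    {"device": "router-home-01", "user": "admin", "role": "admin",
     "password_sha256": sha256_hex("admin"), "mfa_enabled": False,
     "enabled": True, "last_login": date(2023, 6, 14)},
    {"device": "router-home-01", "user": "support", "role": "user",
     "password_sha256": sha256_hex("s3cure-Pa55"), "mfa_enabled": False,
     "enabled": True, "last_login": date(2022, 11, 1)},
    {"device": "plant-hmi-02", "user": "operator", "role": "admin",
     "password_sha256": sha256_hex("correct horse battery staple"),
     "mfa_enabled": True, "enabled": True, "last_login": date(2023, 6, 10)},
    {"device": "plant-hmi-02", "user": "vendor-temp", "role": "admin",
     "password_sha256": sha256_hex("Tmp!2021"), "mfa_enabled": False,
     "enabled": False, "last_login": None},
]

if __name__ == "__main__":
    for key, findings in audit_inventory(SAMPLE_INVENTORY, TODAY).items():
        print(key, "->", "; ".join(findings))
```

On the sample data the router's admin account is flagged twice (default password, no MFA), the support account is flagged as stale, the operator account is clean, and the already-disabled vendor account produces nothing, which is the outcome the "deactivate unused accounts" advice aims for. Comparing hashes rather than plaintext is deliberate: an inventory export should never need to carry device passwords for this check to work.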