The threat of cyberattacks against critical infrastructure in the United States has evolved beyond data theft and espionage. Intruders are already entrenched in the nation’s most vital systems, waiting to unleash attacks. For instance, CISA has raised alarms about Volt Typhoon, a state-sponsored hacking group that has infiltrated critical infrastructure networks. Their goal? To establish a foothold and prepare for potentially crippling attacks that could disrupt essential services across the nation.
Volt Typhoon embodies a threat far beyond everyday cyber crime. It indicates the dangerous reality of cyber pre-positioning — a tactic that allows cyber actors to infiltrate systems, maintain persistence and potentially launch massively destructive operations. With lifeline sectors such as communications, energy, transportation and water and wastewater systems under threat, the question is no longer if attackers are embedded within U.S. infrastructure but how deeply they have rooted themselves. And the implications directly impact national security.
Nation-state pre-positioning goes beyond espionage
Employed by nation-state actors, pre-positioning goes beyond mere intelligence gathering. By silently lurking within critical infrastructure networks, actors gain the capability to wreak havoc at a moment’s notice. These intrusions, particularly in sectors like water systems and energy grids, serve little espionage value, per Anne Neuberger, the Deputy National Security Adviser for Cyber and Emerging Technologies. This indicates that the infiltrations are likely precursors to far more disruptive objectives.
Volt Typhoon’s methodical approach has allowed them to infiltrate U.S. systems for extended periods — up to five years in some cases — without detection. They’ve targeted the infrastructure that millions of Americans depend on daily. In a time of heightened geopolitical tension, a well-timed cyberattack could grind vital systems to a halt, leaving the nation vulnerable to cascading failures across multiple sectors. The fallout could be unprecedented, impacting national security, the economy and everyday life.
Volt Typhoon’s tactical mastery
Volt Typhoon is no ordinary hacking group. This state-sponsored entity has displayed a level of sophistication that challenges even the most robust cybersecurity defenses. Through its living-off-the-land (LOTL) tactics, the group exploits legitimate network administration tools, blending seamlessly with normal traffic and making detection extremely difficult. Their use of known vulnerabilities in public-facing devices such as routers and VPNs allows them to gain access, while compromised administrator credentials give them the power to burrow deeper into networks and assess operational technology (OT) systems.
The group’s calculated patience is noteworthy. Instead of seeking short-term gains, they carefully study their targets and gain an understanding of the nuances of the systems they infiltrate. In one case, Volt Typhoon spent nine months moving laterally through a water utility’s network, gaining access to crucial OT assets, including water treatment plants and electrical substations. These infiltrations are more than a technical breach — they represent a looming threat to physical infrastructure that could manifest in catastrophic failures.
The FOCAL Plan’s strategic response
In the face of these threats, CISA has developed a robust response: the Federal Civilian Executive Branch (FCEB) Operational Cybersecurity Alignment (FOCAL) Plan. This strategic framework aims to shore up federal cybersecurity defenses by driving coordinated action across agencies. The FOCAL Plan outlines how federal agencies can adopt best practices to defend against pre-positioning and other sophisticated cyber threats, promoting a holistic approach from prevention to incident response.
The FOCAL Plan focuses on five critical areas: asset management, vulnerability management, defensible architecture, cyber supply chain risk management and incident detection and response. Each area plays a crucial role in safeguarding federal systems from persistent threats like Volt Typhoon:
- Asset management: Without knowing what assets exist within an organization, it is impossible to protect them. The FOCAL Plan emphasizes comprehensive, continuous visibility into all IT and OT assets to ensure that any unauthorized access can be detected and mitigated quickly.
- Vulnerability management: Regular vulnerability scanning and timely patching prevent hackers from exploiting known weaknesses, shutting down one of their primary entry points.
- Defensible architecture: Organizations must build resilience into systems, assuming that attacks will happen. This includes implementing zero trust principles to restrict lateral movement within networks and limit the damage attackers can do, even if they gain access.
- Supply chain risk management: This addresses the growing reliance on third-party vendors. With many cyberattacks exploiting vulnerabilities in third-party systems, the FOCAL Plan emphasizes the need for agencies to closely monitor their supply chains and ensure that their vendors adhere to strict cybersecurity protocols.
- Incident detection and response: This is the FOCAL Plan’s approach to real-time cyber defense. CISA urges agencies to deploy advanced tools like endpoint detection and response (EDR) systems, which can identify and respond to threats before they cause significant damage. The ability to share threat intelligence and coordinate responses across federal agencies is essential for ensuring that the government can act swiftly in the event of an attack.
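The LOTL tactics described under "Volt Typhoon’s tactical mastery" and the detection-and-response item above share one practical problem: the binaries involved are legitimate, so alerting on the tool name alone buries analysts in noise. The script below is an added illustration, not part of this article or of any CISA or EDR product, of the usual defensive answer: baseline which host/user/parent/image combinations normally run native admin tools, then flag only new combinations, with off-hours execution added as context. The log format, the host and user names, the `ADMIN_TOOLS` list and the business-hours window are all assumptions constructed for the example.

```python
"""Rarity-based flagging of living-off-the-land (LOTL) admin-tool use.

Everything here is constructed for illustration: the events, hosts, users
and the field layout (timestamp,host,user,parent_image,image,command_line)
mimic a generic process-creation export and are not any vendor's schema.
"""
from collections import Counter
from dataclasses import dataclass
import csv
import io

# Native Windows tools that are legitimate but are also what an intruder who
# avoids dropping custom malware tends to lean on. Assumed list for this example.
ADMIN_TOOLS = {
    "netsh.exe", "wmic.exe", "ntdsutil.exe", "powershell.exe",
    "net.exe", "reg.exe", "certutil.exe", "schtasks.exe",
}

# Constructed "known good" window used to build the baseline.
BASELINE_LOG = r"""
2025-01-03T08:12:00Z,FS01,CORP\svc_backup,services.exe,wmic.exe,wmic os get lastbootuptime
2025-01-03T09:00:00Z,WS22,CORP\jdoe,explorer.exe,powershell.exe,powershell -File C:\Tools\report.ps1
2025-01-04T08:12:00Z,FS01,CORP\svc_backup,services.exe,wmic.exe,wmic os get lastbootuptime
2025-01-05T10:30:00Z,WS22,CORP\jdoe,explorer.exe,notepad.exe,notepad.exe
"""

# Constructed events from the window being reviewed.
NEW_LOG = r"""
2025-02-10T08:12:00Z,FS01,CORP\svc_backup,services.exe,wmic.exe,wmic os get lastbootuptime
2025-02-10T02:41:00Z,FS01,CORP\admin_jsmith,cmd.exe,netsh.exe,netsh advfirewall show allprofiles
2025-02-10T02:43:00Z,FS01,CORP\admin_jsmith,cmd.exe,ntdsutil.exe,ntdsutil
2025-02-10T11:00:00Z,WS22,CORP\jdoe,explorer.exe,powershell.exe,powershell -File C:\Tools\report.ps1
2025-02-10T11:05:00Z,WS22,CORP\jdoe,explorer.exe,calc.exe,calc.exe
"""


@dataclass(frozen=True)
class ProcEvent:
    ts: str
    host: str
    user: str
    parent: str
    image: str
    cmdline: str

    def key(self):
        """Who ran what, launched from where: the tuple the baseline counts."""
        return (self.host, self.user.lower(), self.parent.lower(), self.image.lower())


def parse_events(text):
    """Parse the constructed CSV export into ProcEvent records."""
    reader = csv.reader(io.StringIO(text.strip()))
    return [ProcEvent(*row) for row in reader if row]


def build_baseline(events):
    """Count how often each host/user/parent/image tuple appeared in the known-good window."""
    return Counter(e.key() for e in events)


def off_hours(ts, start=6, end=20):
    """True when the UTC hour of an ISO-8601 timestamp falls outside the assumed business window."""
    hour = int(ts[11:13])
    return not (start <= hour < end)


def assess(event, baseline):
    """Return the list of reasons an event is interesting; empty for non-admin tools."""
    reasons = []
    if event.image.lower() not in ADMIN_TOOLS:
        return reasons
    reasons.append("native admin tool")
    if baseline[event.key()] == 0:
        reasons.append("host/user/parent/image combination never seen in baseline")
    if off_hours(event.ts):
        reasons.append("executed outside business hours")
    return reasons


def find_suspicious(new_events, baseline):
    """Keep admin-tool executions that also carry at least one anomaly reason."""
    hits = []
    for event in new_events:
        reasons = assess(event, baseline)
        if len(reasons) >= 2:
            hits.append((event, reasons))
    return hits


if __name__ == "__main__":
    baseline = build_baseline(parse_events(BASELINE_LOG))
    for event, reasons in find_suspicious(parse_events(NEW_LOG), baseline):
        print(f"{event.ts} {event.host} {event.user} {event.parent} -> {event.image}")
        for reason in reasons:
            print(f"    - {reason}")
```

In the constructed data the scheduled `wmic` inventory and the analyst’s `powershell` report are not flagged because the baseline already contains those exact tuples, while the two admin-tool launches from a new account at 02:41 and 02:43 are. In production the baseline window would come from the EDR or SIEM’s process-creation telemetry, and the point of the design is that the alert is about *who ran it from where*, which a LOTL actor cannot make look routine as easily as the binary name.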
Mitigation urgency and action
The threat landscape outlined by Volt Typhoon’s actions calls for an urgent response — not just from federal agencies but from every organization that operates critical infrastructure. The key to stopping attackers from exploiting pre-positioned access is to adopt a mentality of constant vigilance and proactive threat hunting. It’s not enough to react to attacks after they happen. Organizations must actively hunt for threats, continually monitor their systems and act quickly to patch vulnerabilities before they can be exploited.
CISA’s FOCAL Plan provides a framework, but it is up to individual organizations to implement these measures at every level. Regular security audits, comprehensive asset management and adherence to the latest cybersecurity best practices are non-negotiable. Organizations must be prepared for the reality of an attack, ensuring that they have backup systems in place. It’s vital to practice incident response through tabletop exercises and maintain open communication channels with CISA and other federal agencies.
The harsh reality is that many organizations may already have pre-positioned attackers within their networks. The objective now is to limit the damage they can do and to ensure that attackers cannot trigger even more widespread disruption.
The clock is ticking
The presence of cyber actors like Volt Typhoon in U.S. critical infrastructure is not hypothetical — it’s happening now, and the consequences of inaction could be devastating. The ability of these attackers to remain hidden within networks for years, studying their targets and preparing for destructive actions, underscores the importance of robust, proactive cybersecurity measures.
The FOCAL Plan is a step in the right direction, but the fight against pre-positioned cyber actors is far from over. It will require a sustained, coordinated effort between federal agencies, private organizations and international allies to ensure that U.S. critical infrastructure is protected and remains resilient.