LastPass Labs

Recent VOLT TYPHOON Mitigation Recommendations Underscore Importance of Credential Management

Mike Kosak, February 15, 2024
In recent weeks, the Chinese government-sponsored cyber threat actor VOLT TYPHOON has come to the forefront of cyber threat reporting. The group is associated with targeting organizations in the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, energy, water and wastewater, and education sectors. It seeks to gain access to critical infrastructure, primarily in the United States, and to establish persistence for potential use in disruptive or destructive attacks in the event of a larger geopolitical conflict.

VOLT TYPHOON has been the subject of excellent analysis from Microsoft (here) and the focus of several alerts from the US, New Zealand, UK, Canadian, and Australian governments, including a recent joint guidance publication in which these allied governments recommend mitigations against the group’s tactics, techniques, and procedures (TTPs). These TTPs are notoriously stealthy, largely because of their reliance on living-off-the-land (LOTL) techniques rather than bespoke malware, a trend becoming more commonplace among nation-state threat actors. LOTL tactics, in which a threat actor uses the existing, legitimate processes and tools already present in a network environment, allow VOLT TYPHOON to blend in with normal activity and, combined with the group’s excellent operational security, make them difficult to detect. As the government report notes, this problem can be worse in smaller companies that provide key services to critical infrastructure sectors but lack the resources to refine their detection capabilities.

The recent joint guidance provides a comprehensive list of recommendations for detecting potential VOLT TYPHOON activity and protecting against their attacks. Among these recommendations are several involving password policies and credential management.
Given the critical nature of the alerts and guidance released by these governments, we wanted to highlight the call-outs that intersect with credential management. These include:
  • Don’t store credentials on edge appliances or devices.
  • Don’t store plaintext credentials on any system.
    • This recommendation in particular notes that credentials should be stored securely, such as in a password manager or other privileged account management solution. 
  • Implement system-wide credential policies that include minimum 15-character password requirements and banning password reuse. 
  • Disable the storage of clear text passwords in LSASS memory.
  • Configure the Group Policy setting that prevents web browsers from saving passwords.
  • Implement phishing-resistant Multi-Factor Authentication.
  • Change default passwords associated with operational technology (OT) whenever possible. 
    • When this isn’t possible, institute compensating controls. 
  • Require that passwords for all OT password-protected assets be at least 15 characters, when technically feasible.
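As an added illustration (not code from this post or from the CISA guidance), the following read-only PowerShell audit checks a Windows host against three of the recommendations above: WDigest clear-text caching in LSASS, the Chrome/Edge browser password-saving policy, and the local minimum password length and password-history settings. It assumes an elevated session on an English-language Windows build, uses the documented WDigest and browser policy registry locations, and reads the local policy only (domain policy would come from Active Directory instead).

```powershell
# Added audit example: reports Pass/Fail per control, changes nothing.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent: reported as "not configured"
}

function Get-NetAccountsNumber {
    # Extract the trailing integer from a "net accounts" line such as
    # "Minimum password length:   0"; a value of "None" (history) maps to 0.
    param([string[]]$Lines, [string]$Label)
    $hit = $Lines | Select-String -SimpleMatch $Label | Select-Object -First 1
    if ($hit -and $hit.Line -match '(\d+)\s*$') { [int]$Matches[1] } else { 0 }
}

function New-Finding {
    param([string]$Control, $Observed, [bool]$Pass)
    $shown = if ($null -eq $Observed) { '(not configured)' } else { $Observed }
    [pscustomobject]@{ Control = $Control; Observed = $shown; Pass = $Pass }
}

$findings = @()

# 1. "Disable the storage of clear text passwords in LSASS memory":
#    the guidance calls for an explicit 0; an absent value fails the check.
$wdigest = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
$findings += New-Finding 'WDigest UseLogonCredential = 0' $wdigest ($wdigest -eq 0)

# 2. "Prevent web browsers from saving passwords": policy value 0 per browser.
$browsers = [ordered]@{
    Chrome = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    Edge   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
}
foreach ($name in $browsers.Keys) {
    $pm = Get-RegValue $browsers[$name] 'PasswordManagerEnabled'
    $findings += New-Finding "$name PasswordManagerEnabled = 0" $pm ($pm -eq 0)
}

# 3. "Minimum 15-character password requirements and banning password reuse":
#    local account policy as reported by "net accounts".
$policy  = net accounts
$minLen  = Get-NetAccountsNumber $policy 'Minimum password length'
$history = Get-NetAccountsNumber $policy 'Length of password history maintained'
$findings += New-Finding 'Minimum password length >= 15' $minLen ($minLen -ge 15)
$findings += New-Finding 'Password history enforced (> 0)' $history ($history -gt 0)

$findings | Format-Table -AutoSize
```

Any row showing Pass = False is a gap against the corresponding recommendation; the script does not remediate, so fixes are applied through Group Policy or your configuration management tooling.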
More information on all of these recommendations, as well as other steps you can take to protect your organization, can be found in CISA’s 7 February 2024 cybersecurity advisory here and its accompanying joint guidance here. While these recommendations are targeted specifically at those organizations intersecting with critical infrastructure, the broad nature of the targeting and the thorough coverage of these recommendations make them best practices for any company.