WASHINGTON – U.S. and Canadian cybersecurity agencies warned on February 7, 2025, that a China-linked hacking group had breached numerous systems and stolen login credentials, proprietary information, and other sensitive data from organizations in both countries. The intrusions, attributed to a threat actor tracked as Volt Typhoon, represent a significant escalation in state-sponsored cyber espionage against critical infrastructure sectors.
The joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA) and the Communications Security Establishment (CSE) details how Volt Typhoon has been compromising U.S. and Canadian entities since at least May 2023. The group focuses on gaining long-term, persistent access to networks so that it could disrupt critical services – including communications, energy, and water systems – should geopolitical tensions escalate. The breach underscores the growing threat posed by Chinese government-affiliated hackers and the urgent need for organizations to bolster their defenses against increasingly sophisticated attacks.
According to the agencies, Volt Typhoon employs a range of tactics, techniques, and procedures (TTPs) to evade detection, including living-off-the-land techniques, in which the attackers use administrative tools and processes already present in a compromised network to maintain access and blend in with legitimate activity. The hackers exploit known vulnerabilities in public-facing applications and commonly used network devices, and often gain initial access through spear-phishing campaigns and credential stuffing.
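Living off the land is hard to catch with file-based antivirus because nothing malicious is dropped; the signal is in how built-in tools are invoked. The script below is an added example written for this article, not code from the advisory or from either agency. It scans process-creation records for a few command-line patterns that defenders commonly associate with living-off-the-land activity (port forwarding with netsh, Active Directory database dumps with ntdsutil, remote execution with wmic, encoded PowerShell). The log format (JSON lines with host, user, image and cmdline fields) and the sample events are constructed for the example; the rule set is illustrative and is not a list of indicators taken from the advisory.

```python
"""Flag living-off-the-land (LOTL) command lines in process-creation logs.

Added example for this article; not from the CISA/CSE advisory. The log
records below are CONSTRUCTED JSON lines loosely modelled on Windows
process-creation events (assumed fields: host, user, image, cmdline).
The rules are generic LOTL patterns defenders commonly hunt for; they are
illustrative, not indicators published by the agencies.
"""
import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    image: str            # lower-case basename of the executable
    pattern: re.Pattern   # matched against the full command line


# Illustrative rules (assumption: these are the built-ins worth watching here).
RULES = [
    # netsh portproxy turns a compromised host into a relay/pivot.
    Rule("netsh_portproxy", "netsh.exe",
         re.compile(r"\binterface\s+portproxy\b.*\badd\b", re.I)),
    # ntdsutil 'ifm' / 'create full' snapshots NTDS.dit (domain credentials).
    Rule("ntds_dump", "ntdsutil.exe",
         re.compile(r"\bac\s+i\s+ntds\b|\bifm\b|\bcreate\s+full\b", re.I)),
    # wmic /node:<host> process call create = lateral movement.
    Rule("wmic_remote_exec", "wmic.exe",
         re.compile(r"/node:\S+.*\bprocess\s+call\s+create\b", re.I)),
    # -e / -enc / -EncodedCommand hides the script body from casual review.
    Rule("powershell_encoded", "powershell.exe",
         re.compile(r"\s-(e|enc|encodedcommand)\s", re.I)),
]

# Constructed sample log: four suspicious lines, two benign ones.
SAMPLE_LOG = r"""
{"host":"ws01","user":"CORP\\jdoe","image":"C:\\Windows\\System32\\netsh.exe","cmdline":"netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5 connectport=443"}
{"host":"dc01","user":"CORP\\svc_backup","image":"C:\\Windows\\System32\\ntdsutil.exe","cmdline":"ntdsutil.exe \"ac i ntds\" \"ifm\" \"create full c:\\temp\\ntds\" q q"}
{"host":"ws02","user":"CORP\\asmith","image":"C:\\Windows\\System32\\ipconfig.exe","cmdline":"ipconfig /all"}
{"host":"ws01","user":"CORP\\jdoe","image":"C:\\Windows\\System32\\wbem\\wmic.exe","cmdline":"wmic /node:10.0.0.7 process call create \"cmd.exe /c whoami\""}
{"host":"ws03","user":"CORP\\helpdesk","image":"C:\\Windows\\System32\\netsh.exe","cmdline":"netsh advfirewall show allprofiles"}
{"host":"ws01","user":"CORP\\jdoe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -nop -w hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"}
"""


def parse_events(text: str) -> list[dict]:
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path: str) -> str:
    """Lower-case file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_rules(event: dict) -> list[str]:
    """Return the names of all rules that fire on one event."""
    image = basename(event.get("image", ""))
    cmdline = event.get("cmdline", "")
    return [r.name for r in RULES if r.image == image and r.pattern.search(cmdline)]


def scan(text: str) -> list[dict]:
    """Run every rule over every event; return one finding per rule hit."""
    findings = []
    for ev in parse_events(text):
        for rule in match_rules(ev):
            findings.append({"host": ev.get("host"), "user": ev.get("user"),
                             "rule": rule, "cmdline": ev.get("cmdline")})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['host']:5} {f['user']:18} {f['rule']:20} {f['cmdline']}")
```

Because every binary above is also used legitimately by administrators, this kind of rule set is a hunting aid rather than a blocking control: the two benign lines (ipconfig and a netsh firewall query) fall through, and in production the hits would be compared against a baseline of which accounts and hosts normally run these tools.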
The advisory specifically warns that the stolen credentials could be leveraged for further malicious activity, such as unauthorized access to sensitive systems, data exfiltration, and the deployment of ransomware. CISA and CSE recommend that organizations immediately implement multi-factor authentication, patch software vulnerabilities promptly, and strengthen network monitoring to reduce the risk of compromise. They also urge organizations to review their security posture and report any suspicious activity to their respective national cybersecurity centers.