It’s hurricane season, and everyone knows what to expect and do. Install storm shutters, have extra food and supplies, backup generators, have flood insurance, and keep paying attention to upcoming forecasts. All of these preparations help to minimize the impact and get you back up and running as quickly as possible. Without those preparations you could be barely surviving and have lost a lot of what you have, if not be completely destroyed by the storm you knew would come one day. Of course you’d be prepared if you live in “Hurricane Alley”.
Are you prepared for Typhoons? For operators of enterprise IoT systems and cyber-physical systems the cybersecurity storm threat has never been greater, and its coming in the form of Typhoons. Just like hurricanes being named for easier tracking (Hurricane Helene being the hurricane threatening Florida as I write), so are these cybersecurity typhoon groups. Volt Typhoon hit last year, Flax Typhoon hit a few weeks ago, and now Salt Typhoon is starting to hit the shores of many organizations. Don’t let cute names fool you: these are serious enterprise threat actor organizations, each is a distinct and separate malicious hacking group, and there are likely more of them coming.
Let’s start with advanced persistent threat (APT) group called “Volt Typhoon”, which was identified by Microsoft in May 2023. Volt Typhoon is a Chinese hacker group backed by the state, active for more than a year before being detected. They exploit vulnerabilities like weak passwords, factory default logins, and outdated devices – very common vulnerabilities in IoT systems and CPS (Cyber-Physical Systems). They leverage their access into vulnerable devices (think routers and security cameras) to establish a botnet army from which they can launch future attacks incognito. Volt Typhoon has targeted a wide range of critical infrastructure and systems – communications, water, energy, and transportation (to name a few). Other APT groups using similar techniques were recently discovered – specifically Flax Typhoon and Salt Typhoon. Given their success, more Typhoons should be expected.
Compromising and launching attacks from enterprise IoT, OT, and ICS systems is very effective at evading cyber defenses. Because the attacks appear to originate from IP addresses with good reputations, they are subjected to less scrutiny from network security defenses, making the bots an ideal delivery proxy. As reported in Ars Technica, Russia-state hackers have also been caught assembling large IoT botnets for the same purposes. No wonder that this technique is used across multiple APT groups, including Flax Typhoon and Salt Typhoon.
At its peak in June 2023, Raptor Train, as the botnet used by Flax Typhoon is named, consisted of more than 60,000 commandeered devices (over 50% of which are in North America), according to researchers from Black Lotus Labs. Just this month (September 2024) the FBI has warned that cyber actors linked to China have compromised over 260,000 internet-connected devices, mostly routers, to create a massive botnet used by the Salt Typhoon APT group. Analysis of the bots used shows that threat actors have adapted them to more than 50 types of operating systems (making them placeable on IoT devices) – compare that to many IT security solutions that only work on 2 (Windows and Linux).
If there is good news for enterprises, it’s that there are effective and automated ways to prevent your devices from being compromised and exploited. First is to ensure you have an IoT-aware discovery solution that can identify all devices, the applications managing them, and the networks they communicate on. With this information vulnerability remediation can take place, including timely applying patches and updates at scale, regularly rotating device passwords with strong ones, and using certificates to authenticate devices. Viakoo performs all these actions through automation, ensuing devices are quickly remediated. Other best practices also exist, such as disabling unused services and ports, implementing network segmentation, monitoring for high network traffic volume, rebooting devices periodically, and replacing end-of-life equipment. But most important is being able to apply the remediations mentioned as quickly as possible to prevent APT groups like the Typhoons from gaining a foothold in your network.
Enterprise threats are growing exponentially with the actions of multiple APT groups leveraging IoT infrastructure to gain a foothold inside of enterprises and launch attacks. This growth and the urgency related to it should help to push organizations to dig deeper on their IoT security and how to improve it. Viakoo has worked with organizations of all types to rapidly shrink their attack surface and do it cost effectively – and we can help you. Want to discuss with Viakoo experts your specific situation? Sign up here for a 30 minute Zoom call on IoT security and being ready for when the next Typhoon hits: Request a Viakoo Demo – Viakoo, Inc
