New cybersecurity guidance targets espionage threats

The CISA, NSA, and FBI along with international partners, released guidance in response to recent cyber espionage by PRC-affiliated threat actors. 

What happened

In December 2024, the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI), alongside international partners issued guidance addressing a cyber espionage campaign. The campaign, linked to threat actors affiliated with the People’s Republic of China (PRC), targeted global telecommunications networks and other necessary infrastructure organizations. 

These hackers, identified as “Volt Typhoon”, exploited existing vulnerabilities to compromise devices, using techniques that have been seen before. To mitigate the incident, organizations used path management and secured their network environment. The American Hospital Association discussed the guidance in a news headline providing commentary on the need for hospitals to maintain a high cybersecurity standard. 

In the know: Volt Typhoon 

Volt Typhoon, a cyber threat group affiliated with the PRC, has been identified as targeting U.S. infrastructure with the intent of prepositioning itself for potential disruption during heightened geopolitical tensions. 

Discovered in early 2024, Volt operations involve exploiting existing vulnerabilities in network devices to infiltrate systems while avoiding detection. Experts have warned that Volt’s activity demonstrated a strategic effort to compromise essential services. 

Going deeper 

The summary of the guidance includes: 

• Regularly update and patch network devices and services to reduce exploitation risks. 
• Monitor network traffic, user activity, and data flow to detect and respond to anomalies. 
• Enforce configuration management, disable unused features, and monitor changes. 
• Use secure, centralized logging systems and analyze logs for suspicious activity. 
• Encrypt logging and management traffic using protocols like IPsec or TLS. 
• Define and monitor expected network behavior to identify abnormalities. 
• Use out-of-band management networks physically separate from operational networks. 
• Maintain continuity plans to sustain operations during extended communication outages. 

What was said 

According to the AHA deputy national advisor for cybersecurity and risk, Scott Gee, “The AHA has previously flagged alerts from the government on the threat posed by Chinese threat actors, specifically ‘Volt Typhoon…The field is reminded that these best practices are the basis for the voluntary Cybersecurity Performance Goals. For hospitals, the biggest takeaway from this guidance is the understanding of potential threats to the telecommunications sector and the need to have plans in place to maintain business and clinical continuity, for at least 30 days, if faced with an extended loss of communication and internet technology.”

Related: HIPAA Compliant Email: The Definitive Guide

FAQs

What is patch management? 

The process of identifying and applying updates to software is known as patching software. Regular patches help prevent cyberattacks by addressing known weaknesses before threat actors can exploit them.

How does cyber security risk management benefit operational continuity? 

Cybersecurity risk management identifies, assesses, and mitigates potential threats to an organization's systems, reducing cybersecurity threats that could disrupt access to data and therefore prevent efficient service delivery. 

What are cybersecurity benchmarks for healthcare organizations?

The benchmark areas for healthcare organizations include:

• Risk assessments
• Access controls 
• Encryption (for transmission and storage) 
• Incident response plans
• Employee training