Urgent Threat Information- Coast Guard Cybersecurity

By Tessa Andres | May 25, 2023

Dear FSOs and others,

Immediate Concern from Advanced Persistent Threat (APT):

An APT group known as Volt Typhoon is known to be associated with the People’s Republic of China. There has been some recently discovered activity that indicates networks across all critical infrastructure could be potentially affected. This includes all industries associated with maritime transportation and energy/oil production.

I am attaching the Joint Cybersecurity Advisory as a .pdf file as well as an associated link from Microsoft. Both sources include unclassified details of how this Volt Typhoon operates in a “Living off the Land” model as well as specific INDICATORS OF COMPROMISE (IOCs). These IOCs include commands that the APT uses to move through networks; file paths that may have been accessed; file names that may have altered data or malware; and hash files. All of this information can be found in log data. Please read (or have your cyber folks read) the entire document for specifics.

I urge you to immediately share this information with your cybersecurity teams if you have them. I also ask that you all make any reports of findings to the NRC so that our various agencies can provide services as needed.

The Joint Cybersecurity Advisory titles “People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection” is labelled as TLP:CLEAR and may be shared or distributed without restriction.

Microsoft information: Volt Typhoon targets US critical infrastructure with living-off-the-land techniques | Microsoft Security Blog

Please reach out to me with any questions. I have notified the Command Center to be aware of the increased possibility of cyber reporting this weekend and I will make myself available to support you in case you do need to make a report of findings.

Holiday Ransomware Alerts:

We have three major federal holiday weekends coming up over the next six weeks. Holiday weekends are a very popular time for the “bad guys” to conduct their business. I want all of us to have an enjoyable time over Memorial Day, Juneteenth, and the 4th of July, and I want any of us to not have a headache afterwards.

Suggested actions: (Especially helpful to entities without continuous monitoring)

  1. Create an offline backup of data prior to the holidays.
  2. Continue to be aware of phishing tactics and do not click links or open files.
  3. Review network logs often for abnormal activity

We are holding our next AMSC Cyber Subcommittee meeting on June 5 at 10am CST. All of you and/or your cybersecurity representatives are welcome to attend. The meeting agenda includes a preview of the AMSC Cyber Incident Response Plan (still in draft form) and an opportunity to hear from a Cyber Protection Team member who can explain the missions offered by the Coast Guard. Here is a link to the meeting: JUNE 5 10:00am CST

Thank you for your support!

Tyson B. Sigette
USCG Sector Upper Mississippi
Marine Transportation System Specialist (CYBER)
314-269-2567

Posted in Navigation Notice: Great Lakes River Basin, Navigation Notice: Upper Mississippi River, Navigation Notices: Arkansas, White, Ouachita, and Red Rivers, Navigation Notices: Eastern U.S. Rivers, Navigation Notices: Gulf and Intracoastal Waterways, Navigation Notices: Illinois River, Navigation Notices: Lower Mississippi River, Navigation Notices: Missouri River, Navigation Notices: Multistate/International, Navigation Notices: Ohio River, Navigation Notices: Pacific Rivers, Navigation Notices: Southeast Rivers