
It does not appear that supply chain managers are prioritising cybersecurity threats as they seek to de-risk their supply chains from uncertainty about US trade policy. While ransomware still commands the most attention among cyber-attacks affecting logistics operations, utilities and infrastructure, because of their continued prevalence and costliness to remedy, there are looming threats that might not command headlines, but show how the cyber game has changed. These issues are affecting the cost of international trade globally.

One such threat has been quietly infiltrating Western and allied critical infrastructure and the global supply chains attached to it, but has received little coverage in the absence of massive disruptions. That silence should not be mistaken for a lack of capability. This state-sponsored threat is extremely stealthy and is focused not on financial gain but on long-term access. Because of the leverage such access could provide in a future crisis, “Volt Typhoon” was characterized by former US National Security Advisor Mike Waltz in a recent interview as “cyber time bombs on our infrastructure, our water systems, our grids, even our ports”, and former FBI Director Wray had already sounded the alarm in 2024 on what might be “the defining threat of our generation”. Here we describe why operators of critical infrastructure, and also their trusted suppliers, service providers/vendors and customers, need to pay close attention and prepare for the moment when lurking threats such as Volt Typhoon pull the trigger.

The nature of the “Volt” threat

The attacker group has been codenamed “Volt Typhoon” (VT) according to Microsoft’s taxonomy for naming cyber threat actors and seems to have been active since at least 2021. A first public disclosure in May 2023 by US officials and the so-called “Five Eyes” allied partners (the Five Eyes is an intelligence partnership between the US, UK, Canada, Australia and New Zealand) revealed that the group has been found to target a variety of entities, mostly in utilities, transportation, critical infrastructure including ports, defense-related entities, and government networks. While victim organizations are primarily located in the US, many organizations are (in)directly affected in countries such as Australia, Canada, Singapore, New Zealand and the UK due to shared telecommunications infrastructure, shared vendors or cloud services as well as integrated defense and logistics systems.

Digital networks (IT) control the processes that run on industrial control and operational technology (OT) systems. In this case it is well documented that a multitude of such IT environments and devices have already been successfully infiltrated, so far without any real-world impact in the sense of major disruptions or outages. The expectation, however, is that a lateral move into the OT sections of the supply chain can and will be made in the event of heightened geopolitical tensions or a military conflict.

Impact Scenarios and the supply chain

This “pre-positioning” is suspected to deliver an advantage in an actual conflict, such as a take-over scenario involving Taiwan. This might look like launching disruptive attacks against US/allied infrastructure to cause chaos, coerce behavior or impede the ability to move material and capabilities during a crisis, given the military’s reliance on commercial ports. In fact, among the earliest detected victims were a Gulf Coast port and entities on Guam, which hosts vital US military bases. According to the US cybersecurity agency CISA, however, not just large entities but a whole swath of small and medium-sized companies within the respective supply chains appear to have been targeted as well. This reflects the global and distributed ecosystem that is being exploited.

What can operators do?

In the absence of tangible damage, many affected entities face an uncertain landscape in their risk mitigation. But waiting for disruption to justify action might mean you are already behind. With Volt Typhoon we are dealing with a very stealthy campaign aimed at long-term persistence within critical supply chains, and it should be viewed through the lens of preparation for a future conflict. At this stage it should be an urgent wake-up call to bolster resilience and incident response in the event of actual conflict. If the Maersk cyber incident of 2017 – while very different in nature – taught us anything, it is that companies and organizations can fall victim to state-sponsored attacks even when they were not the direct target. As a foundation, regular vulnerability assessments, enhanced monitoring and a solid incident response plan specifically tailored to both IT and OT environments should be in place, and collaboration with sector risk management agencies should be sought out.


Widely viewed as one of the foremost experts on ports, rail, and infrastructure in the US, Walter Kemmsies currently advises several major port authorities and is routinely asked to work on complex issues with various investment banks, private equity firms, and public regulatory agencies. Dr. Kemmsies was Chief Port Strategist for JLL and Chief Economist for Moffatt & Nichol; other previous roles include Head of European Strategy at JP Morgan in London and Head of Global Industry Strategy at UBS in Zurich.

Maschenka Kemmsies is an analyst who specializes in geopolitics, emerging technologies and cyber security. Previous roles include Senior Threat Communications Manager for security vendor Trend Micro and Deputy Head of Political Affairs at the Embassy of Austria to the United States.