The rising tide of state-sponsored cyber warfare and what you can do about it
Volt. Flax. Salt. Several typhoons have emerged in the last year, and none of them are weather events. But, like their meteorological namesakes, they cause catastrophic damage. These typhoons are high-profile state-sponsored cyberattack campaigns. Recent incidents include the exploitation of a zero-day vulnerability in Versa Director – SD-WAN management software used by many Internet Service Providers (ISPs) – and a reported intrusion at Singapore Telecommunications, both part of an ongoing series of attacks against ISPs worldwide. These attacks are pushing the boundaries of traditional cybersecurity challenges.
Volt, Flax and the latest Salt Typhoon signal a critical shift in cyber warfare tactics. They are not focused on digital chaos or industrial espionage but on destabilizing critical infrastructure, disrupting economies, and undermining the societal stability of their perceived nation-state adversaries. The rise in state-sponsored cyber aggression means organizations must fortify their defenses, particularly within critical infrastructure sectors, to withstand and recover from such potential attacks.
What are the implications of these security breaches and how can you fortify your business to strengthen its defenses?
Understanding the New Cyber Warfare Tactics
Unlike cybercriminal groups focused on stealing data or demanding ransoms, these state-backed actors are intent on destabilizing entire nations. Their primary targets are critical infrastructure systems that underpin essential services like energy, transportation, water, and healthcare. By infiltrating these systems, attackers aim to weaken national resilience and disrupt daily life on a massive scale.
What makes these campaigns particularly insidious is their stealth. These threat actors use sophisticated tooling, sometimes custom-built and sometimes nothing more than the administrative utilities already present on the target (the "living off the land" approach for which Volt Typhoon is known), to penetrate networks and remain undetected for long periods. Because such activity produces few of the signatures that signature-based defenses look for, it blends in with legitimate administration. Their goal is to establish persistent access, lying dormant until a strategic moment when disruption could inflict the most damage. As a result, defending against state-sponsored cyber warfare requires an approach that goes beyond traditional cybersecurity methods.
Essential Defensive Strategies Against State-Sponsored Attacks
To protect against advanced persistent threats (APTs) like Volt and Flax Typhoon, organizations must adopt cyber defense strategies prioritizing operational resilience and minimizing the attack surface available to these APTs. Below are several critical focus areas to help your organization enhance its resilience against these evolving threats.
1. Implement Robust Network Segmentation. One of the primary defensive strategies for mitigating cyber threats is network segmentation at the macro level. By dividing an organization's network into isolated segments (subnets or VLANs separated by firewall or ACL policy), you constrain an attacker's lateral movement and reduce the damage if an initial breach is successful. This approach is particularly effective in critical infrastructure, where a single point of vulnerability can have widespread repercussions.
Network segmentation is not only best practice but is increasingly a regulatory requirement. Regulations like the Digital Operational Resilience Act (DORA) in Europe and the Network and Information Systems Directive (NIS 2), together with their accompanying technical standards, treat segmentation as a required risk mitigation measure. Compliance with these standards ensures that your organization follows industry best practices while minimizing potential exposure to threats.
To implement effective network segmentation, first identify the systems critical to your operations and place them in segments separate from the rest of the network. Second, limit access to each segment on a deny-by-default basis, so that only the personnel, hosts and protocols with a documented need can reach critical segments and assets. Finally, continuously assess your segments by comparing the traffic actually observed, and the firewall rules actually deployed, against your segmentation policy: any cross-segment flow the policy does not permit is either a misconfiguration or an attempt at lateral movement, and both need investigating.
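The three steps above can be exercised as a single check. The following is an added example, not code from the article or from any vendor: it maps addresses to segments, holds an explicit allow-list of permitted cross-segment flows, and audits a batch of flow records against it. The zone map, the allow-list and the flow records are all constructed for illustration; a real deployment would load them from the firewall policy and from NetFlow, IPFIX or VPC flow logs.

```python
from ipaddress import ip_address, ip_network

# Constructed zone map: one segment per group of critical systems (hypothetical addresses).
ZONES = {
    "corp_users": ip_network("10.10.0.0/16"),
    "jump_hosts": ip_network("10.20.0.0/24"),
    "ot_control": ip_network("10.30.0.0/24"),
    "dmz_web": ip_network("192.0.2.0/24"),
}

# Constructed allow-list: (source zone, destination zone, destination port).
# Cross-segment traffic not listed here is a policy violation (deny by default).
ALLOWED = {
    ("corp_users", "jump_hosts", 22),
    ("jump_hosts", "ot_control", 22),
    ("jump_hosts", "ot_control", 502),
    ("corp_users", "dmz_web", 443),
}


def zone_of(ip):
    """Return the segment name an address belongs to, or None if it is unmapped."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def classify_flow(src, dst, dport):
    """Return (verdict, reason) for one flow. Verdicts: allowed, violation, unmapped."""
    s, d = zone_of(src), zone_of(dst)
    if s is None or d is None:
        return ("unmapped", f"{src} -> {dst}: address outside every defined segment")
    if s == d:
        return ("allowed", f"intra-segment traffic within {s}")
    if (s, d, dport) in ALLOWED:
        return ("allowed", f"{s} -> {d}:{dport} permitted by policy")
    return ("violation", f"{s} -> {d}:{dport} not permitted; possible lateral movement")


def audit_flows(flow_lines):
    """Parse 'src,dst,dport,bytes' records and return everything that is not allowed."""
    findings = []
    for line in flow_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, _ = line.split(",")
        verdict, reason = classify_flow(src, dst, int(dport))
        if verdict != "allowed":
            findings.append((verdict, src, dst, int(dport), reason))
    return findings


# Constructed sample records; the fourth and sixth are the interesting ones.
SAMPLE_FLOWS = """\
# src,dst,dport,bytes
10.10.4.17,10.20.0.5,22,48210
10.20.0.5,10.30.0.12,502,9120
10.10.4.17,192.0.2.10,443,120330
10.10.4.17,10.30.0.12,445,77100
10.10.4.17,10.10.9.2,3389,20011
10.30.0.12,198.51.100.7,443,5330
""".splitlines()

if __name__ == "__main__":
    for verdict, src, dst, dport, reason in audit_flows(SAMPLE_FLOWS):
        print(f"[{verdict.upper()}] {src} -> {dst}:{dport}  {reason}")
```

Two findings come out of the sample: a user workstation reaching an OT controller over SMB directly, bypassing the jump hosts, and an OT controller opening an outbound HTTPS connection to an address that belongs to no segment at all. The second case is deliberately reported as "unmapped" rather than silently allowed, because an OT device talking to an unknown external address is exactly the kind of traffic segmentation is meant to surface.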
2. Prioritize Proactive Cybersecurity Monitoring. Traditional cybersecurity approaches often focus on reactive measures, such as responding to detected threats. However, with the rise of stealthy, state-sponsored attacks, organizations must adopt proactive monitoring strategies to identify risks and detect potential threats before they can cause damage. Proactive monitoring involves continuous assessment of network configurations to detect changes, whether planned or unauthorized, and then analysis of those configurations for exploitable misconfigurations, vulnerabilities, or segmentation violations that expose your network or may indicate a hidden threat.
Automated monitoring tools that detect unauthorized changes in near real time are essential. They surface suspicious activity early, allowing incident response teams to act before an attacker establishes a stronghold. Monitoring privileged user activity is equally important, as these accounts are prime targets for attackers seeking high-level access to systems.
To bolster your proactive monitoring capabilities, use tools that offer continuous monitoring and alert you to unauthorized changes. Track user behavior to detect abnormal activity, especially among privileged accounts, and ensure you have a response plan that enables quick action when an anomaly is detected.
3. Accurate Configuration Management. In its recent guidance on defending against Salt Typhoon, the US Cybersecurity and Infrastructure Security Agency (CISA) stressed the importance of closely scrutinizing and investigating any modification to the configuration of network devices. That advice is best practice for hardening against every APT, not just this one.
Key to this is maintaining a central configuration management database (CMDB) that holds the approved configuration for every device and is continuously reconciled against the live running configuration, so that any drift between the two is visible. This enables network defenders to track configuration changes and attribute each one to an authorized change or to an incident, and it supports disaster recovery, where teams need to revert a device quickly to a known-good configuration after a loss or an outage.
An additional benefit of an accurate CMDB is that it enables teams to build a digital twin of their network configurations. On that twin they can test proposed configuration changes offline, identifying unintended operational and security issues before pushing the changes to live devices. The same model can be used for threat emulation: replaying an adversary's likely path through the network against the actual configuration rather than a guess at it.
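Sections 2 and 3 both come down to the same mechanism: diff the running configuration against the approved copy in the CMDB and triage what changed. The following is an added example, not code from the article, CISA, or any vendor. Both configurations are constructed, IOS-style fragments for a hypothetical edge router (the secret hashes are replaced with a placeholder), and the list of security-relevant patterns is an illustrative starting point, not a complete ruleset.

```python
import difflib
import re

# Constructed baseline as stored in the CMDB (approved state of a hypothetical router).
APPROVED_CONFIG = """\
hostname edge-rtr-01
no ip http server
logging host 10.20.0.50
username netops privilege 15 secret 9 REDACTED
ip access-list extended MGMT-IN
 permit tcp 10.20.0.0 0.0.0.255 any eq 22
 deny ip any any
line vty 0 4
 access-class MGMT-IN in
 transport input ssh
"""

# Constructed running configuration pulled from the device after an unexplained change.
RUNNING_CONFIG = """\
hostname edge-rtr-01
ip http server
username netops privilege 15 secret 9 REDACTED
username svc-backup privilege 15 secret 9 REDACTED
ip access-list extended MGMT-IN
 permit tcp 10.20.0.0 0.0.0.255 any eq 22
 permit tcp any any eq 22
 deny ip any any
line vty 0 4
 access-class MGMT-IN in
 transport input ssh telnet
"""

# Illustrative patterns that turn a raw diff line into a finding worth paging someone for.
SECURITY_PATTERNS = [
    (r"^\s*username\s+\S+.*privilege 15", "privileged local account added or changed"),
    (r"^\s*(no )?ip http server", "management web interface toggled"),
    (r"^\s*permit\s+\S+\s+any\b", "ACL permit with 'any' source"),
    (r"^\s*transport input .*telnet", "cleartext telnet enabled on VTY lines"),
    (r"^\s*logging host", "remote logging destination added or removed"),
    (r"^\s*snmp-server community", "SNMP community string changed"),
]


def config_drift(approved, running):
    """Return [(op, line)] where op is '+' for lines only in running, '-' for lines only in approved."""
    diff = difflib.unified_diff(approved.splitlines(), running.splitlines(), lineterm="", n=0)
    changes = []
    for line in diff:
        if line.startswith(("+++", "---", "@@")):
            continue  # skip file headers and hunk markers
        if line and line[0] in "+-":
            changes.append((line[0], line[1:]))
    return changes


def triage(changes):
    """Label each drifted line: 'high' if it matches a security pattern, else 'review'."""
    findings = []
    for op, text in changes:
        for pattern, why in SECURITY_PATTERNS:
            if re.search(pattern, text):
                findings.append(("high", op, text.strip(), why))
                break
        else:
            findings.append(("review", op, text.strip(), "unexplained change; match against change tickets"))
    return findings


if __name__ == "__main__":
    for severity, op, text, why in triage(config_drift(APPROVED_CONFIG, RUNNING_CONFIG)):
        print(f"{severity:6} {op} {text:45} {why}")
```

On the sample, every change except the removal of the old `transport input ssh` line is rated high: the HTTP management interface was switched on, remote logging was removed (so the device would stop telling the SIEM what happens next), a second privilege-15 account appeared, the management ACL gained a permit-from-anywhere rule, and telnet was enabled on the VTY lines. None of those should ever reach a live device without a ticket that explains them, and in a CISA-style investigation each unexplained one is treated as a potential indicator of compromise until proven otherwise.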
4. Leverage Advanced Threat Detection for Dormant Threats. One of the most challenging aspects of defending against state-sponsored threats is detecting dormant malware that remains inactive for long periods. Advanced threat actors embed malicious code deep within systems and let it lie in wait for an opportune moment to activate. As these tactics become more prevalent, organizations must adopt detection tools that can uncover threats without relying on overt signs of malicious activity. Tools that analyze network behavior for subtle anomalies are essential here: a dormant implant generates almost no traffic, but it still has to check in with its operators if it is ever to be tasked, and that low-volume, regular communication is detectable even when every individual connection looks benign. Integrating threat intelligence feeds with your detection systems adds context on the infrastructure and tactics currently used by state-sponsored actors.
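One concrete behavioral check for the dormant case described above is beacon detection: grouping outbound connections by source, destination and port and measuring how regular the gaps between them are. The following is an added example, not code from the article or from any detection product. The flow records are constructed: one internal host checks in with the same external address roughly once an hour with small jitter, another host browses an external site at irregular times, and the thresholds are illustrative assumptions that a real deployment would tune against its own baseline.

```python
import statistics
from collections import defaultdict


def beacon_candidates(records, min_events=6, max_cv=0.15):
    """Find (src, dst, dport) tuples whose connection intervals are suspiciously regular.

    records: iterable of (unix_ts, src, dst, dport).
    A tuple is a candidate when it has at least min_events connections and the
    coefficient of variation (std dev / mean) of the gaps between them is <= max_cv.
    """
    by_tuple = defaultdict(list)
    for ts, src, dst, dport in records:
        by_tuple[(src, dst, dport)].append(ts)

    results = []
    for (src, dst, dport), stamps in by_tuple.items():
        if len(stamps) < min_events:
            continue  # too few samples to say anything about periodicity
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        mean_gap = statistics.fmean(gaps)
        if mean_gap <= 0:
            continue  # duplicate timestamps only; not a beacon
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            results.append({
                "src": src, "dst": dst, "dport": dport,
                "events": len(stamps), "interval_s": round(mean_gap), "cv": round(cv, 4),
            })
    return sorted(results, key=lambda r: r["cv"])


# Constructed flow records (timestamps are seconds since a hypothetical epoch base).
BASE = 1_700_000_000
SAMPLE_RECORDS = (
    # Hourly check-in from an engineering workstation, jitter of +/- 20 s.
    [(BASE + t, "10.10.4.17", "203.0.113.9", 443)
     for t in (0, 3605, 7190, 10810, 14400, 17995, 21615, 25200)]
    # Ordinary browsing from another host: bursts, long idle periods.
    + [(BASE + t, "10.10.6.2", "198.51.100.20", 443)
       for t in (0, 120, 900, 1000, 4000, 4100, 9000)]
    # Two isolated connections; below the minimum sample size.
    + [(BASE + 50, "10.10.6.2", "203.0.113.9", 443), (BASE + 7000, "10.10.6.2", "203.0.113.9", 443)]
)

if __name__ == "__main__":
    for hit in beacon_candidates(SAMPLE_RECORDS):
        print(f"{hit['src']} -> {hit['dst']}:{hit['dport']} every ~{hit['interval_s']}s "
              f"over {hit['events']} events (cv={hit['cv']})")
```

The hourly check-in comes out with a coefficient of variation under 0.01, while the browsing host scores above 1 and is ignored. Real implants add jitter precisely to defeat this check, which is why the threshold is a tunable and why the result is a candidate for an analyst, not a verdict; combining it with the destination's reputation from a threat intelligence feed is what turns a regular connection into a credible alert.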
5. Ensure Compliance with Security Regulations. Finally, as regulatory bodies emphasize the need for robust cybersecurity practices, compliance with regulations like DORA and NIS 2 is no longer optional. These regulations mandate specific security measures, including network segmentation, continuous monitoring, and configuration management, particularly for critical infrastructure providers. Failure to comply can result in hefty fines and damage to your organization's reputation. Beyond regulatory penalties, adhering to these standards demonstrates a commitment to security best practices and strengthens stakeholder trust. But compliance is only worth something if you stay compliant: a control that passed an audit last year and has since drifted protects nobody. Routine audits that verify the controls are still in place and still effective are therefore essential.
These typhoons have set a new precedent in the threat landscape. As state-sponsored actors continue to target critical infrastructure, organizations must adapt by adopting proactive, resilient, and compliance-led approaches to cybersecurity. Network segmentation, proactive monitoring, configuration management, advanced threat detection, and regulatory compliance offer a blueprint for defending against these highly sophisticated threats. By taking these steps, organizations can build operational resilience and reduce their exposure to state-sponsored attacks, ensuring critical functions continue – even during disruption. In an era where national infrastructure, and therefore civil stability, is at stake, building robust cybersecurity defenses is no longer just an option – it is an imperative.