Advanced Persistent Threats and Network Resilience
Advanced Persistent Threats (APTs), like Volt Typhoon and Salt Typhoon, are some of the most sophisticated threats around today. These adversaries want to disrupt operations, exfiltrate sensitive data, and harm important services – posing a significant risk to businesses and critical national infrastructure (CNI).
In late 2024, it became clear that the intensity of state-sponsored attacks on CNI networks had reached unprecedented levels, with potentially extreme consequences. These actors are increasingly targeting essential services, combining sophisticated tactics, techniques, and procedures (TTPs) to exploit vulnerable network infrastructure and spread their attacks.
For many organizations, especially those in finance, healthcare, critical infrastructure, and government sectors, it's a case of when, not if, they will be attacked. For these organizations, developing operational resilience for their networks is no longer optional.
What are APTs?
Advanced Persistent Threats (APTs) are prolonged, stealthy cyberattacks designed to infiltrate networks, remain undetected, and extract sensitive data or disrupt operations. Examples of APTs that have been in the news recently include Volt Typhoon and Salt Typhoon, which have been discovered attacking US CNI. Unlike traditional malware or ransomware campaigns, these APTs are highly targeted, well-funded, and continuously evolving.
What is Volt Typhoon?
Volt Typhoon is a cyber threat actor believed to be sponsored by the Chinese state. Unlike traditional cyber espionage groups, Volt Typhoon focuses on gaining a foothold within critical infrastructure networks, including those of the communications, energy, transportation, and water sectors. These stealthy attacks have allowed Volt Typhoon to maintain a long-term presence on a victim’s network without detection. Their attacks on US CNI have been called the cyberspace equivalent of “placing bombs on bridges, water treatment facilities and power plants” by Congressman Mike Gallagher, Chair of the House Select Committee on the Chinese Communist Party.
What is Salt Typhoon?
Salt Typhoon is a state-sponsored threat actor focused on persistent access to, and long-term data exfiltration from, the networks of privately run telecommunications organizations. The attackers target the phone records and data of several prominent individuals, including high-profile politicians. According to Anne Neuberger, White House deputy national security adviser for cyber and emerging technologies, nine US telecoms companies have been targeted and breached by the Salt Typhoon group so far.
The widespread compromise of US CNI, as well as the persistent challenges in purging the Volt and Salt Typhoon hackers from affected networks, underscores the challenge that US policymakers and private industry face in securing critical national infrastructure from state-sponsored APTs.
What are Living off the Land (LOTL) Tactics?
One of Volt Typhoon's primary methods for maintaining a stealthy, long-term presence in victim networks is the use of Living off the Land (LOTL) tactics.
LOTL relies on built-in network administration tools, which let the attacker evade detection by blending in with normal system and network activity, avoiding endpoint detection and response (EDR) products, and limiting the amount of activity captured by default logging configurations. The challenge for the network defender, then, is that many of the behavioral indicators of LOTL are also legitimate system administration commands that appear in normal network activity.
Why are LOTL Tactics Effective?
- Evasion: LOTL techniques allow attackers to avoid detection by Endpoint Detection and Response (EDR) products.
- Stealth: Attackers hide in normal system and network activity, limiting the amount of activity captured in standard logging configurations.
- Persistence: Adversaries can persist on a victim's network for a long time without being discovered – one CNI organization was suspected to have been compromised for over five years before discovery.
- Exploitation: Once an attacker has gained access to a network, the APT can move laterally within it.
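Because the tools LOTL abuses are the same ones administrators use, a tool name alone is not a useful indicator; the added example below (not code from the original page or from any vendor) shows a defender-side check that instead compares who ran a built-in tool, and where, against a baseline of expected use, and also flags events where default logging dropped the command line. All hosts, accounts, tools in the baseline and events are constructed sample data.

```python
# Added example (not from the original page): a baseline-deviation check for
# Living off the Land activity. The same built-in tool is legitimate for an
# administrator on a jump host and suspicious elsewhere, so the check keys on
# WHO ran it WHERE, not on the tool name alone. All data below is constructed.

ADMIN_TOOLS = {"netsh.exe", "wmic.exe", "ntdsutil.exe", "powershell.exe"}

# Constructed baseline: (host, account) pairs expected to run each tool.
# In practice this is learned from weeks of clean process-creation logs.
BASELINE = {
    "netsh.exe": {("dc01", "CORP\\adm_jane"), ("jump01", "CORP\\adm_jane")},
    "wmic.exe": {("jump01", "CORP\\adm_jane")},
    "ntdsutil.exe": {("dc01", "CORP\\adm_jane")},
}

# Constructed process-creation events, as a SIEM might export them.
SAMPLE_EVENTS = [
    {"host": "dc01", "user": "CORP\\adm_jane", "image": "netsh.exe",
     "cmdline": "netsh interface show interface"},
    {"host": "ws-fin-07", "user": "CORP\\finance_user", "image": "netsh.exe",
     "cmdline": "netsh interface show interface"},   # same command, wrong context
    {"host": "dc01", "user": "CORP\\svc_web", "image": "ntdsutil.exe"},  # no cmdline logged
    {"host": "ws-hr-02", "user": "CORP\\hr_user", "image": "winword.exe",
     "cmdline": "winword.exe report.docx"},
    {"host": "jump01", "user": "CORP\\adm_jane", "image": "wmic.exe",
     "cmdline": "wmic process list brief"},
]


def flag_lotl_candidates(events, baseline, admin_tools=ADMIN_TOOLS):
    """Return events worth an analyst's attention, each tagged with its reasons."""
    findings = []
    for event in events:
        tool = event["image"].lower()
        if tool not in admin_tools:
            continue  # not a built-in admin tool; outside the scope of this check
        reasons = []
        if (event["host"], event["user"]) not in baseline.get(tool, set()):
            reasons.append("built-in tool run outside its (host, account) baseline")
        if not event.get("cmdline"):
            # Default logging often omits command lines; an uncaptured one is a
            # visibility gap worth raising in its own right, not just a null field.
            reasons.append("command line not captured by logging")
        if reasons:
            findings.append({**event, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_lotl_candidates(SAMPLE_EVENTS, BASELINE):
        print(f["host"], f["user"], f["image"], "->", "; ".join(f["reasons"]))
```

Running it flags only the finance workstation's netsh use and the unlogged ntdsutil run on the domain controller; the administrator's identical commands from baselined hosts pass, which is the distinction signature matching on tool names cannot make.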
The Importance of Operational Resilience
Operational resilience refers to an organization’s ability to anticipate, withstand, respond to, and recover from cyber threats without disrupting core business functions. A resilience-first approach ensures that even if an APT breaches defenses, the organization can continue operations while mitigating damage.
Key Strategies for Building Operational Resilience
Operational cyber resilience requires businesses to manage the risks to their organizations from the latest cyber attacks. This requires organizations to understand what systems are critical to them in order to maintain availability and continuity. There are four main areas of focus to achieve this:
- Business Continuity
- Risk Management
- Cyber security
- Disaster Recovery
Defending against APTs like Volt Typhoon and Salt Typhoon requires more than just traditional security tools—it demands a proactive, resilience-driven approach. Organizations that prioritize threat intelligence, zero trust security, network segmentation, and rigorous incident response planning will be better equipped to withstand and recover from these advanced cyber threats.
By implementing these strategies, businesses can ensure they remain operationally resilient, minimizing downtime and protecting critical assets from long-term compromise.
Nipper Resilience
Find out how Nipper Resilience can help you gain real-time visibility and proactive analysis of every network change, to get ahead of threats – like Volt and Salt Typhoon – before they cause operational disruption.