OT - Volt Typhoon AA24-038A
Engine-driven compliance rail for OT/ICS living-off-the-land intrusion -> critical-infrastructure pre-positioning (Volt Typhoon) on the Energy & Utilities protect-surface layout. Step controls cycle through the engine's Trust-Failure chain; each step shows the in-scope provisions the failure implicates and, where a regulatory clock applies, the obligation diamond.
Initial access via vulnerable public-facing networking appliances. AA24-038A: "To obtain initial access [TA0001], Volt Typhoon actors commonly exploit vulnerabilities in networking appliances such as those from Fortinet, Ivanti Connect Secure (formerly Pulse Secure), NETGEAR, Citrix, and Cisco [T1190]." The advisory also documents repurposing end-of-life Cisco/NETGEAR SOHO routers as KV-Botnet C2 proxies. The externally reachable device is exploited without a gating PEP — an Enforcement Failure at the network edge.
- partial§226.4 Substantial cyber incident
- partial3.I - Implement Logical/Physical Network Segmentation
- partialCIP-003-9 R2 — Low-impact cyber security plan
- partialPR.AA-01 — Identity Management, Authentication, and Access Control
- partialPR.AA-02 — Identity Management, Authentication, and Access Control
- partialPR.AA-03 — Identity Management, Authentication, and Access Control
- 01Initial AccessfirewallsInitial access through a vulnerable public-facing edge device (the network appliances and small-office routers Volt Typhoon is documented exploiting and repurposing). Exploited without a gating PEP — an Enforcement Failure at the network edge.
- 02Credential Accesseng-workstationLSASS process dumped via the native comsvcs.dll; Mimikatz harvests credentials on a foothold engineering workstation. The actor then operates as valid accounts (T1078) — the PE accepts credentials that no longer identify the legitimate principal.
- 03Lateral MovementserversLiving-off-the-land tradecraft (legitimate Windows binaries: wmic, ntdsutil, netsh) blends with normal administration; the actor moves east-west across the IT estate with minimal new tooling — designed to evade OT-IDS signature visibility.
- 04Persistence (multi-year)industrial-fwLong-dwell persistence in the IT-OT DMZ. AA24-038A documents multi-year valid-account residency where the trust algorithm never re-decisions on session freshness — the adversary is the new "normal."
- 05OT Pre-positioningplc-controllersPre-positioning for disruptive impact on operational-technology controls. AA24-038A is explicit: the goal is the OPTION to disrupt critical infrastructure on demand, not an immediate action — which makes the eviction window the defender’s primary loss.