attack-path / manufacturing / ot-lotl-critical-infra

OT - Volt Typhoon AA24-038A

Engine-driven compliance rail for OT/ICS living-off-the-land intrusion -> critical-infrastructure pre-positioning (Volt Typhoon) on the Manufacturing protect-surface layout. Step controls cycle through the engine's Trust-Failure chain; each step shows the in-scope provisions the failure implicates and, where a regulatory clock applies, the obligation diamond.

resolved atManufacturing · OT cell (Purdue Model) · Engineer pushes config to an operational asset
step 01TF6observedATT&CK T1190
stage 6

Initial access via vulnerable public-facing networking appliances. AA24-038A: "To obtain initial access [TA0001], Volt Typhoon actors commonly exploit vulnerabilities in networking appliances such as those from Fortinet, Ivanti Connect Secure (formerly Pulse Secure), NETGEAR, Citrix, and Cisco [T1190]." The advisory also documents repurposing end-of-life Cisco/NETGEAR SOHO routers as KV-Botnet C2 proxies. The externally reachable device is exploited without a gating PEP — an Enforcement Failure at the network edge.

mitigating controls
pamapi-gatewaysiem-soarca-pkikms-secrets
in-scope provisions (6)
  • partial3.I - Implement Logical/Physical Network Segmentationcisa-cpgs-v2disc:highpendingEvidence
  • partialPR.AA-01 — Identity Management, Authentication, and Access Controlnist-csf-2-0disc:highpendingEvidence
  • partialPR.AA-02 — Identity Management, Authentication, and Access Controlnist-csf-2-0disc:highpendingEvidence
  • partialPR.AA-03 — Identity Management, Authentication, and Access Controlnist-csf-2-0disc:highpendingEvidence
  • partialPR.AA-04 — Identity Management, Authentication, and Access Controlnist-csf-2-0disc:highpendingEvidence
  • partialPR.AA-05 — Identity Management, Authentication, and Access Controlnist-csf-2-0disc:highpendingEvidence
obligation
no regulatory clock for this step
protect-surface storyline (DAAS cards)
  1. 01
    Initial Access
    firewalls
    Initial access through a vulnerable public-facing edge device (the network appliances and small-office routers Volt Typhoon is documented exploiting and repurposing). Exploited without a gating PEP — an Enforcement Failure at the network edge.
  2. 02
    Credential Access
    eng-workstation
    LSASS process dumped via the native comsvcs.dll; Mimikatz harvests credentials on a foothold engineering workstation. The actor then operates as valid accounts (T1078) — the PE accepts credentials that no longer identify the legitimate principal.
  3. 03
    Lateral Movement
    servers
    Living-off-the-land tradecraft (legitimate Windows binaries: wmic, ntdsutil, netsh) blends with normal administration; the actor moves east-west across the IT estate with minimal new tooling — designed to evade OT-IDS signature visibility.
  4. 04
    Persistence (multi-year)
    industrial-fw
    Long-dwell persistence in the IT-OT DMZ. AA24-038A documents multi-year valid-account residency where the trust algorithm never re-decisions on session freshness — the adversary is the new "normal."
  5. 05
    OT Pre-positioning
    plc-controllers
    Pre-positioning for disruptive impact on operational-technology controls. AA24-038A is explicit: the goal is the OPTION to disrupt critical infrastructure on demand, not an immediate action — which makes the eviction window the defender’s primary loss.