BruCON 0x10 has ended
Thursday September 19, 2024 16:00 - 17:00 CEST
For over two years, US and “Five Eyes” entities have focused significant attention on the threat posed by an activity cluster initially identified by Microsoft as “Volt Typhoon.” Linked to People’s Republic of China (PRC) cyber operations, Volt Typhoon is notable for effective, persistent use of living-off-the-land behaviors via proxied command and control (C2) infrastructure to target civilian and dual-use critical infrastructure entities. The entity has been described as the most concerning threat to US infrastructure and interests by multiple commercial and government entities – yet for all this attention, specifics on the group and their operations remain maddeningly scarce in publicly available reporting.

In this discussion, we will examine the nature of high-profile, yet vaguely described, threats such as Volt Typhoon, and what lessons we can learn from such activities. In particular, we will look at natural tensions in information disclosure that may uniquely align with insights into the Volt Typhoon threat, where counter-cyber operations may play as large a role (and potentially greater) in tracking this adversary as traditional intrusion analysis. Through this discussion we will look into how information sensitivity for cyber threat intelligence reporting may clash directly with the actionability of such information, and how this plays into both direct defense and, more broadly, public messaging around concerning (but objectively vague) threats.

To conclude, we will explore the natural tension between disclosure and action for intelligence operations, and the potential harm that may result when secretive items are broadcast widely in public discourse. Using Volt Typhoon as a high-profile and relevant example, attendees will learn to better advocate for and hold reporting entities to account for threat reporting, while also highlighting the need to exercise care and discretion in public messaging on the part of commercial and government authorities.
Speakers
Joe Slowik

Joe Slowik has over 15 years of experience across multiple information security domains. Currently, Joe performs in-depth research into critical infrastructure threats for MITRE while also leading the CTI and ICS functions of the ATT&CK project. Previously, Joe has worked primarily...
01. Gouden Carolus