Feb 08 2024

China had “persistent” access to U.S. critical infrastructure

Category: Access Control,Cyber Espionagedisc7 @ 7:59 am

China-backed hackers have had access to some major U.S. critical infrastructure for “at least five years,” according to an intelligence advisory released Wednesday.

Why it matters: The hacking campaign laid out in the report marks a sharp escalation in China’s willingness to seize U.S. infrastructure — going beyond the typical effort to steal state secrets.

  • The advisory provides the fullest picture to-date of how a key China hacking group has gained and maintained access to some U.S. critical infrastructure.

Details: The U.S. Cybersecurity and Infrastructure Security Agency, the National Security Agency and the Federal Bureau of Investigation released an advisory Wednesday to warn critical infrastructure operators about China’s ongoing hacking interests.

  • According to the advisory, China-backed hacking group Volt Typhoon has been exploiting vulnerabilities in routers, firewalls and VPNs to target water, transportation, energy and communications systems across the country.
  • The group has relied heavily on stolen administrator credentials to maintain access to the systems — and in some cases it has maintained access for “at least five years,” per the advisory.
  • Volt Typhoon has been seen controlling some victims’ surveillance camera systems, and its access could have allowed the group to disrupt critical energy and water controls.

Of note: Volt Typhoon uses so-called “living off the land” techniques that limit any trace of their activities on a network — making the actors more difficult to detect.

  • CNN first reported details from the advisory earlier today.

Between the lines: U.S. officials are increasingly worried China will launch destructive cyberattacks either during or in the lead up to a possible Chinese invasion of Taiwan.

  • Authorities in Canada, Australia and New Zealand contributed to today’s advisory, citing concerns that China is also targeting organizations in their countries.

Catch up quick: Intelligence officials have been ringing alarm bells about Volt Typhoon for nearly a year.

  • Last May, Microsoft and the U.S. government warned that Volt Typhoon had been positioning itself to launch attacks on infrastructure across the country, including water utilities and ports.
  • This month, officials said they had successfully thwarted Volt Typhoon’s access to these networks — but warned that the group had shown a willingness to keep looking for new ways in.

The big picture: U.S. critical infrastructure is riddled with security problems, including poor password management and a lack of procedures to install security updates.

  • Some critical infrastructure, including water systems, lack the funds to hire security personnel or upgrade equipment.
  • Government attempts to require basic cybersecurity audits have also hit legal hurdles.

Be smart: U.S. cyber defenders are urging infrastructure operators to apply available software updates to all internet-facing systems, implement multi-factor authentication and turn on activity logs to track for any suspicious user behavior.

Attribution of Advanced Persistent Threats: How to Identify the Actors Behind Cyber-Espionage

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Advanced Persistent Threats