China backed Volt Typhoon has “pre-positioned” malware to disrupt U.S. critical infrastructure networks “on a scale greater than ever before”

On Sunday, FBI Director Christopher Wray said Beijing’s efforts to covertly plant offensive malware inside U.S. critical infrastructure networks [1.] is now at “a scale greater than we’d seen before,” an issue he has deemed a defining national security threat.  He said that China backed Volt Typhoon was pre-positioning malware that could be triggered at any moment to disrupt U.S. critical infrastructure.  “It’s the tip of the iceberg…it’s one of many such efforts by the Chinese,” he said on the sidelines of the security conference.

Wray had earlier told conference delegates that China was increasingly inserting “offensive weapons within our critical infrastructure poised to attack whenever Beijing decides the time is right.”  The FBI chief said the U.S. is particularly focused on the threat of pre-positioning, which some European officials have described as the cyber equivalent of pointing a ballistic missile at critical infrastructure.  “Those attacks are now being amplified by artificial intelligence tools.  The word ‘force multiplier’ is not really enough,” Wray added.

Note 1. The FBI Director declined to elaborate on what other critical infrastructure had been targeted, stressing that the Bureau had “a lot of work under way.”


Machine learning translation has helped Chinese security operatives to more plausibly recruit assets, steal secrets and rapidly process more of the information they are collecting, Wray said.  “They already have built economic espionage and theft of personal and corporate data as a kind of a bedrock of their economic strategy and are eagerly pursuing AI advancements to try to accelerate that process,” Wray added.


……………………………………………………………………………………………………………………………

Western intelligence officials say the scale and sophistication of China’s cyberattacks have accelerated over the past decade. Officials have grown particularly alarmed at Beijing’s interest in infiltrating U.S. critical infrastructure networks, planting malware inside U.S. computer systems responsible for everything from safe drinking water to aviation traffic so that it could detonate, at a moment’s notice, damaging cyberattacks during a conflict.

In California, Wray met with counterparts from the Five Eyes intelligence community—which encompasses the U.S., Australia, New Zealand, Canada and the U.K.—to share respective strategies for cyber defense.  He has also traveled to Malaysia and India to discuss China’s hacking campaign with authorities in both countries.

“I am seeing more from Europe,” he said. “We’re laser focused on this as a real threat and we’re working with a lot of partners to try to identify it, anticipate it and disrupt it.”

The Netherlands’ spy agencies said earlier this month that Chinese hackers had used malware to gain access to a Dutch military network last year. The agency, considered to have one of Europe’s top cyber capabilities, said it made the rare disclosure to show the scale of the threat and reduce the stigma of being targeted so allied governments can better pool knowledge.

A report released this month by agencies including the FBI, the Cybersecurity and Infrastructure Security Agency and the National Security Agency said Volt Typhoon hackers had maintained access in some U.S. networks for five or more years, and while it targeted only U.S. infrastructure directly, the infiltration was likely to have affected “Five Eyes” allies.

Author’s Note:

This author is very disappointed that the U.S., Five Eyes and European agencies chartered with combating cybercrime have done so little to prevent cyber attacks on “critical infrastructure,” especially since Volt Typhoon has been doing so for at least five years according to the referenced January 2024 report.
Recall all the rah-rah talk 11 or 12 years ago about “Smart Grid,” which was supposed to make U.S. electrical grid infrastructure super-secure, resilient, and able to quickly recover from power failures and cyber attacks! Here we are in 2024, where none of that has happened, despite many IEEE, IEC, NTIA, and ETSI Smart Grid initiatives, specifications, and standards.  Hence, our critical infrastructure is at risk of cyber attacks by Volt Typhoon and other bad actors.
There’s even talk of US electric utilities buying and installing China-made power transformers that have a back door, as per this article.

……………………………………………………………………………………………………………………………

Volt Typhoon, the China-sponsored hacking group, has been targeting U.S. critical infrastructure, including satellite and emergency management services and electric utilities, according to a new report from the industrial cybersecurity firm Dragos.  That report outlines how the notorious hacking group is positioning itself to have disruptive or destructive impacts on critical infrastructure in the U.S.

Robert M. Lee, founder and CEO of Dragos, warned during a media briefing that Volt Typhoon is not an opportunistic group, but is instead targeting specific sites that assist U.S. adversaries “trying to hurt or cripple U.S. infrastructure.  It’s hitting the specific electric and satellite communication providers that would be important for disrupting major portions of the U.S. electric infrastructure,” Lee added.

The report comes shortly after the National Security Agency, FBI, and Cybersecurity and Infrastructure Security Agency revealed that Volt Typhoon has been in some critical infrastructure networks for at least five years. That alert warned of Volt Typhoon operations that targeted the aviation, railways, mass transit, highway, maritime, pipeline, and water and sewage sectors.

……………………………………………………………………………………………………………………………………………………………………………………………………………………………………

The NSA, CISA and FBI said in a joint advisory published on February 7th that Volt Typhoon has been burrowing into the networks of aviation, rail, mass transit, highway, maritime, pipeline, water and sewage organizations — none of which were named — in a bid to pre-position itself for destructive cyberattacks.  The release of the advisory, which was co-signed by cybersecurity agencies in the United Kingdom, Australia, Canada and New Zealand, comes a week after a similar warning from FBI Director Christopher Wray. Speaking during a U.S. House of Representatives committee hearing on cyber threats posed by China, Wray described Volt Typhoon as “the defining threat of our generation” and said the group’s aim is to “disrupt our military’s ability to mobilize” in the early stages of an anticipated conflict over Taiwan, which China claims as its territory.

According to Wednesday’s technical advisory, Volt Typhoon has been exploiting vulnerabilities in routers, firewalls and VPNs to gain initial access to critical infrastructure across the country. The China-backed hackers typically leveraged stolen administrator credentials to maintain access to these systems, according to the advisory, and in some cases, they have maintained access for “at least five years.”

This access enabled the state-backed hackers to carry out potential disruptions such as “manipulating heating, ventilation, and air conditioning (HVAC) systems in server rooms or disrupting critical energy and water controls, leading to significant infrastructure failures,” the advisory warned. In some cases, Volt Typhoon hackers had the capability to access camera surveillance systems at critical infrastructure facilities — though it’s not clear if they did.

Volt Typhoon also used living-off-the-land techniques, whereby attackers use legitimate tools and features already present in the target system, to maintain long-term, undiscovered persistence. The hackers also conducted “extensive pre-compromise reconnaissance” in a bid to avoid detection. “For example, in some instances, Volt Typhoon actors may have abstained from using compromised credentials outside of normal working hours to avoid triggering security alerts on abnormal account activities,” the advisory said.
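The two behaviours described above (living off the land with built-in tools, and using stolen credentials only during normal working hours so that off-hours alerts never fire) both defeat a detector that keys on time of day. The following script is an added illustration, not code from the advisory or from any of the agencies or vendors named on this page, of the alternative a defender can use: baseline each account's usual source hosts and the executables it normally runs, then flag an admin credential used from a never-before-seen host or a first-time use of a built-in tool, whether or not the activity happens in business hours. The event format, account names, host names, command lines and the LOLBIN list are all constructed for the example.

```python
import re
from datetime import datetime

# Constructed, simplified logon/process events (not real telemetry).
# Format: <ISO timestamp> <LOGON|PROC> <account> host=<source host> <detail>
# For LOGON, detail is target=<host>; for PROC, detail is cmd=<command line>.
BASELINE_EVENTS = [
    "2024-01-08T09:12:03 LOGON svc_backup host=WS-117 target=FILE-SRV-01",
    "2024-01-08T09:40:21 PROC svc_backup host=FILE-SRV-01 cmd=robocopy.exe D:\\shares \\\\bak01\\d$",
    "2024-01-09T10:05:44 LOGON ops_admin host=ADMIN-JUMP target=DC-01",
    "2024-01-09T10:06:02 PROC ops_admin host=DC-01 cmd=powershell.exe Get-ADUser -Filter *",
]

NEW_EVENTS = [
    # Same account, same host and same tool as the baseline: benign, no finding.
    "2024-02-06T14:10:05 LOGON svc_backup host=WS-117 target=FILE-SRV-01",
    "2024-02-06T14:11:00 PROC svc_backup host=FILE-SRV-01 cmd=robocopy.exe D:\\shares \\\\bak01\\d$",
    # Admin credential used from a host this account never used before, during
    # business hours, followed by a built-in tool the account never ran before.
    "2024-02-06T14:02:11 LOGON ops_admin host=VPN-GW-02 target=DC-01",
    "2024-02-06T14:03:40 PROC ops_admin host=DC-01 cmd=wmic.exe logicaldisk get name",
]

# Built-in Windows binaries commonly abused for living off the land
# (illustrative subset; a real deployment would use a maintained list).
LOLBINS = {"powershell.exe", "wmic.exe", "netsh.exe", "certutil.exe",
           "schtasks.exe", "reg.exe", "cmd.exe", "ntdsutil.exe"}

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>LOGON|PROC) (?P<account>\S+) host=(?P<host>\S+) "
    r"(?:target=(?P<target>\S+)|cmd=(?P<cmd>.+))$"
)


def parse_event(line):
    """Parse one constructed event line into a dict; PROC events get an 'exe' key."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    if ev["cmd"]:
        ev["exe"] = ev["cmd"].split()[0].lower()
    return ev


def build_baseline(lines):
    """Per account: the source hosts it logs on from and the executables it runs."""
    baseline = {}
    for ev in map(parse_event, lines):
        acct = baseline.setdefault(ev["account"], {"hosts": set(), "exes": set()})
        if ev["kind"] == "LOGON":
            acct["hosts"].add(ev["host"])
        else:
            acct["exes"].add(ev["exe"])
    return baseline


def in_business_hours(ts):
    """Mon-Fri, 08:00-18:00; recorded with each finding but never used to suppress one."""
    return ts.weekday() < 5 and 8 <= ts.hour < 18


def hunt(lines, baseline):
    """Flag deviations from the per-account baseline regardless of time of day."""
    findings = []
    for ev in map(parse_event, lines):
        acct = baseline.get(ev["account"], {"hosts": set(), "exes": set()})
        when = "business hours" if in_business_hours(ev["ts"]) else "off hours"
        if ev["kind"] == "LOGON" and ev["host"] not in acct["hosts"]:
            findings.append((ev["account"], "new_source_host", ev["host"], when))
        elif ev["kind"] == "PROC" and ev["exe"] in LOLBINS and ev["exe"] not in acct["exes"]:
            findings.append((ev["account"], "first_lolbin_use", ev["exe"], when))
    return findings


if __name__ == "__main__":
    for finding in hunt(NEW_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(finding)
```

Run as-is, the script reports two findings for `ops_admin` and none for `svc_backup`: the logon from `VPN-GW-02` and the first run of `wmic.exe` are both flagged even though they fall at 14:00 on a weekday, which is exactly the window the advisory says the actors preferred. The design point is that the baseline is per account, so a legitimate administrator's normal tooling does not generate noise, while an attacker reusing that administrator's credentials from a different foothold or with a different built-in tool does.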

Earlier this year, the FBI and U.S. Department of Justice announced that they had disrupted the “KV Botnet” run by Volt Typhoon that had compromised hundreds of U.S.-based routers for small businesses and home offices. The FBI said it was able to remove the malware from the hijacked routers and sever their connection to the Chinese state-sponsored hackers.

According to a May 2023 report published by Microsoft, Volt Typhoon has been targeting and breaching U.S. critical infrastructure since at least mid-2021.

……………………………………………………………………………………………………………………………

References:

https://www.wsj.com/politics/national-security/u-s-disables-chinese-hacking-operation-that-targeted-critical-infrastructure-184bb407

Volt Typhoon targeted emergency management services, per report

https://www.wsj.com/politics/national-security/fbi-director-says-china-cyberattacks-on-u-s-infrastructure-now-at-unprecedented-scale-c8de5983

China-backed Volt Typhoon hackers have lurked inside US critical infrastructure for ‘at least five years’

https://www.wsj.com/articles/wave-of-stealthy-china-cyberattacks-hits-u-s-private-networks-google-says-2f98eaed

US disrupts China-backed hacking operation amid warning of threat to American infrastructure

https://www.controlglobal.com/home/blog/11293192/information-technology

2 thoughts on “China backed Volt Typhoon has “pre-positioned” malware to disrupt U.S. critical infrastructure networks “on a scale greater than ever before”

  1. FCC Chair Jessica Rosenworcel suggested ‘telecom carriers’ raise their network security methods and procedures:

    “The cybersecurity of our nation’s communications critical infrastructure is essential to promoting national security, public safety, and economic security,” said Rosenworcel. “As technology continues to advance, so does the capabilities of adversaries, which means the U.S. must adapt and reinforce our defenses.

    “While the Commission’s counterparts in the intelligence community are determining the scope and impact of the Salt Typhoon attack, we need to put in place a modern framework to help companies secure their networks and better prevent and respond to cyberattacks in the future.”

    Rosenworcel’s cunning plan is to make CSPs submit some kind of annual certification to the FCC, proving their cybersecurity measures are up to scratch. The clear inference from the attack itself and all the subsequent attempts to shut the stable door after the horse has bolted is that those efforts currently fall short of the mark. But, understandably, none of the specific deficiencies have been publicly detailed. Consequently we don’t yet know which boxes would need to be ticked in order to get the FCC clean bill of health.

    The press release refers to a recent WSJ report based on an unpublished briefing from US national security adviser Anne Neuberger, in which she detailed the scale of the Salt Typhoon attack. “The Chinese compromised private companies, exploiting vulnerabilities in their systems as part of a global Chinese campaign that’s affected dozens of countries around the world,” she was quoted as saying.

    https://www.telecoms.com/security/as-us-finally-details-chinese-salt-typhoon-attack-fcc-chair-proposes-new-rules-for-telcos

  2. Chinese government hackers have compromised telecommunications infrastructure across the globe as part of a massive espionage campaign that has affected dozens of countries, a top U.S. security official said Wednesday.

    Speaking during a press briefing Wednesday, Anne Neuberger, President Biden’s deputy national security adviser for cyber and emerging technology, said the so-called Salt Typhoon campaign is ongoing and that at least eight telecommunications firms in the U.S. had been breached.

    “The Chinese compromised private companies, exploiting vulnerabilities in their systems as part of a global Chinese campaign that’s affected dozens of countries around the world,” Neuberger said.

    The remarks are the most specific public acknowledgment yet by the U.S. government concerning the vast scope and severity of the hacking campaign, which investigators have traced to a Chinese intelligence agency. The Journal previously identified Verizon, AT&T, T-Mobile and Lumen Technologies among the victims.

    Additionally, a “large number of Americans” had their cellphone metadata accessed in the intrusions, a senior administration official said. The official declined to say how many Americans, but said it wasn’t believed that all Americans had cell metadata—such as the time stamps of calls and the phone numbers involved—compromised.

    The metadata grabs appeared to be “regional” in focus, and were likely a means to identify phone lines of valuable senior government officials, which the hackers then targeted to steal unencrypted text messages and listen in on some phone calls, the official said.

    President-elect Donald Trump, Vice President-elect JD Vance, senior congressional staffers and an array of U.S. security officials were among scores of individuals to have their calls and texts directly targeted, an intelligence-collection coup that likely ensnared their private communications with thousands of Americans, the Journal has reported.

    The senior administration official said the global tally of countries victimized was currently believed to be in the “low, couple dozen” but didn’t give a precise figure. The global campaign of hacking activity dates back at least a year or two, the official said.

    Investigators are still working to understand the full parameters of the continuing intrusions. Neuberger, on the press briefing, said that it wasn’t believed that classified communications were accessed in the breaches.

    “We do not believe any have fully removed the Chinese actors from these networks,” Neuberger said, adding that there remained a risk of ongoing compromises of U.S. calls until the companies fully address “cybersecurity gaps.”

    In addition to compromising private unencrypted calls and texts, the hackers were able to access information from systems maintained by the carriers to comply with U.S. surveillance requests, raising further counterintelligence concerns.

    Wednesday’s briefing was the second in as many days from Biden administration officials, many of whom have been repeatedly stunned by the extent of the Salt Typhoon hack as investigators unearth more details. The U.S. Senate also received a closed-door briefing Wednesday from senior officials about the hack.

    On Tuesday, officials conceded they don’t know when the hackers might be purged from telecommunications infrastructure and urged people to use encrypted apps to protect their phone calls and texts.

    “It would be impossible for us to predict a time frame on when we’ll have full evictions,” Jeff Greene, a senior official at the Cybersecurity and Infrastructure Security Agency, said.

    https://www.wsj.com/politics/national-security/dozens-of-countries-hit-in-chinese-telecom-hacking-campaign-top-u-s-official-says-2a3a5cca
