“The cyberthreat posed by the Chinese government is massive.”
That was FBI Director Christopher Wray, speaking at a recent security conference in Munich, warning of new cyberattacks from China. And not just from the outside, which would be bad enough. Wray singled out the Chinese Communist Party hacking group Volt Typhoon, which the U.S. Cybersecurity and Infrastructure Security Agency notes is lurking in critical infrastructure across our country.
Volt Typhoon has already hacked key sectors, including communications, energy, and water. It may have the ability to access heating and air conditioning systems to overheat data servers, to cause blackouts by disrupting control rooms that regulate water and electricity, and to manipulate surveillance cameras at some of these facilities.
Since 2021, Volt Typhoon has been exploiting critical infrastructure vulnerabilities by targeting networks protected by Fortinet’s FortiGuard security devices.
By proxying traffic through outdated and compromised routers, hackers “live off the land” by remaining undetected while monitoring traffic and escalating their access privileges. In fact, Volt Typhoon persisted in some IT environments for over five years while extracting sensitive information from in-memory data employing tools such as Magnet RAM Capture.
The severity of this threat was underscored in December when the Justice Department disrupted a Chinese botnet embedded in older routers, shedding light on the extensive reach of such cyber intrusions.
One study by the consulting company Forrester revealed an even grimmer reality: Nearly 80% of organizations using supervisory control and data acquisition or industrial control systems have reported security breaches in the past two years.
This is not the first instance of Chinese cyberespionage targeting American interests. Since 2006, a China-backed military hacking group termed APT1 orchestrated sophisticated attacks on American military contractors and critical infrastructure corporations.
By 2013, the Pentagon had disclosed that APT1 had pilfered military contractor designs such as the Patriot, THAAD, and Aegis missile systems, as well as aircraft designs, including the F/A-18 Super Hornet, V-22 Osprey, Black Hawk helicopter, and F-35 joint strike fighter.
In 2014, the FBI indicted five APT1 military hackers on charges of stealing information from critical infrastructure companies such as U.S. Steel, SolarWorld, and Westinghouse Electric over the prior decade.
Moreover, the United States has also faced threats from Russia’s hacking group Cozy Bear, termed APT29. Demonstrating its ability to bypass American cybersecurity defenses, APT29 was responsible for the 2016 Democratic National Committee breach and the 2021 SolarWinds Orion hack. More recently, APT29 infiltrated Hewlett Packard Enterprise emails, according to 2023 filings from the Securities and Exchange Commission.
The implications of these cyberattacks extend far beyond military and political repercussions. Moody’s designated critical infrastructure assets as “credit negative” last June due in part to the systemic risks posed by cyber vulnerabilities.
Moreover, as evidenced by Russia’s attacks on Ukraine’s power grid, the specter of cascading cyberattacks targeting geographically dispersed industrial operations looms large, with potentially catastrophic consequences for both Europe and the U.S.
With its 3,300 utilities and sprawling web of 5.5 million miles of distribution lines, the United States is particularly vulnerable to cyber incursions. CISA’s energy sector plan, published in 2015, is woefully inadequate in detail and does not accurately portray our adversaries’ current capabilities.
One particular risk, GPS spoofing, poses a significant threat of desynchronizing the power grid’s distribution systems leading to imbalanced voltages and sudden blackouts.
To mitigate evolving threats, initiatives such as CISA’s Cybersecurity Risk Information Sharing Program provide a baseline of normal network traffic. This baseline would check against sudden spikes in activity that a foreign entity would use to begin a cyberattack or exfiltrate information.
The Department of Homeland Security, however, has concluded that the voluntary program has limited capabilities as it does not provide cyber incident data in real time.
CISA’s incident playbook and free Cyber Security Evaluation Tool offer valuable resources for companies to reduce exposure to industrial control systems. Last, CISA maintains an updated list of advisories on spyware to help cybersecurity IT professionals react to new cyber-exploits.
There are dire implications for Russia and China making a strategic pivot from theft of military and scientific intellectual property to exploiting key infrastructure sectors and pre-positioning hidden cyberweapons.
It’s imperative for the U.S. to implement robust measures to defend against the rising threat of cyberweapons and update the almost decade-old energy sector plan.
Originally published by The Washington Times
Have an opinion about this article? To sound off, please email [email protected] and we’ll consider publishing your edited remarks in our regular “We Hear You” feature. Remember to include the URL or headline of the article plus your name and town and/or state.