
US warns of “permanently altered” cyberthreat landscape
Recently exposed activity by the Chinese-backed hacking group Volt Typhoon has prompted US officials to issue warnings that the cyberthreat landscape has been permanently altered. In particular, the activity signals a fundamental shift in the goals and techniques of state-sponsored cyber operations.
A novel form of cyberthreat
For many years, the primary goals of state-sponsored hacking activities were most often limited to strategic and industrial espionage. That is, whether the threat actors were official government entities or independent gangs sponsored by national governments, their efforts were primarily directed at infiltrating systems with the goal of stealing valuable data.
In some cases, these were government systems housing strategic planning and other secret data, and in others, the goal was to find and exfiltrate corporate trade secrets in order to gain competitive economic advantages. Only very rarely, such as the 2014 breach of Sony Pictures, allegedly carried out by North Korean threat actors, was the primary goal apparently direct sabotage; and even then, it was not directed at any form of critical infrastructure.
Cyberattacks have also been a common instrument in armed conflict, as in the 2017 Russian attacks on Ukrainian targets (WannaCry, NotPetya). But in those cases the goal was primarily tactical: the immediate disruption of an enemy’s war-fighting capabilities.
But as my colleague Christine Barry explained in a recent article, Volt Typhoon’s activity is fundamentally different. As detailed in a February 2024 cybersecurity advisory issued by the US Cybersecurity & Infrastructure Security Agency (CISA), this activity has involved penetrating and maintaining access to critical infrastructure systems that have no espionage value—but which, in the case of a heightened conflict, could have tremendous strategic value.
Pre-positioning assets
The aim of this activity is not hard to understand. In the event of heightened tension or even a crisis leading to armed conflict with the United States, the People’s Republic of China intends to have capabilities already in place to disrupt the US’s capabilities by sabotaging critical infrastructure and industrial capacities, sowing chaos and panic, and generally messing things up. There is no doubt that such activities could have seriously dangerous consequences for communities and individuals across the country.
“It is very clear that Chinese attempts to compromise critical infrastructure are in part to pre-position themselves to be able to disrupt or destroy that critical infrastructure in the event of a conflict, to either prevent the United States from being able to project power into Asia or to cause societal chaos inside the United States — to affect our decision-making around a crisis,” said Brandon Wales, executive director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). “That is a significant change from Chinese cyber activity from seven to 10 years ago that was focused primarily on political and economic espionage.” — The Washington Post
A new posture for the future
Although the DOJ is confident that the recently discovered intrusions have been successfully resolved, the clear communication from CISA and others is that this represents a new normal for the cybersecurity landscape—and an ongoing concern for US cyber-defense agencies, whose posture will have to be adjusted accordingly.
Because Volt Typhoon—and, presumably, future campaigns—employ a variety of living-off-the-land (LotL) techniques to minimize traditional indicators of compromise (IoCs), CISA’s recently issued guidance on detecting such techniques is increasingly being promoted for both governmental and private critical-infrastructure organizations.
CISA’s recent report also includes a list of actions that everyone can take immediately to mitigate the risk of Volt Typhoon activity:
Apply patches for internet-facing systems. Prioritize patching critical vulnerabilities in appliances known to be frequently exploited by Volt Typhoon. This includes routers, VPNs, and firewalls with either known or zero-day vulnerabilities.
Implement phishing-resistant MFA. The use of multi-factor authentication for all critical systems, or better yet, implementation of a zero-trust architecture, can dramatically reduce the risk of intrusions that use stolen credentials.
Ensure logging is turned on for application, access, and security logs and store logs in a central system. At the first indication of an intrusion, having a centralized repository of event logs is critical for determining the scope and details of the problem.
Plan “end of life” for technology beyond manufacturer’s supported lifecycle. Edge devices and hardware often maintain operational functionality in US-based systems after they have reached end-of-life and are no longer supported with patches to seal newly discovered vulnerabilities. Volt Typhoon (and many other threat actors) routinely scan potential victims’ systems for such devices.
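The centralized logging and LotL-detection points above are what make a hunt like the following possible. This is an added illustration, not code from the article or from CISA’s guidance: it parses a constructed sample of centralized process-creation events and flags native administrative tools launched by service processes or by accounts outside an assumed admin allowlist. The event format, tool watchlist, parent-process list, host and account names are all assumptions for the example.

```python
import re

# Defender's watchlist of native administrative tools often abused in
# living-off-the-land activity (assumed list for this example).
LOTL_TOOLS = {"cmd.exe", "powershell.exe", "wmic.exe", "netsh.exe", "ntdsutil.exe"}
# Service processes that should not normally spawn a shell (assumed).
SUSPICIOUS_PARENTS = {"w3wp.exe", "httpd.exe", "sqlservr.exe"}
# Accounts expected to run admin tooling (assumed allowlist).
ADMIN_ALLOWLIST = {"it-admin"}

# Assumed key=value layout of a centralized process-creation event.
EVENT_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) parent=(?P<parent>\S+) proc=(?P<proc>\S+)"
)

def parse_event(line):
    """Return the event fields as a dict, or None if the line does not match."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None

def score_event(ev):
    """Return the reasons an event looks like LotL misuse of a native tool."""
    reasons = []
    if ev["proc"].lower() not in LOTL_TOOLS:
        return reasons
    if ev["parent"].lower() in SUSPICIOUS_PARENTS:
        reasons.append(f"{ev['proc']} spawned by service process {ev['parent']}")
    if ev["user"].lower() not in ADMIN_ALLOWLIST:
        reasons.append(f"{ev['proc']} run by non-admin account {ev['user']}")
    return reasons

def hunt(lines):
    """Scan event lines and return (timestamp, host, reason) findings."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # unparseable line; skip rather than fail the whole hunt
        for reason in score_event(ev):
            findings.append((ev["ts"], ev["host"], reason))
    return findings

# Constructed sample events in the assumed format (not real logs).
SAMPLE_EVENTS = [
    "2024-02-07T03:12:45Z host=edge-srv-01 user=svc_web parent=w3wp.exe proc=cmd.exe",
    "2024-02-07T09:01:10Z host=ws-042 user=it-admin parent=explorer.exe proc=powershell.exe",
    "2024-02-07T03:14:02Z host=edge-srv-01 user=svc_web parent=cmd.exe proc=netsh.exe",
    "2024-02-07T10:22:33Z host=ws-017 user=jdoe parent=explorer.exe proc=notepad.exe",
]

if __name__ == "__main__":
    print(*hunt(SAMPLE_EVENTS), sep="\n")
```

Against the sample, the interactive PowerShell session by the allowlisted admin and the notepad launch produce no findings, while the shell and netsh activity under the web service account on edge-srv-01 is flagged.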
Cautious optimism
Although this alteration in the strategic cybersecurity environment is clearly worthy of serious concern, US government cybersecurity leaders at the recent RSA conference and in interviews with The Record offered some reasons to be optimistic that we are turning a corner in terms of adopting a new, more effective security posture in response to the new threats:
“I would offer that the adversary's not 10-foot-tall, and collectively we are not in the corner in the fetal position with an abacus,” Marine Corps Maj. Gen. Loran Mahlock, head of U.S. Cyber Command’s Cyber National Mission Force, said during a panel discussion this week.
“We've got our industry partners who are thinking deliberately and really creatively about the threats that are out there. And I think that really is our asymmetric advantage and our superpower.”
CISA’s [Eric Goldstein, executive assistant director for cybersecurity] said that, as much as officials have rung the alarm about Volt Typhoon, the government also intends to trumpet its successes against the China-linked group. “I do think that we will speak publicly about the progress that we are seeing in hardening and making more resilient critical infrastructure as we see it,” he said. — The Record, May 9, 2024