Chinese Hacking Group Targets US Critical Infrastructure

Earlier this month, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint warning that the hacking group known as “Volt Typhoon” has been lurking in US critical infrastructure systems for at least five years. 

Who’s behind Volt Typhoon? 

The warning stated that Volt Typhoon, a state-sponsored threat actor group believed to act on behalf of the People’s Republic of  China, has been positioning itself to sabotage US critical infrastructure in the event of any military conflict over Taiwan. Additionally, the hackers may be prowling inside the networks of Canada, New Zealand, and Australia. The group has apparently been most interested in a few specific areas of US critical infrastructure, including: energy, communications, transportation, and water/wastewater. 

After last year’s widely publicized attack on the municipal water system in Aliquippa, Pennsylvania, Congress, CISA, and industry leaders have increased their focus on the unique risks facing water systems across the country. 

Staying on the offensive to guard critical infrastructure

During his recent testimony before the U.S. House Select Committee on the Chinese Communist Party, FBI Director Christopher Wray said, “China’s hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if and when China decides the time has come to strike.”

Director Wray also warned that Chinese hackers aren’t focused solely on political and military targets. He explained: “We can see from where they position themselves across civilian infrastructure that low blows are just a possibility in the event of a conflict; low blows against civilians are part of China’s plan.” Wray also referred to Volt Typhoon as just “the tip of the iceberg,” noting how many similar hacking efforts are originating from China. 

After Director Wray sounded the alarm, the U.S. House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection held a hearing titled “Securing Operational Technology: A Deep Dive into the Water Sector.” There, leaders from both the public and private sectors stressed that critical infrastructure operators in all sectors should prepare and respond to attacks in the way they would handle a natural disaster. The time is now to establish procedures to sever control systems from the internet, and practice disconnected operations.

Nation-state threats on the rise

Sabotaging municipal water supplies and other critical infrastructure assets would no doubt damage American security, threaten lives, and disrupt critical services. For these reasons, they’re an attractive target to nation-states and advanced threat actor groups. The Aliquippa attack was linked to an Iranian threat actor group, which shows that US critical infrastructure is in the crosshairs of many hostile nation-states. 

Many critical infrastructure institutions are vulnerable to cyber incidents for a number of reasons, including: increasingly sophisticated threat actors; outdated technology and legacy systems; inadequate security measures; insider threats; insufficient training and awareness; resource limitations; and more. In fact, nation-state attacks on critical infrastructure doubled (from 20% to 40%) between July 2021 and June 2022. 

Creating a more secure supply chain

So far, the group hasn’t taken specific actions against any critical infrastructure assets; opting instead to conduct years-long reconnaissance in order to map out network architectures and organizational protocols. The group actively scans for network devices with known vulnerabilities, then uses its foothold in the network to obtain administrator credentials. From there, the group can gain access to more of the system, often remaining silent for years. 

SecurityScorecard’s report with the Cyentia Institute found that 98% of organizations have a relationship with at least one third party that has experienced a breach in the last two years. As a result, organizations can no longer use static security assessments of their supply chain, and must continuously monitor cybersecurity risk across their vendor ecosystem. For organizations in the critical infrastructure sector to gain trust and improve resilience, they need a simple and straightforward way to measure risk and quantify the trustworthiness of any organization in the world. Security ratings are a recognized, trusted source of objective, data-driven metrics for cybersecurity performance. They also provide a common language with which to assess and mitigate risk. 

With this common language and level of insight, organizations can identify cyber risks posed by all suppliers (including third- and fourth-party vendors) and make informed decisions to help their partners strengthen their own cyber defenses.