FBI Director Wray Warns, Chinese Hackers Are Determined to ‘Wreak Havoc’ on U.S. Critical Infrastructure
By Alliant Specialty
FBI Director Christopher Wray announced the dismantling of the China-backed hacking group known as "Volt Typhoon" during a House committee hearing on January 31, 2024. The hacking group had orchestrated numerous cyber intrusions by exploiting office and home office routers, utilizing them as launching pads to infiltrate Western critical infrastructure. Their targets included naval ports, internet service providers and utilities, prompting decisive action to neutralize the threat.
Increasing Sophistication
The hacking campaign attributed to Volt Typhoon was first reported in May 2023, following Microsoft's revelation of traces embedded in critical infrastructure in Guam—the closest U.S. territory to Taiwan and a site of significant U.S. military presence. The hackers employed diverse infiltration methods, utilizing multiple avenues such as cloud and internet providers, skillfully disguising themselves as normal traffic.
Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, underscored the escalating sophistication of the hacks during her testimony to the House select committee. She elaborated that the hackers used built-in network administration tools to elude endpoint detection while executing their operations—a technique commonly referred to as "living off the land." Because the same tools are used by legitimate administrators every day, this activity blends in with normal operations and is exceptionally difficult to distinguish from routine use, highlighting the evolving and elusive nature of their cyber activities.
Vulnerable to Attack
Numerous critical infrastructure organizations rely on outdated Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems, developed at a time when regular updates and patches were not standard practice. These systems frequently operate on obsolete software and hardware, lacking essential features such as network segmentation and encryption for communication protection. This creates an environment where malicious actors can exploit weaknesses, monitoring network traffic to intercept authentication credentials and execute man-in-the-middle attacks with relative ease. The absence of modern security measures underscores the pressing need for comprehensive updates and enhanced cybersecurity practices within these critical systems.
U.S. officials have long been concerned about such hackers hiding in U.S.-based infrastructure, and the end-of-life Cisco and Netgear routers exploited by Volt Typhoon were easy prey. The routers identified by the FBI predominantly belonged to antiquated systems in small offices that were no longer receiving security patches from the manufacturers or software providers.
Legacy infrastructure poses significant challenges for cybersecurity due to several inherent vulnerabilities and limitations. Here are some key reasons:
- Outdated Technology: Legacy systems often use outdated hardware and software that may lack modern security features and mechanisms. These systems were developed in an era when cybersecurity threats were less sophisticated, making them more susceptible to contemporary cyber attacks.
- Limited Security Support: Manufacturers and developers may discontinue support for legacy systems, ceasing the release of security updates and patches. This lack of ongoing support leaves these systems exposed to known vulnerabilities, as they are not fortified against emerging cyber threats.
- Incompatibility with Modern Security Protocols: Legacy systems might not be compatible with current security protocols and standards. This makes it difficult to implement contemporary cybersecurity measures, such as advanced encryption methods and multifactor authentication, leaving these systems more susceptible to breaches.
- Weak Authentication Mechanisms: Older systems may employ weaker authentication methods or default credentials that are easier for attackers to exploit. This can lead to unauthorized access and compromise of sensitive information.
- Lack of Network Segmentation: Many legacy systems were not designed with robust network segmentation in mind. This absence makes it easier for attackers to move laterally within a network once they gain initial access, potentially accessing critical systems and data.
- Inability to Keep Pace with Evolving Threats: Cyber threats evolve rapidly, and legacy infrastructure may lack the capability to adapt to emerging risks. This can result in a cybersecurity gap, leaving organizations more exposed to sophisticated and targeted attacks.
- Limited Monitoring and Detection Capabilities: Legacy systems often lack advanced monitoring and detection capabilities that are essential for identifying and responding to cybersecurity incidents in real time. This delay in detection can provide attackers with a larger window of opportunity to carry out malicious activities undetected.
Simply Outnumbered
The cybersecurity landscape faces a persistent challenge: cybersecurity professionals are outnumbered by cybercriminals. Several factors contribute to this imbalance:
- Growing Attack Surface: The digital attack surface is continuously expanding with the increasing use of technology and interconnected devices. As more organizations adopt digital solutions, the demand for cybersecurity professionals surges. However, the supply of skilled cybersecurity experts struggles to keep pace.
- Shortage of Qualified Professionals: There is a global shortage of qualified cybersecurity professionals. The field requires individuals with diverse skills, including expertise in threat analysis, ethical hacking, risk management and compliance. Universities and training programs often cannot produce enough graduates with the required skill set to meet the demand.
- High Turnover Rates: The cybersecurity industry experiences high turnover rates. Cybersecurity professionals are in high demand, leading to job mobility and professionals frequently changing employers for better opportunities. This dynamic creates a continual need for new hires and exacerbates the shortage.
- Complexity of the Threat Landscape: Cyber threats are becoming increasingly sophisticated, requiring cybersecurity professionals to continually update their skills and knowledge. The fast-paced evolution of cyber threats demands ongoing education and training, which can be challenging for professionals already in the field.
- Rapid Technological Advancements: Technology evolves quickly, introducing new vulnerabilities and attack vectors. Keeping up with the latest developments requires continuous learning, and the pace of technological change can overwhelm cybersecurity professionals who must constantly adapt to emerging threats.
- Global Nature of Cybercrime: Cybercriminal activities can originate from anywhere in the world, making it challenging for law enforcement and cybersecurity professionals to collaborate effectively across jurisdictions.
- Limited Budgets: Many organizations, especially smaller ones, may have limited budgets for cybersecurity initiatives. This constraint can affect the recruitment of qualified professionals, the implementation of robust security measures and the adoption of advanced cybersecurity technologies.
Addressing the shortage of cybersecurity professionals requires concerted efforts from educational institutions, governments and private sector organizations to invest in training programs, create pathways for career development and foster a cybersecurity culture that attracts and retains talent.
FBI Director Wray also urged lawmakers to support investments in U.S. cyber defense, warning that China’s hacking force far outnumbers America’s. “If you took every single one of the FBI cyber agents, intelligence analysts and focused them exclusively on the China threat, China’s hackers would still outnumber FBI cyber personnel by at least 50 to 1,” he said.
What Can Be Done?
To address these challenges, organizations need to invest in the modernization of their infrastructure, implement regular security audits and establish robust cybersecurity practices to ensure the protection of critical systems and data. Vigilance and a continuous commitment to cyber risk management and security are key. There is no single “point solution” that will address these challenges.
It is the responsibility of organizations to manage the risk of exploitation of these vulnerabilities in their own environments. Compensating controls such as restricted access to networks, isolation, segmentation and monitoring can help reduce the risk.
How Can Alliant Help?
Alliant Cyber is ready to engage with your organization today, to assist you in identifying and realizing your cyber risk management objectives. Our multi-disciplinary team accomplishes this through our accelerated model of engagement, prioritization and targeted results. Reach out today to begin your journey toward optimized insurability outcomes, enabled by Alliant Cyber.
Alliant note and disclaimer: This document is designed to provide general information and guidance. Please note that prior to implementation your legal counsel should review all details or policy information. Alliant Insurance Services does not provide legal advice or legal opinions. If a legal opinion is needed, please seek the services of your own legal advisor or ask Alliant Insurance Services for a referral. This document is provided on an “as is” basis without any warranty of any kind. Alliant Insurance Services disclaims any liability for any loss or damage from reliance on this document.