According to a new warning from U.S. federal agencies, hackers working at the behest of China may have been infiltrating U.S. critical infrastructure for years. The claim, published in a cybersecurity advisory earlier this month, drew on information from six U.S. agencies, as well as allied cybersecurity and intelligence agencies from Australia, Canada, New Zealand and the U.K.
The data from the “Five-Eyes” alliance didn’t directly name any specific victims, but said the “PRC state-sponsored” hackers may have targeted key infrastructure, “primarily in Communications, Energy, Transportation Systems, and Waste and Wastewater Systems Sectors — in the continental and non-continental United States and its territories.”
Cybersecurity experts are warning that this should be seen as a serious threat to the United States, and that networks should be hardened to stop a potential attack.
“This is a legitimate threat, and while the number of compromised organizations is unknown, it is likely that multiple organizations around the globe that make up critical national infrastructure have bad actors in their infrastructure,” Matt Hull, global head for Strategic Threat Intelligence at global cybersecurity software escrow firm NCC Group, told ClearanceJobs.
“The dark secret here in the cyber world is this has been known for many years,” warned Steve Hahn, executive vice president at cybersecurity provider BullWall.
“The Chinese have infiltrated nearly every aspect of our critical defense infrastructure. One of their MOs is ‘owning’ a high-level developer’s account,” Hahn explained. “All they need is a foothold and a variety of tools, developed by the defenders, like Cobalt Strike, to get the right set of credentials. Once they have those, they can steal the source code to know precisely how it works.”
Worse yet, hackers can secretly insert so-called kill switches into the software and recompile it on the development server.
“This allows them to remotely shut these systems down in the event of an attack to eliminate our ability to respond. In my 20 years of cybersecurity I have not seen a single sector that hasn’t seen this exact type of infiltration,” Hahn told ClearanceJobs.
As with any cyber threat, a layered approach to cybersecurity should be employed to address it.
“Fundamental cyber security measures need to be adopted, including good password management, use of MFA, access controls, use of firewalls, robust patch management processes, network monitoring, and security awareness programs,” Hull suggested.
The How And Why?
It is unclear exactly how the Chinese threat actors may have gained access to the critical infrastructure, but initial access could have been gained by any number of paths.
“There is previous evidence of sophisticated threat groups exploiting vulnerable infrastructure or the use of zero-day vulnerabilities, social engineering targeting employees of the target organization, compromising the supply chain, or even using ‘malicious insiders’, who are either coerced or sympathetic to the cause of the attacker,” Hull said.
As to the why, the motivation could be heightened tensions over semiconductor and AI trade sanctions and the situation regarding Taiwan.
“The Chinese government has been increasingly targeting critical U.S. infrastructure, including energy, transportation, water and wastewater systems, with the potential to cause ‘real-world harm’ to Americans and this must be taken seriously,” suggested Ted Miracco, CEO of mobile cybersecurity provider Approov.
“Most attacks, even those involving state-sponsored groups, begin with some kind of phishing attack that leads to leveraging stolen account credentials and employing targeted log deletion to conceal their actions,” Miracco told ClearanceJobs.
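The chain Miracco describes (stolen credentials, then log deletion to cover tracks) is one a defender can look for directly. The following is an added example, not code from the original article or from any of the firms quoted: it scans a constructed stream of Windows-style security events for an audit-log clear (event 1102) that closely follows a logon (event 4624) from a source address never before seen for that user. The event records, the known-source baseline, and the 30-minute window are all assumptions made for the illustration.

```python
"""Toy detection for the 'stolen credentials, then log deletion' pattern.

Event shapes are constructed for this example and loosely modelled on
Windows Security event IDs 4624 (successful logon) and 1102 (the audit log
was cleared). Nothing here is real telemetry from the article.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

LOGON = 4624              # successful logon
AUDIT_LOG_CLEARED = 1102  # audit log cleared


@dataclass
class Event:
    ts: datetime
    event_id: int
    user: str
    host: str
    src_ip: str = ""  # only populated for logon events


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Assumed baseline: source addresses each user normally logs on from.
KNOWN_SOURCES = {"alice": {"10.0.0.5"}, "bob": {"10.0.0.9"}}

# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    Event(_t("2024-02-12T08:55:00"), LOGON, "alice", "WS1", "10.0.0.5"),
    Event(_t("2024-02-12T10:00:00"), LOGON, "alice", "SRV1", "203.0.113.77"),
    Event(_t("2024-02-12T10:12:00"), AUDIT_LOG_CLEARED, "alice", "SRV1"),
    Event(_t("2024-02-12T11:00:00"), LOGON, "bob", "WS2", "10.0.0.9"),
    Event(_t("2024-02-12T11:05:00"), AUDIT_LOG_CLEARED, "bob", "WS2"),
]


def find_log_clears(events, known_sources, window=timedelta(minutes=30)):
    """Return one alert per audit-log clear.

    Severity is 'high' when the same user logged on to the same host from an
    unseen source address within `window` before the clear; every other clear
    is reported as 'medium', because clearing the audit log is rarely routine.
    """
    # (user, host) -> (timestamp, src_ip) of the latest logon from a new source
    recent_new_source = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event_id == LOGON:
            if ev.src_ip not in known_sources.get(ev.user, set()):
                recent_new_source[(ev.user, ev.host)] = (ev.ts, ev.src_ip)
        elif ev.event_id == AUDIT_LOG_CLEARED:
            prior = recent_new_source.get((ev.user, ev.host))
            alert = {"user": ev.user, "host": ev.host, "ts": ev.ts,
                     "severity": "medium", "src_ip": None}
            if prior and ev.ts - prior[0] <= window:
                alert["severity"] = "high"
                alert["src_ip"] = prior[1]
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in find_log_clears(SAMPLE_EVENTS, KNOWN_SOURCES):
        print(f"[{a['severity']}] {a['ts']} {a['user']}@{a['host']} "
              f"audit log cleared (new-source logon from {a['src_ip']})")
```

In practice the baseline would come from weeks of logon history rather than a hard-coded dictionary, and the same rule should be run against forwarded copies of the logs, since an attacker who clears the local log also removes the 4624 that would have triggered it.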
The Appropriate Response
It is increasingly clear that foreign intelligence services and nation state threat actors possess the technical capability to compromise nearly any business or organization. Cybersecurity experts agree that the motivations are multifaceted – ranging from espionage and data theft for intelligence purposes to gaining an advantage in the global economy or technological race.
“This situation warrants a strong and coordinated response, including diplomatic measures, increased cyber defense capabilities, and potentially offensive cyber operations to deter further attacks,” said Mark Campbell, senior director at cybersecurity software provider Cigent.
He told ClearanceJobs that, like China, the U.S. also has the capability to conduct similar operations, and Beijing has previously accused the U.S. of similar activity as well.
“It’s plausible that the U.S. has similar capabilities and may have accessed Chinese networks as part of its cybersecurity and intelligence strategies, reflecting the ongoing tensions between the two nations,” added Campbell.
Though the U.S. government has not publicly disclosed specific instances of gaining access to Chinese networks in retaliation, and likely never will, it is common practice for nation-states to engage in cyber espionage and reconnaissance against each other.
“Such activities can often include efforts to infiltrate each other’s networks for intelligence gathering, monitoring, or positioning for potential future conflicts,” continued Miracco. “It is important to note that such activities are highly classified and typically not disclosed to the public due to their sensitive nature. It would be naive to think the U.S. is exclusively looking at cyber defense, as that would be dangerous to public safety.”
Whether or not such a “secret” cyber war is actually ongoing, the disclosure only serves to highlight the ongoing threat.
“One could view this on par with the Cuban Missile crisis,” explained Hahn. “Although that was not a direct attack, putting us in a position where we are defenseless against one is about as close to that line as you can get. In the Cuban Missile crisis we did everything short of a declaration of war: sanctions, isolation, blockades. Whether we rise to that level is a question for policy makers, but make no mistake, they have very deep penetration into our defense infrastructure and are looking for ways to shut it off or circumvent it in the case of a full-blown war. This will only escalate as the issue with Taiwan becomes more contentious.”