The United States National Security Agency is often tight-lipped about its work and intelligence. But at the Cyberwarcon security conference in Washington DC on Thursday, two members of the agency’s Cybersecurity Collaboration Center had a “call to action” for the cybersecurity community: Beware the threat of Chinese government-backed hackers embedding in US critical infrastructure.
Alongside its “Five Eyes” intelligence alliance counterparts, the NSA has been warning since May that a Beijing-sponsored group known as Volt Typhoon has been targeting critical infrastructure networks, including power grids, as part of its activity.
Officials emphasized on Thursday that network administrators and security teams need to be on the lookout for suspicious activity in which hackers manipulate and misuse legitimate tools rather than malware—an approach known as “living off the land”—to carry out clandestine operations. They added that the Chinese government also develops novel intrusion techniques and malware, thanks to a substantial stockpile of zero-day vulnerabilities that hackers can weaponize and exploit. Beijing collects these bugs through its own research, as well as a law that requires vulnerability disclosure.
The People’s Republic of China “works to gain unauthorized access to systems and wait for the best time to exploit these networks,” Morgan Adamski, director of the NSA’s Cybersecurity Collaboration Center, said on Thursday. “The threat is extremely sophisticated and pervasive. It is not easy to find. It is pre-positioning with intent to quietly burrow into critical networks for the long haul. The fact that these actors are in critical infrastructure is unacceptable, and it is something that we are taking very seriously—something that we are concerned about.”
Microsoft’s Mark Parsons and Judy Ng gave an update on Volt Typhoon’s activity later in the day at Cyberwarcon. They noted that after seemingly becoming dormant in the spring and most of the summer, the group reappeared in August with improved operational security to make its activity more difficult to track. Volt Typhoon has continued attacking universities and US Army Reserve Officers’ Training Corps programs—a type of victim the group particularly favors—but it has also been observed targeting additional US utility companies.
“We think Volt Typhoon is doing this for espionage-related activity, but in addition, we think there’s an element that they could use it for destruction or disruption in a time of need,” Microsoft’s Ng said on Thursday.
The NSA’s Adamski and Josh Zaritsky, chief operations officer of the Cybersecurity Collaboration Center, urged network defenders to manage and audit their system logs for anomalous activity and store logs such that they can’t be deleted by an attacker who gains system access and is looking to hide their tracks.
The two also emphasized best practices, like two-factor authentication and limiting users’ and admins’ system privileges to minimize the possibility that attackers can compromise and exploit accounts in the first place. And they emphasized that not only is it necessary to patch software vulnerabilities, it is crucial to then go back and check logs and records to make sure that there aren’t signs that the bug was exploited before it was patched.
“We are going to need internet service providers, cloud providers, endpoint companies, cybersecurity companies, device manufacturers, everybody in this fight together. And this is a fight for our US critical infrastructure,” Adamski said. “The products, the services that we rely on, everything that matters—that’s why this is important.”