
U.S. Government Doubles Down on Chinese APT Warnings

At the Billington Cybersecurity State and Local Summit on Tuesday, U.S. government officials warned that the critical infrastructure security threat posed by Chinese state-sponsored actors could potentially have a very real and significant impact on state and local governments.

The federal government has been sounding off in a series of security advisories and hearings on Chinese threat actors' successful attempts to gain persistent, quiet access to critical infrastructure sectors across the country, particularly after the Department of Justice in January first exposed a widespread campaign carried out by Volt Typhoon.

Volt Typhoon has been burrowing in the networks of these various critical infrastructure entities in order to pre-position themselves for future potential attacks, said the government. Moreover, despite law enforcement announcing a limited disruption operation of Volt Typhoon earlier this year, the full extent of the threat actor's campaign is unknown, and government agencies are still unearthing victims.

While the U.S. has been focused on China as a top threat in the cybersecurity landscape over the past decade, what’s different now is that “the PRC’s inside the house,” said Andrew Scott, associate director for China operations with the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

“We know they’re on these networks… CISA has confirmed PRC cyber actors have been on our networks for, in some cases, the past five years,” said Scott on Tuesday at the summit. “If the order was given they could disrupt some services in this country right now."

Part of the challenge for security teams is that these threat actors are persistent: They’re not noisy, and they use living-off-the-land techniques that make it difficult for network defenders to detect them once they’re in. In many cases, threat actors lie dormant in the compromised networks, periodically checking in only to make sure that their access is still intact.

“In our engagements specific to this particular threat vector, what we’re seeing is although there’s differences on the margins in every single victim, there’s commonality in the way the targeting and the way the compromises are happening,” said Scott. “It’s a very challenging environment for a network defender to deal with.”

Scott recommended that state and local government entities audit system administrator accounts in their environments and implement identity management strategies. One important mitigation strategy for living-off-the-land techniques is to make sure logging is turned on for applications and systems and that those logs are stored in a central system, according to CISA.

“It requires looking at your logs, looking for out-of-band activity, because what these actors are doing are simply imitating authenticated users on the network, and using the native tools that are available to system administrators to move around on the network, and maintain that access,” said Scott.
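The kind of review Scott describes can be started in a few lines once logs are centralized. The script below is an added example, not code from the article or from CISA: it parses a constructed log of administrator-account activity (the format, account names, hosts and 07:00-18:59 business-hours window are all assumptions) and flags events that fall outside each admin's normal hours or come from a host that account is not normally seen on.

```python
"""Flag out-of-band administrator activity in centralized logs (added example,
not from the article or CISA; log format, names and hours are constructed)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample: timestamp, account, source host, native tool invoked.
SAMPLE_LOG = """\
2024-03-04T09:12:00 admin.jane ws-it-01 powershell.exe
2024-03-05T10:03:00 admin.jane ws-it-01 wmic.exe
2024-03-06T14:40:00 admin.jane ws-it-02 net.exe
2024-03-09T03:17:00 admin.jane srv-hvac-07 schtasks.exe
2024-03-04T08:30:00 admin.bob ws-it-03 net.exe
2024-03-08T22:05:00 admin.bob ws-it-03 powershell.exe
2024-03-10T02:45:00 admin.bob fw-mgmt-01 netsh.exe
"""

BUSINESS_HOURS = range(7, 19)  # assumption: 07:00-18:59 local time

def parse(text):
    """Parse whitespace-separated lines into (datetime, account, host, tool) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, account, host, tool = line.split()
        events.append((datetime.fromisoformat(ts), account, host, tool))
    return events

def baseline(events):
    """Hosts each account is normally seen from during business hours."""
    known = defaultdict(set)
    for ts, account, host, _ in events:
        if ts.hour in BUSINESS_HOURS:
            known[account].add(host)
    return known

def find_out_of_band(events):
    """Return events that are off-hours, from an unfamiliar host, or both."""
    known = baseline(events)
    alerts = []
    for ts, account, host, tool in events:
        reasons = []
        if ts.hour not in BUSINESS_HOURS:
            reasons.append("off-hours")
        if host not in known[account]:
            reasons.append("unfamiliar host")
        if reasons:  # keep the tool name so an analyst sees what was run
            alerts.append((ts.isoformat(), account, host, tool, ", ".join(reasons)))
    return alerts

if __name__ == "__main__":
    for alert in find_out_of_band(parse(SAMPLE_LOG)): print(*alert)
```

Against the sample, the two admin sessions in the early morning from hosts those accounts never use during the day are flagged on both counts, while the late-evening session from a familiar workstation is flagged only as off-hours, giving an analyst a reason to prioritize the former.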

Although ransomware has been the bigger security concern for the state and local government leaders gathered at the Tuesday summit over the past years, U.S. officials said the potential disruptions brought on by Chinese actors are a very relevant threat to these regional government entities.

These types of critical infrastructure attacks have the potential for a much more widespread impact and, in a worst case scenario, could cause societal panic, said officials. Moreover, the federal government has carved out a role for state and local governments in aiding critical infrastructure sectors hit by these types of attacks. On Tuesday, for instance, the White House requested that U.S. governors partner with the Environmental Protection Agency (EPA) to help safeguard the water sector from threats posed by Volt Typhoon.

“The worst case outcome that we’re concerned about is not a one-off event,” said Scott. “It is not a single hospital. It is multiple sectors simultaneously being disrupted with services being out. Imagine the impact of having multiple water utilities out, multiple communication entities out, multiple energy providers out, in your region or state.”

In a security notice for critical infrastructure owners and operators on Tuesday, CISA and its partners - including agency partners and security partners from Australia, Canada, the UK and New Zealand - urged leaders to recognize Volt Typhoon's operations as a “core business risk” and listed a number of additional detection and hardening measures they could take. These measures also include developing security plans, conducting tabletop exercises that include personnel from different business sections and taking steps to secure the supply chain.

For decades China focused its offensive cyber efforts on IP theft and traditional espionage, but the Volt Typhoon attacks reflect how that has been changing, said Dave Frederick, the assistant deputy director for China with the National Security Agency (NSA), during the Tuesday summit. Political and strategic goals are in part driving that shift, and researchers have for years highlighted how Chinese threat actors have become more focused and sophisticated, retooling their efforts to support China's long-term policies and investment programs centered on infrastructure, economic development and national self-reliance.

“It really reflects their broader strategy," Frederick said. "We have seen a significant shift in China in the last five years… where they are taking a much more aggressive posture on asserting themselves globally, trying to reshape the global order and certainly trying to create the conditions where they can force unification with Taiwan if a peaceful unification isn’t possible."