The NSA is often tight-lipped about its work and intelligence. But at the Cyber Warfare Security Conference in Washington, D.C., on Thursday, two members of the agency’s Cybersecurity Collaboration Center issued a “call to action” to the cybersecurity community over the threat posed by Chinese government-backed hackers embedded in U.S. critical infrastructure.
The National Security Agency, together with its allies in the Five Eyes intelligence alliance, has been warning since May that a Beijing-funded group called Volt Typhoon has been targeting critical infrastructure networks, including power grids.
Officials stressed Thursday that network administrators and security teams need to be alert to suspicious activity in which hackers manipulate and abuse legitimate tools rather than malware, a method known as “living off the land” that keeps operations covert. They added that the Chinese government has also developed novel intrusion techniques and malware, thanks to a host of zero-day vulnerabilities that its hackers can weaponize and exploit. Beijing collects these vulnerabilities through its own research and through laws requiring the disclosure of vulnerabilities.
Morgan Adamski, director of the National Security Agency’s Cybersecurity Collaboration Center, said Thursday that the People’s Republic of China “is committed to gaining unauthorized access to systems and waiting for the best opportunity to exploit these networks.” “This is a threat that is extremely complex and pervasive, and not easy to detect. This is pre-targeted with the intent to quietly infiltrate critical networks over time. The fact that these actors are located within critical infrastructure is unacceptable and is something we are taking very seriously – we care.”
Microsoft’s Mark Parsons and Judy Ng provided an update on Volt Typhoon at Cyberwarcon later in the day. They noted that the group appeared to be dormant for much of the spring and summer, but resurfaced in August with improved operational security, making its activities harder to track. Volt Typhoon continues to hit universities and U.S. Army Reserve Officers’ Training Corps programs (a type of victim the group particularly favors), but it has also been observed targeting other U.S. utility companies.
“We believe Volt Typhoon did this for espionage purposes, but beyond that we think they could use it to do damage or sabotage if they needed to,” Microsoft’s Ng said Thursday.
Adamski and Josh Zaritsky, chief operations officer of the NSA’s Cybersecurity Collaboration Center, urged cyber defenders to manage and audit their system logs for unusual activity, and to store logs so they cannot be deleted by an attacker who has gained access to the system and is looking for those logs in order to hide their tracks.
The two also highlighted best practices such as two-factor authentication and limiting system permissions for users and administrators to minimize the possibility of attackers compromising and exploiting accounts. They also stressed the importance of not only patching software vulnerabilities, but also going back afterwards and checking logs and records to ensure there are no signs that the bug was exploited before the patch was applied.
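The officials’ advice to keep logs an intruder cannot quietly delete, and to re-read them after patching, is easier to act on when the log store is tamper-evident. As an added illustration (not code from the article, the NSA or Microsoft), the sketch below hash-chains each record to its predecessor so that an edited, deleted or truncated entry is detected on verification; the log lines and the collector’s record count are constructed sample data.

```python
import hashlib
import json

# Constructed sample audit lines standing in for a host's log (not from the article).
SAMPLE_LOG = [
    "2023-11-16T10:00:01Z host1 sshd: Accepted publickey for admin from 10.0.0.5",
    "2023-11-16T10:02:13Z host1 sudo: admin : COMMAND=/usr/bin/netstat -an",
    "2023-11-16T10:03:40Z host1 sshd: Accepted password for svc_backup from 10.0.0.9",
    "2023-11-16T10:05:02Z host1 sudo: svc_backup : COMMAND=/usr/bin/journalctl --vacuum-time=1s",
]

GENESIS = "0" * 64  # stands in for the hash of the record before the first one


def entry_hash(prev_hash: str, seq: int, line: str) -> str:
    """Hash of one record, bound to its predecessor's hash and its position."""
    material = json.dumps([prev_hash, seq, line], separators=(",", ":"))
    return hashlib.sha256(material.encode()).hexdigest()


def build_chain(lines):
    """Append each line as a record whose hash covers the previous record's hash."""
    chain, prev = [], GENESIS
    for seq, line in enumerate(lines):
        h = entry_hash(prev, seq, line)
        chain.append({"seq": seq, "prev": prev, "line": line, "hash": h})
        prev = h
    return chain


def verify_chain(chain, expected_len=None):
    """Return (ok, index): index is the first record that fails, or -1 if all pass.

    expected_len is the count held by a separate collector (e.g. a remote syslog
    server); it catches tail truncation, which the links alone cannot reveal.
    """
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i or rec["prev"] != prev:
            return False, i          # a record was removed or reordered here
        if entry_hash(prev, i, rec["line"]) != rec["hash"]:
            return False, i          # the line text was altered
        prev = rec["hash"]
    if expected_len is not None and len(chain) != expected_len:
        return False, len(chain)     # records missing from the end
    return True, -1


if __name__ == "__main__":
    chain = build_chain(SAMPLE_LOG)
    print("intact:", verify_chain(chain, expected_len=len(SAMPLE_LOG)))
    print("entry 2 deleted:", verify_chain(chain[:2] + chain[3:], expected_len=4))
```

In practice the chain head (the last hash) and record count are shipped to a collector the compromised host cannot write to; verification then runs against the collector’s copy rather than the host’s.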
“We need network service providers, cloud providers, endpoint companies, cybersecurity companies, equipment manufacturers, everyone to join in this fight. This is a fight against our critical infrastructure in the United States,” Adamski said. “We depend on everything that matters – that’s why this is important.”