Tag Archive for: Infrastructure

US disables hacking network targeting critical infrastructure


The US launched an operation to fight a pervasive Chinese hacking operation that successfully compromised thousands of internet-connected devices, according to two Western security officials and one person familiar with the matter.

The Justice Department (DoJ) and Federal Bureau of Investigation (FBI) sought and received legal authorization to remotely disable aspects of the Chinese hacking campaign, the sources told Reuters.

The Biden administration has increasingly focused on hacking, not only for fear that nation states may try to disrupt the US election in November, but because ransomware wreaked havoc on Corporate America in 2023.

The hacking group at the center of recent activity, Volt Typhoon, has especially alarmed intelligence officials who say it is part of a larger effort to compromise Western critical infrastructure, including naval ports, internet service providers and utilities.

While the Volt Typhoon campaign initially came to light in May 2023, the hackers expanded the scope of their operations late last year and changed some of their techniques, according to three people familiar with the matter.

The widespread nature of the hacks led to a series of meetings between the White House and private technology industry, including several telecommunications and cloud computing companies, where the US government asked for assistance in tracking the activity.

Such breaches could enable China, national security experts said, to remotely disrupt important facilities in the Indo-Pacific region that in some form support or service US military operations. Sources said US officials are concerned the hackers were working to hurt US readiness in case of a Chinese invasion of Taiwan.

China, which claims democratically governed Taiwan as its own territory, has increased its military activities near the island in recent years in response to what Beijing calls “collusion” between Taiwan and the United States.

The Justice Department and FBI declined to comment. The Chinese embassy in Washington did not immediately respond to a request for comment.

When Western nations first warned about Volt Typhoon in May, Chinese foreign ministry spokesperson Mao Ning said the hacking…

Source…

Chinese Hackers Target American Infrastructure, Raising Concerns of Cyber Warfare


According to U.S. officials and security experts, hackers affiliated with China’s People’s Liberation Army have been infiltrating the computer systems of critical American entities in an effort to disrupt key infrastructure. Over the past year, about two dozen entities have fallen victim to these cyber intrusions, including a water utility in Hawaii, a major West Coast port, and at least one oil and gas pipeline. Their targets also included the operator of Texas’s power grid. It appears that the Chinese military aims to sow chaos and panic or obstruct logistics in the event of a conflict between the U.S. and China in the Pacific.

While the intrusions did not cause any disruptions or impact industrial control systems, it is evident that China wants to complicate U.S. efforts to deploy troops and equipment to the Pacific region. The Chinese military intends to gain the ability to disrupt critical infrastructure and affect decision-making during a crisis. This marks a significant shift from their previous cyber activities focused on political and economic espionage.

The cyber campaign, known as Volt Typhoon, was first detected by the U.S. government about a year ago. It targets entities within the Indo-Pacific region, particularly Hawaii. The hackers often disguise their tracks by routing activity through innocuous devices like home or office routers. Their primary objective is to steal employee credentials that can be used to maintain persistent access.

The revelations concerning China’s cyber warfare capabilities confirm the fears expressed in the annual threat assessment by the Office of the Director of National Intelligence. The assessment warned that China is capable of launching cyberattacks that could disrupt critical U.S. infrastructure. In the face of a possible conflict, China would not hesitate to conduct aggressive cyber operations against U.S. assets worldwide.

The victims of Volt Typhoon include smaller companies and organizations across various sectors. It is believed that these entities were opportunistically targeted in the hopes of gaining access to larger, more critical customers through their supply chains.

Chinese military officers have outlined the use of cyber tools and network…

Source…

Router botnet tied to Volt Typhoon’s critical infrastructure breaches


Chinese threat group Volt Typhoon used a sophisticated botnet of unsecured home and small business routers to stealthily transfer data during a major campaign targeting U.S. critical infrastructure discovered earlier this year.

The group’s actions raised alarm in the intelligence community when they were first reported in May because of the breadth and potential impact of its attacks. Organizations across a range of sectors, including government, defense, communications, IT and utilities were targeted.

One victim was a critical infrastructure organization in the U.S. territory of Guam. There were fears the breach could be a precursor to an attack aimed at disrupting U.S. military capabilities in the nearby South China Sea.

KV-botnet comprised of end-of-life routers

In a Dec. 13 post, Lumen Technologies said that, following the discovery of the attacks, its Black Lotus Labs division found that Volt Typhoon — and possibly other advanced persistent threat (APT) actors — had used a botnet as a data transfer network as part of its operations.

Dubbed KV-botnet, it was a network of infected, mainly end-of-life, small office/home office (SOHO) routers made by Cisco, DrayTek and Netgear.

“The KV-botnet features two distinct logical clusters, a complex infection process and a well-concealed command-and-control (C2) framework,” the researchers said. “The operators of this botnet meticulously implement tradecraft and obfuscation techniques.”

There were several advantages of building a botnet from older SOHO routers, they said, including the large number available, the lack of security measures and patching they were subjected to, and the significant data bandwidth they could handle without raising suspicion.

“Additionally, because these models are associated with home and small business users, it’s likely many targets lack the resources and expertise to monitor or detect malicious activity and perform forensics.”

In a separate statement, Lumen said KV-botnet had enabled Volt Typhoon to maintain secret communication channels that merged with normal network traffic, avoiding security barriers and firewalls.

“This botnet was essential for their strategic intelligence collection operations,…

Source…

Another Cyberattack on Critical Infrastructure and the Outlook on Cyberwarfare


CyberAv3ngers, an Iranian Government Islamic Revolutionary Guard Corps (IRGC)-affiliated group, claimed credit for a Nov. 25 cyberattack on the Municipal Water Authority of Aliquippa in Pennsylvania. The threat group hacked a system with Israeli-owned parts at one of the water authority’s booster stations. The booster station was able to shut down the impacted system, which monitors water pressure, and switch to manual operations.

This cyberattack is one example among many of how critical infrastructure entities are being targeted by nation state and hacktivist threat actors. What was the impact of this CyberAv3ngers hack, and how will threat actors continue to pursue cyberwarfare?

The CyberAv3ngers Attack

CyberAv3ngers hacked a system known as Unitronics. During the attack, the following message appeared on the screen at the booster station:  “You Have Been Hacked. Down With Israel, Every Equipment ‘Made In Israel’ Is CyberAv3ngers Legal Target.”

The Cybersecurity and Infrastructure Security Agency (CISA) released a cybersecurity advisory on IRGC-affiliated actors’ exploitation of programmable logic controllers (PLCs) in multiple sectors. Unitronics PLCs are commonly used in water and wastewater systems, according to the advisory. PLCs operate with a human machine interface (HMI). “A human can walk over and touch a keypad and tell it what to do. Empty this tank or fill this tank or pump this water to this location. And those things can be controlled remotely,” Adam Meyers, senior vice president of counter adversary operations at cybersecurity technology company CrowdStrike, explains.


Meyers expects that the threat actors were likely scanning for a particular type of hardware. They were likely able to compromise the PLCs at the water authority booster station because they were exposed to the internet and using a default password, according to the CISA advisory. The station was able to switch to a manual system, and the water supply was not impacted.

CrowdStrike has been tracking CyberAv3ngers since July 2020. The group has claimed a number of breaches of critical infrastructure organizations. Some claims are unverified and…

Source…