Tag Archive for: Infrastructure

Chinese Hackers Target American Infrastructure, Raising Concerns of Cyber Warfare

/in


According to U.S. officials and security experts, hackers affiliated with China’s People’s Liberation Army have been infiltrating the computer systems of critical American entities in an effort to disrupt key infrastructure. Over the past year, about two dozen entities have fallen victim to these cyber intrusions, including a water utility in Hawaii, a major West Coast port, and at least one oil and gas pipeline. Their targets also included the operator of Texas’s power grid. It appears that the Chinese military aims to sow chaos and panic or obstruct logistics in the event of a conflict between the U.S. and China in the Pacific.

While the intrusions did not cause any disruptions or impact industrial control systems, it is evident that China wants to complicate U.S. efforts to deploy troops and equipment to the Pacific region. The Chinese military intends to gain the ability to disrupt critical infrastructure and affect decision-making during a crisis. This marks a significant shift from their previous cyber activities focused on political and economic espionage.

The cyber campaign, known as Volt Typhoon, was first detected the U.S. government about a year ago. It targets entities within the Indo-Pacific region, particularly Hawaii. The hackers often disguise their tracks utilizing innocuous devices like home or office routers. Their primary objective is to steal employee credentials that can be used to maintain persistent access.

The revelations concerning China’s cyber warfare capabilities confirm the fears expressed in the annual threat assessment the Office of the Director of National Intelligence. The assessment warned that China is capable of launching cyberattacks that could disrupt critical U.S. infrastructure. In the face of a possible conflict, China would not hesitate to conduct aggressive cyber operations against U.S. assets worldwide.

The victims of Volt Typhoon include smaller companies and organizations across various sectors. It is believed that these entities were opportunistically targeted in the hopes of gaining access to larger, more critical customers through their supply chains.

Chinese military officers have outlined the use of cyber tools and network…

Source…

Router botnet tied to Volt Typhoon’s critical infrastructure breaches

/in


Chinese threat group Volt Typhoon used a sophisticated botnet of unsecured home and small business routers to stealthily transfer data during a major campaign targeting U.S. critical infrastructure discovered earlier this year.

The group’s actions raised alarm in the intelligence community when they were first reported in May because of the breadth and potential impact of its attacks. Organizations across a range of sectors, including government, defense, communications, IT and utilities were targeted.

One victim was a critical infrastructure organization in the U.S. territory of Guam. There were fears the breach could be a precursor to an attack aimed at disrupting U.S. military capabilities in the nearby South China Sea.

KV-botnet comprised of end-of-life routers

In a Dec. 13 post, Lumen Technologies said following the discovery of the attacks, its Black Lotus Labs division discovered Volt Typhoon — and possibly other advanced persistent threat (APT) actors — had used a botnet as a data transfer network as part of its operations.

Dubbed KV-botnet, it was a network of mainly end-of-life infected small office/home office (SOHO) routers made by Cisco, DrayTek and Netgear.

“The KV-botnet features two distinct logical clusters, a complex infection process and a well-concealed command-and-control (C2) framework,” the researchers said. “The operators of this botnet meticulously implement tradecraft and obfuscation techniques.”

There were several advantages of building a botnet from older SOHO routers, they said, including the large number available, the lack of security measures and patching they were subjected to, and the significant data bandwidth they could handle without raising suspicion.

“Additionally, because these models are associated with home and small business users, it’s likely many targets lack the resources and expertise to monitor or detect malicious activity and perform forensics.”

In a separate statement, Lumen said KV-botnet had enabled Volt Typhoon to maintain secret communication channels that merged with normal network traffic, avoiding security barriers and firewalls.

“This botnet was essential for their strategic intelligence collection operations,…

Source…

Another Cyberattack on Critical Infrastructure and the Outlook on Cyberwarfare

/in


CyberAv3ngers, an Iranian Government Islamic Revolutionary Guard Corps (IRGC)-affiliated group, claimed credit for a Nov. 25 cyberattack on the Municipal Water Authority of Aliquippa in Pennsylvania. The threat group hacked a system with Israeli-owned parts at one of the water authority’s booster stations. The booster station was able to shut down the impacted system, which monitors water pressure, and switch to manual operations.

This cyberattack is one example among many of how critical infrastructure entities are being targeted by nation state and hacktivist threat actors. What was the impact of this CyberAv3ngers hack, and how will threat actors continue to pursue cyberwarfare?

The CyberAv3ngers Attack

CyberAv3ngers hacked a system known as Unitronics. During the attack, the following message appeared on the screen at the booster station:  “You Have Been Hacked. Down With Israel, Every Equipment ‘Made In Israel’ Is CyberAv3ngers Legal Target.”

The Cybersecurity and Infrastructure and Security Agency (CISA) released a cybersecurity advisory on IRGC-affiliated actors’ exploitation of programmable logic controllers (PLCs) in multiple sectors. Unitronics PLCs are commonly used in water and wastewater systems, according to the advisory. PLCs operate with a human machine interface (HMI). “A human can walk over and touch a keypad and tell it what to do. Empty this tank or fill this tank or pump this water to this location. And those things can be controlled remotely,” Adam Meyers, senior vice president of counter adversary operations at cybersecurity technology company CrowdStrike, explains.

Related:Massive Okta Breach: What CISOs Should Know

Meyers expects that the threat actors were likely scanning for a particular type of hardware. They were likely able to compromise the PLCs at the water authority booster station because they were exposed to the internet and using a default password, according to the CISA advisory. The station was able to switch to a manual system, and the water supply was not impacted.

CrowdStrike has been tracking CyberAv3ngers since July 2020. The group has claimed a number of breaches of critical infrastructure organizations. Some claims are unverified and…

Source…

What you need to know about Australia’s critical infrastructure reforms

/in


As the cyber threat landscape continues to evolve, the key message of the 2023-2030 Australian Cyber Security Strategy (Strategy) is clear: business cyber resilience is an urgent national priority.

The Strategy seeks to strike a balance been fostering close collaboration between government and industry but, at the same time, cracking down on businesses that are not cyber-ready. While certain legislative reforms have been proposed, including to the Security of Critical Infrastructure Act 2018 (SOCI Act), no economy-wide cyber laws have been proposed at this stage. Further industry consultation will be conducted prior to the introduction of substantive reforms.

Overview and implementation

On 22 November 2023, the Minister for Home Affairs and Cyber Security, the Hon Clare O’Neil MP, released the Strategy. The Government has an ambitious goal of making Australia ‘the most cyber secure nation by 2030’ by putting almost $600 million towards implementing six ‘Cyber Shields’:

  1. Strong businesses and citizens.
  2. Safe technology.
  3. World-class threat sharing and blocking.
  4. Protected critical infrastructure.
  5. Sovereign capabilities.
  6. Resilient region and global leadership.

The Strategy directly responds to Government concerns following significant data breaches that have occurred over the past 18 months, including gaps in regulations as well as a lack of industry reporting and consultation. Initial indications are that the Strategy is being well received by business and the broader cyber security community as a comprehensive response to the evolving threat landscape. The different layers of the Strategy deal with everything from protecting critical infrastructure and growing Australia’s skilled cyber security workforce to working with international partners and introducing new regulatory reforms with a focus on close collaboration between government and industry.

The Strategy will be implemented across three stages or ‘horizons’:

  • Horizon 1: The strengthening of foundations from 2023-2025.
  • Horizon 2: Scaling of cyber maturity across the whole economy from 2026-2028.
  • Horizon 3: Becoming a world leader in cyber security by 2030.

Core law reforms on new cyber obligations, streamlined…

Source…