Asia Pacific

In the evolving cyberwar, China aims to take down our critical infrastructure

FBI Director Christopher Wray testifies before the House of Representatives on January 31, 2024, about China’s cyber threat to the United  States. Today’s columnist, Ken Dunham of Qualys, explains how recent news about Volt Typhoon represents a change in strategy by China. (Photo by Kevin Dietsch/Getty Images)

In the shadowy realm of cyber warfare, a formidable force has emerged out of China: an advanced persistent threat (APT) group known as Volt Typhoon. The group's recent activities represent a concerning strategic shift from conventional espionage to preparing for disruption in the event of significant conflict or crisis.

When examining the nature of their attacks on U.S. soil and territories, the targeted verticals reveal a deliberate undermining of critical lifelines and infrastructure: communications, manufacturing, utilities, and transportation just for starters. So advanced are Volt Typhoon's techniques, tactics, and procedures (TTPs) that they have repeatedly breached defenses with startling ingenuity over the past five years.

The narrative becomes more chilling when we investigate past events. The 2003 Northeast blackout, previously explained by authorities as a cascade of “technical failures,” may harbor a more sinister subplot: a Chinese-deployed cyber worm, known as “Welchia,” potentially exacerbated or synchronized with the grid's turmoil. My team's discovery of this network threat in the early 2000s paints a portrait of a long-engaged Chinese cyber adversary capable of potent systemic disruption to critical U.S. infrastructure. 

This complex set of cyber intrusions also echoes the strategies employed during the 2008 Russia-Georgia conflict, where cyber-reconnaissance and attacks preceded boots on the ground, decimating Georgia’s critical infrastructure with Denial-of-Service (DoS) attacks as part of Russia’s military tactics. This significant moment in cyber warfare illustrated the devastation cyber adversaries can inflict on a nation’s critical infrastructure in tandem with conventional warfare tactics. 

How cyber risk management can help against Volt Typhoon

APT groups like Volt Typhoon are increasingly using living-off-the-land (LOTL) attacks. In response, the Cybersecurity and Infrastructure Security Agency (CISA) has recently outlined best practice recommendations for agencies and organizations to detect and address LOTL attacks. 

CISA advises implementing detailed logging and ensuring logs are stored in a centralized location with write-once, read-many capabilities to prevent attackers from modifying or erasing them. Additionally, establishing baselines of network, user, administrative and application activity, along with least privilege restrictions, is crucial for maintaining a robust defense against LOTL techniques. 

To mitigate these risks and strengthen their defenses, government agencies and organizations must also prioritize risk management frameworks. Regular audits, penetration testing, and adherence to risk management best practices are essential to ensuring the reasonable hardening of networks and systems. Moreover, the move towards a zero-trust architecture has become imperative, as it represents an important strategic shift in how access to IT resources gets granted and monitored just-in-time (JIT) when required by authorized individuals.

Security extends beyond design and setup: it includes ongoing maintenance and swift response to threats. Our recent 2023 Qualys TruRisk Research Report found that vulnerabilities take on average over 30 days to patch, with attackers often weaponizing them within a shorter time frame (19.5 days). This delay creates opportunities for nation-state actors such as China to cause damage and disruption. Therefore, it's crucial for government and private sector security teams to proactively manage patches using risk prioritization, focusing on the most critical assets with the greatest attack risk first, to de-risk agencies and organizations effectively.

Operational security can protect critical infrastructure

Embracing comprehensive security frameworks like the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework and the Department of Defense's (DoD) Cybersecurity Maturity Model Certification (CMMC) program can offer systematic guidance for defense enhancement.

NIST’s Special Publication 800-53 offers a comprehensive set of 160 security controls that delve into implementing risk management techniques. This publication is particularly beneficial for federal agencies and organizations that require compliance with the Federal Information Security Management Act (FISMA). 

However, when it comes to third-party contractors working with the Defense Department, the CMMC sets the standard. Built upon the foundation of NIST guidelines, CMMC incorporates processes that ensure operational security is not just a policy but a practice. 

These processes are essential in critical U.S. infrastructure and operational technology fields, where the CMMC's guidelines cover tactical, strategic, and operational needs, thereby enhancing the protection of sensitive, unclassified information shared with contractors and subcontractors.

We can’t understate the urgency for improved security measures; risk management must become a foundational element of strategic cybersecurity planning for government agencies and the private sector. Taking decisive steps towards bolstering our nation's defenses and embracing a proactive security culture within government and other organizations ensure that we can protect our critical infrastructure. Let’s start by first acknowledging the severity of the threat – and doing something about it.

Ken Dunham, director, cyber threats, Qualys Threat Research Unit

Ken Dunham

Ken Dunham has over 30 years of global cyber leadership, including executive leadership in a leading Americas security company, and key involvement in two top-rated startups. He was one of the pioneers of the responsible disclosure process used by Microsoft and others for vulnerability management today, as well as modern day cyber threat intelligence (CTI), and responsible for extensive incident response and counterintelligence within F100 and other organizations around the world. Mr. Dunham also innovated groundbreaking training programs integrating new forms of technology and training for the USAF for the U2 spy plane, warthog, and creation of the Predator drone program. Mr. Dunham is the author of eight books, a top-rated website, and the top downloaded antivirus program. His eighth book will be published in Q4 2024 for Cyber CISO leaders. He is a recognized global leader within ISSA as an International Distinguished Fellow, authoring multiple books and the ISSA international article of the year, “Troubling Trends of Espionage,” 2015.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds