Imagine a world where an adversary could place bombs across the critical infrastructure of the United States without them being detected and then blow them up at a time of their choosing to create maximum economic and societal destruction and distraction.

A dream scenario for an adversary, but a nightmare for the United States, and yet this is what Chinese state-sponsored cyber security attackers, Volt Typhoon, have almost certainly achieved.

Federal cybersecurity professionals and their industry partners have been retaking control of hundreds of internet-accessible small office/home office routers across the U.S. that had been used by Volt Typhoon to conceal the People’s Republic of China origin of further reconnaissance and espionage activities directed against the U.S. It is suspected that hundreds more may remain undetected and under Volt Typhoon’s control.

On January 31, 2024, Congressional Chinese Communist Party Committee Chair Mike Gallagher stated it is “the cyberspace equivalent of placing bombs on American bridges, water treatment facilities, and power plants…. The sole purpose is to be ready to destroy American infrastructure, which will inevitably result in mass American casualties.”

Whether Volt Typhoon attackers gained access to these critical infrastructure networks by exploiting edge network devices or through insider threat, their aim was to move across the IT network undetected to gain information on and access to critical, often operational technology, network segments and ultimately put in place their cyber “bombs” for future use.

Routers are chosen for two reasons. First, routers connect networks to the internet and also connect and control traffic between internal network segments, so they offer both an entry point and a means of moving around the network undetected. Second, and critically, routers are often overlooked and not checked as frequently as edge firewalls, which means they are more likely to retain the vulnerabilities that make exploitation easier.

There is a further reason why these critical infrastructure networks can be vulnerable. Developed over decades, they have grown relentlessly in scale and complexity, fueled recently by COVID-driven remote working. As a result, today’s security teams will not necessarily know what devices are on the network they are trying to protect, where those devices are, or what state they are in. It can therefore seem an impossible task to manage operational security across the network, let alone keep pace with developing threats.

This in turn leads to a focus on, or a hope that, protecting the perimeter through firewalls and endpoint protection solutions will be enough. The lack of capability and tools to find, assess and keep secure the routers and switches across the network worsens this situation.

Reducing the attack surface

The fundamental first step is for organizations not to rely on protecting just the perimeter and endpoints, but to proactively and continually check all changes to routers and other devices on the network. For those already conducting these audits, the need is to move away from the risks inherent in occasional audits and in auditing based on just a sample of devices. All of this should be done using the latest software vulnerability information from trusted sources such as the U.S. National Institute of Standards and Technology’s National Vulnerability Database (NVD).

These vulnerability lists are extremely valuable, but not sufficient on their own. The complexity of modern routers means errors can be made when updating their configurations, and these misconfigurations are the very weaknesses that attackers like Volt Typhoon actively seek. This is why the Department of Defense’s Defense Information Systems Agency (DISA), together with organizations such as the Center for Internet Security (CIS), produces configuration management benchmarks that federal organizations use to “harden” their routers, switches and firewalls, as well as endpoints.

Zero Trust

A critical third step is to understand the importance of Zero Trust network segmentation and attack surface management security for controlling the proliferation of threats – an approach which, for example, would have helped prevent the spreading ransomware impact experienced by Colonial Pipeline when attacked. Such dividing up of a network enables the rapid quarantining of an infected segment of a network if Advanced Persistent Threats (APTs) or ransomware have found a point of entry.

U.S. government experts recognize the critical role routers play in effective segmentation, and that the FBI is “outgunned” by at least 50:1 in terms of personnel compared to the PRC. To help right this drastic imbalance, they need accurate, enterprise-wide vulnerability and configuration management (VM/CM) visibility for routers, as well as firewalls and switches, to continually minimize the attack surface available to threats from APTs and ransomware.

Another way to effectively minimize the attack surface and maintain operational resilience of critical network segments, as advocated by U.S. Cyber Command’s cornerstone Cyber Operational Readiness Assessment (CORA), is to prioritize the remediation of software vulnerabilities and misconfigurations by their exposure to MITRE ATT&CK Tactics, Techniques and Procedures (TTPs).
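The continuous configuration auditing and benchmark-style hardening checks described under “Reducing the attack surface”, together with the TTP-based prioritization described above, can be illustrated in one small script. The following is an added example and is not code from the article, from Titania, or from DISA, CIS or CORA: it diffs two constructed IOS-style router config snapshots to detect drift since the last audit, runs a handful of illustrative hardening checks (the checks are simplified stand-ins, not the published benchmarks), and ranks the findings by the ATT&CK techniques they expose. The technique mapping and the weights are assumptions made for the example.

```python
"""Added example: router config drift detection, illustrative hardening checks,
and ranking of findings by assumed ATT&CK technique exposure."""
import re
from collections import Counter

# Constructed sample: the "golden" snapshot recorded at the last audit.
BASELINE = """\
hostname edge-rtr-01
service password-encryption
no ip http server
snmp-server community s3cr3t-ro RO
line vty 0 4
 transport input ssh
 exec-timeout 10 0
"""

# Constructed sample: today's snapshot, in which several settings have drifted.
CURRENT = """\
hostname edge-rtr-01
no service password-encryption
ip http server
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
 exec-timeout 0 0
"""

# Illustrative checks (assumed, simplified): check id, regex on a normalized
# config line, finding text, and the ATT&CK techniques the weakness exposes.
CHECKS = [
    ("PWD-ENC", r"^no service password-encryption$",
     "Local passwords stored in cleartext", ["T1552.001"]),
    ("VTY-TELNET", r"^transport input .*\btelnet\b",
     "Telnet accepted on management lines", ["T1040", "T1021"]),
    ("SNMP-DEFAULT", r"^snmp-server community (public|private)\b",
     "Default SNMP community string", ["T1602.001"]),
    ("HTTP-MGMT", r"^ip http server$",
     "Cleartext HTTP management enabled", ["T1040"]),
    ("VTY-NO-TIMEOUT", r"^exec-timeout 0 0$",
     "Management sessions never time out", ["T1078"]),
]

# Assumed weights: how much each technique should raise a finding's priority.
TECHNIQUE_WEIGHT = {"T1040": 3, "T1021": 2, "T1552.001": 3, "T1602.001": 2, "T1078": 2}


def normalize(config):
    """Strip indentation, blank lines and '!' separators so snapshots compare line by line."""
    lines = (ln.strip() for ln in config.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("!")]


def config_drift(baseline, current):
    """Lines that appeared or disappeared since the last audited snapshot."""
    old, new = normalize(baseline), normalize(current)
    old_set, new_set = set(old), set(new)
    return {"added": [ln for ln in new if ln not in old_set],
            "removed": [ln for ln in old if ln not in new_set]}


def hardening_findings(config):
    """Run every illustrative check over the normalized config and collect hits."""
    findings = []
    for line in normalize(config):
        for check_id, pattern, text, techniques in CHECKS:
            if re.match(pattern, line):
                findings.append({"check": check_id, "line": line,
                                 "finding": text, "techniques": techniques})
    return findings


def exposure_score(finding):
    """Sum of assumed weights for the techniques a single finding exposes."""
    return sum(TECHNIQUE_WEIGHT.get(t, 1) for t in finding["techniques"])


def prioritize(findings):
    """Highest-exposure findings first; ties keep their original order (stable sort)."""
    return sorted(findings, key=lambda f: -exposure_score(f))


def technique_exposure(findings):
    """How many findings on this device expose each technique."""
    return Counter(t for f in findings for t in f["techniques"])


def audit(baseline, current):
    """One audit cycle: drift since baseline, ranked findings, per-technique exposure."""
    findings = hardening_findings(current)
    return {"drift": config_drift(baseline, current),
            "findings": prioritize(findings),
            "exposure": technique_exposure(findings)}


if __name__ == "__main__":
    report = audit(BASELINE, CURRENT)
    print("Drift since last audit:")
    for line in report["drift"]["added"]:
        print("  +", line)
    for line in report["drift"]["removed"]:
        print("  -", line)
    print("Findings, highest exposure first:")
    for f in report["findings"]:
        print(f"  [{exposure_score(f)}] {f['check']}: {f['finding']} ({', '.join(f['techniques'])})")
    print("Technique exposure:", dict(report["exposure"]))
```

Run the script as-is and the telnet finding ranks first because it exposes two techniques; the baseline snapshot produces no findings, which is the property a continuous audit should preserve between cycles. In practice the snapshots would be pulled from every device on a schedule rather than sampled, and the drift output is what flags an unexpected change for the NOC or SOC to investigate.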

Proactive enterprise-wide VM/CM solutions that also deliver ATT&CK TTP exposure visibility and incident response forensics are therefore key to addressing the Volt Typhoon visibility gap and ensuring:

— Network and Security Operations (NOC and SOC) teams effectively “identify and disarm existing bombs on critical infrastructure”;

— Threat hunting teams can remove existing Volt Typhoon “bombs” completely; and

— NOC and SOC teams can identify, remediate and respond in near real-time to “new or re-planted and armed bombs” – keeping U.S. critical infrastructure operational and secure.

Phil Lewis is SVP Global Enterprise Business Development at Titania.
