
Defending US Critical Infrastructure

US infrastructure across the energy, communications, transportation, waste, and water sectors is increasingly exposed to cyberattacks. This follows from both the growing sophistication of threat actors and the integration of new technologies into these systems: historically, infrastructure was isolated and largely unconnected, and digitization has made it more efficient but also more reachable. Reports consistently show a significant increase in the frequency and complexity of attacks (e.g. +140% in 2022). Adversaries, above all state actors such as China, have developed capabilities including custom malware, ransomware, and social engineering tailored to the weaknesses of these systems. And these operations are designed not just for sudden disruption, but for IP theft, espionage, and long-term access to be used in future attacks. Some of the most notable examples in recent history include:

  1. Ukrainian Power Grid Attack (2015): hackers, believed to be Russian, successfully infiltrated Ukraine’s power grid, causing widespread power outages.
  2. SolarWinds Hack (2020): a sophisticated supply chain attack, believed to be carried out by Russian hackers, compromised the SolarWinds Orion software. This breach affected numerous U.S. government agencies and thousands of private sector companies.
  3. Colonial Pipeline Ransomware Attack (2021): The Colonial Pipeline supplies nearly half the fuel consumed on the East Coast. This attack, attributed to a criminal group, led to major fuel supply disruptions.
  4. Chinese espionage and IP theft (ongoing): China has been implicated in various incidents involving espionage and intellectual property theft, targeting US companies and infrastructure. These operations often use sophisticated malware and social engineering to infiltrate networks, aiming for long-term access and data exfiltration.
  5. Ransomware attacks on hospital systems (ongoing): we’ve written about this previously – there has been an increase in ransomware attacks targeting hospitals and healthcare systems, severely disrupting services.

This week, the Cybersecurity & Infrastructure Security Agency (CISA) released an advisory warning that a wave of attacks is on the horizon and has been in the works for some time:

The People’s Republic of China (PRC) state-sponsored cyber actors are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States… Volt Typhoon has compromised the IT environments of multiple critical infrastructure organizations—primarily in Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors

The Volt Typhoon cyber espionage campaign, linked to the Chinese government (the group is also tracked as Vanguard Panda), has emerged as a critical threat. First publicly reported in May 2023, the campaign has methodically targeted vital US infrastructure sectors, including telecommunications and transportation, suggesting a broader strategy that could be activated in times of geopolitical tension. Volt Typhoon’s primary aim is to clandestinely gather intelligence on American critical infrastructure and military capability, which has also raised concerns over future attacks on these essential services. The group has used a number of notable techniques, such as a botnet of compromised small office/home office (SOHO) routers located within the US, controlled through the “KV Botnet” malware. Routing operations through this network of infected routers obscured the trail back to the campaign’s intrusions into US and international critical infrastructure. Its tactics, including the abuse of legitimate system tools and valid accounts, have made it particularly hard to detect and remove. Law enforcement, including the DOJ and the FBI, intervened in December 2023, purging the malware from the affected routers and implementing measures to prevent reinfection. Notably, the compromised routers were predominantly end-of-life models from Cisco and Netgear that no longer receive security updates. LOTL (living off the land) techniques have become a trademark of Volt Typhoon:

Living off the land (LOTL) techniques are a hallmark of Volt Typhoon actors’ malicious cyber activity when targeting critical infrastructure. The group also relies on valid accounts and leverages strong operational security, which, combined, allows for long-term undiscovered persistence. In fact, the U.S. authoring agencies have recently observed indications of Volt Typhoon actors maintaining access and footholds within some victim IT environments for at least five years.

The group has been observed initiating intrusions through specific internet-facing devices. Last year it exploited vulnerabilities in internet-facing Fortinet appliances to gain a foothold, then used that access to move deeper into the network. A key focus is the theft of credentials, a common technique. For example, Volt Typhoon dumps the memory of the Windows Local Security Authority Subsystem Service (LSASS) and copies the Active Directory database from domain controllers (typically via a volume shadow copy or an ntdsutil installation-media export) so that password hashes can be extracted and cracked offline. Beyond credentials, the group gathers data about the network and connected systems, including data from web browsers, and stages it in password-protected archives for exfiltration, using tools already present on the host. To maintain control over compromised systems it establishes command-and-control channels using custom builds of open-source tools, allowing it to commandeer these systems remotely. To conceal its activity it routes this traffic through the compromised SOHO routers described above, making its actions difficult to trace back to the operators. Throughout, the group blends into the target environment by relying on tools and commands native to the victim’s systems, including proxy utilities, rather than dropping conventional malware that endpoint signatures would catch.
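Every step above is carried out with binaries that already ship with Windows, which is why it slips past signature-based controls and why the practical defense is to watch for the chain rather than any single command. As an added example (not code from this post, from CISA, or from Microsoft), here is a small Python detector that runs a handful of LOTL rules over constructed process-creation records and raises severity only when several distinct techniques fire on one host inside a time window. The key=value log layout, host names, account names and timestamps are assumptions made for the example; the command patterns follow publicly documented Volt Typhoon tradecraft (ntdsutil IFM export of the AD database, volume shadow copies, LSASS dumps through comsvcs.dll, netsh portproxy pivots).

```python
"""Living-off-the-land (LOTL) detection over Windows process-creation records.

Added example for this post; not code from the post, CISA or Microsoft.
The log layout, host names, account names and timestamps below are
constructed. The command patterns follow publicly documented Volt Typhoon
tradecraft (ntdsutil IFM export of the AD database, volume shadow copies,
LSASS dumps via comsvcs.dll, netsh portproxy pivots).
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample records in a simplified key=value layout (in practice
# these would come from Security event 4688 or Sysmon event 1 via a SIEM).
SAMPLE_LOG = r"""
2024-02-08T03:12:41Z host=DC01 user=CORP\svc_backup cmd=vssadmin create shadow /for=C:
2024-02-08T03:12:55Z host=DC01 user=CORP\svc_backup cmd=cmd.exe /c ntdsutil "ac i ntds" "ifm" "create full C:\Windows\Temp\pro" q q
2024-02-08T09:01:03Z host=FS02 user=CORP\svc_backup cmd=vssadmin create shadow /for=D:
2024-02-08T11:40:10Z host=WS-117 user=CORP\jdoe cmd=rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 712 C:\Windows\Temp\l.dmp full
2024-02-08T11:47:19Z host=WS-117 user=CORP\jdoe cmd=netsh interface portproxy add v4tov4 listenport=9999 listenaddress=0.0.0.0 connectport=8443 connectaddress=10.20.30.40
2024-02-08T11:50:02Z host=WS-117 user=CORP\jdoe cmd=notepad.exe C:\Users\jdoe\notes.txt
"""
SAMPLE_EVENTS = SAMPLE_LOG.strip().splitlines()

EVENT_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")


@dataclass(frozen=True)
class Rule:
    name: str
    description: str
    pattern: re.Pattern  # applied to the lowercased command line


RULES = [
    Rule("ntds_ifm_dump", "AD database (ntds.dit) copied via ntdsutil IFM export",
         re.compile(r"\bntdsutil\b.*\bifm\b")),
    Rule("vss_shadow_copy", "volume shadow copy created (used to read locked ntds.dit/SAM)",
         re.compile(r"\bvssadmin\b.*\bcreate\s+shadow\b")),
    Rule("lsass_minidump", "LSASS memory dumped through comsvcs.dll MiniDump",
         re.compile(r"\brundll32(\.exe)?\b.*\bcomsvcs\.dll\b.*\bminidump\b")),
    Rule("netsh_portproxy", "netsh portproxy listener added (internal pivot/proxy)",
         re.compile(r"\bnetsh\b.*\bportproxy\b.*\badd\b")),
]


def parse_event(line):
    """Parse one record into a dict with a datetime 'ts'; raise on malformed input."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def match_rules(cmd):
    """Return every rule whose pattern matches the command line (case-insensitive)."""
    lowered = cmd.lower()
    return [r for r in RULES if r.pattern.search(lowered)]


def analyze(lines, window=timedelta(minutes=30)):
    """One alert per (host, user) that tripped any rule.

    Each of these commands is legitimate on its own (backup jobs run vssadmin
    and ntdsutil every night), so a single hit is only 'medium'. Two or more
    distinct rules on the same host within `window` is the chain an operator
    produces, and is rated 'high'.
    """
    hits = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        for rule in match_rules(ev["cmd"]):
            hits[(ev["host"], ev["user"])].append((ev["ts"], rule.name))

    alerts = []
    for (host, user), entries in hits.items():
        entries.sort()
        max_distinct = 0
        for t0, _ in entries:  # sliding window anchored at each hit
            names = {name for t, name in entries if t0 <= t <= t0 + window}
            max_distinct = max(max_distinct, len(names))
        alerts.append({
            "host": host,
            "user": user,
            "rules": sorted({name for _, name in entries}),
            "severity": "high" if max_distinct >= 2 else "medium",
        })
    return sorted(alerts, key=lambda a: (a["host"], a["user"]))


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(f"{alert['severity']:6} {alert['host']:7} {alert['user']:17} {', '.join(alert['rules'])}")
```

Run as-is, the domain controller (shadow copy followed by an IFM export seconds later) and the workstation (LSASS dump followed by a port proxy) come out high, while the lone shadow copy on the file server stays medium, which is where a baseline of what the backup account normally does decides whether to suppress it. Note that the user field is deliberately not a signal: Volt Typhoon uses valid accounts, so a service account performing these actions is exactly what the detection has to be able to see.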

These attacks are not going away, especially amid the long list of geopolitical tensions brewing across the globe which we have discussed several times. Defending companies against threats like Volt Typhoon will require numerous advanced software capabilities, and critical infrastructure providers will need to adapt their defenses alongside them. Many of these areas have continued to develop over the past several years and are hardly “emerging” given how many entrants there now are. We’ve met with many, but are still seeing new product innovation, especially leveraging the latest in AI/ML, and companies are taking these threats much more seriously than they were years ago. One caveat applies across every category below: because Volt Typhoon operates with valid accounts and tools already present on the host, controls that only match known-bad signatures see nothing, and the value lies in baselining what normal administrative activity looks like so that the same native tools used out of pattern stand out. One key area is advanced threat detection (many companies have emerged in this space), which leverages AI/ML to identify unusual patterns and emerging threats in real time. Connected to this is the need for firewalls and intrusion prevention systems that adapt to new threats by automatically updating their rules and filters from the latest threat intelligence. Further strengthening the chain are robust endpoint protection solutions, which guard against the various forms of malware and extend coverage to all devices, including mobile and IoT devices, which are often the most exposed. Sophisticated network traffic analysis tools go deeper into network activity, applying AI to scrutinize patterns and flag irregularities that might indicate a breach. Identity and Access Management (IAM) solutions go beyond traditional measures by incorporating features like biometrics and behavioral analytics, limiting access to authorized personnel and making a stolen password alone insufficient. In parallel, protecting data both at rest and in transit remains paramount.

In the broader context of organizational security, Security Information and Event Management (SIEM) systems play a pivotal role, analyzing data from sources across the organization to build a comprehensive picture of its security posture; for LOTL activity in particular, correlating individually benign events across hosts and time is what turns noise into a detection. This holistic view is crucial for a timely response to security incidents. The human factor also remains a major soft spot for attackers, hence the importance of phishing detection and training tools. Lastly, we’ve been seeing opportunities emerge to address what happens when an incident does occur, because facilities like water treatment plants have very little margin to pause operations. New types of failover systems will be essential to ensure continuous operations during both unplanned and planned downtime.

As mentioned above, this domain has seen a rush of entrants over the past several years. What has changed, however, are new capabilities built on rapidly improving AI and a growing appetite among organizations large and small to upgrade their security infrastructure. We are very interested in founders building capabilities that proactively adapt to, and act on, the evolving threat landscape described above, and this is where we see AI delivering significant upside over existing capabilities, for example through AI security agents. In automated incident response, new products are coming to market to streamline decision-making, such as initiating containment quickly to limit impact. And as adversaries also adopt AI, adversarial ML, the study of how models are manipulated and how to harden them, becomes essential to understanding and countering AI-driven attacks. Additionally, Zero Trust Architecture, which has been around for many years, has seen a surge in adoption, with 55% of organizations having a zero-trust initiative in place as of ’22 vs. 24% in ’21.

Escalating cyber threats against US infrastructure underscore the urgency of a multifaceted approach to cybersecurity, together with updated data infrastructure to handle incidents when they do occur. These attacks will continue, and staying ahead of the latest techniques will only become more challenging for cybersecurity teams, data infrastructure providers, and government agencies. The future of US infrastructure security hinges on companies’ ability to proactively defend their systems, with the help of novel products from the areas outlined above.
