For weeks we’ve been reading report after report describing the continuing efforts by China and Russia to target, infiltrate, gain access to and, in some cases, plant malware on vulnerable U.S. critical infrastructure networks and communication systems. The malware the hackers planted is assumed to be intended for disruptive cyberattacks in the event of a major conflict with the U.S.
The severity and critical nature of these attacks has been largely ignored by the two presidential candidates, being overshadowed by other inflammatory issues.
This may prove to be an enormous misstep.
While the FBI and CISA work to investigate and mitigate the impact of the known intrusions, the unknown intrusions should be extremely concerning. Here’s what we do know.
Flax, Volt and Salt
The first Chinese state-sponsored attacks have been focused on compromising hundreds of thousands of routers and “Internet of Things” devices (like cameras, video recorders and storage devices). Once compromised, the devices were used by the attackers to form a “botnet” that scans for still more devices to take over. This group is known as Flax Typhoon.
The majority of the devices Flax Typhoon targeted have aged beyond their end-of-life dates, making them more vulnerable to intrusion. Even though the devices may still be supported by vendors, administrators and end-users often fail to keep up with the software and security patches needed to prevent infiltration.
Based on reporting from Cyberscoop, “researchers with Black Lotus Labs detailed a series of campaigns carried out by the botnet — which they call Raptor Train — over the past four years, including those that targeted military, government, telecommunications and defense industry entities in the U.S. and Taiwan.”
Using an application called “Sparrow”, the attackers have the ability to scale the exploitation of the botnet. This means that once the attackers have taken over a device, they can remotely access it, upload and download data, and actually run commands on the device remotely.
Aside from the “normal” espionage and IP theft, U.S. officials report that similar Chinese hacking operations have penetrated some of the most sensitive critical infrastructure that holds little to no military value. This is the true cause for concern.
Volt Typhoon’s activity was primarily targeting privately-owned, small office/home office (SOHO) routers (such as Netgear) that are either at end of life, not regularly updated, or located in remote or hard-to-reach sites that are difficult to monitor and update.
If you have internet at home, you likely have a router. Whether it’s part of your internet provider’s equipment package or a self-purchased WiFi router, these devices are prime targets. Many owners believe their devices are “set it and forget it,” rarely making updates to the firmware/software, let alone changing the default admin login credentials. You can easily Google “Netgear router login password” and find the default credentials for Netgear routers.
There are potentially millions of devices fitting this description, with the number of known compromised devices in the hundreds of thousands. What does this mean?
If you aren’t keeping your internet devices updated with the latest software and security patches, someone, somewhere may be monitoring the activity on your Ring doorbell.
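The three risk factors the preceding paragraphs describe (hardware past its end-of-life date, firmware that has fallen behind the vendor's latest release, and admin credentials never changed from the factory default) are exactly what a small office should be inventorying. The script below is an added example, not code from the original article or from any vendor or agency; the device records, model names and field layout are constructed for illustration, and the remediation text is an assumption about what a sensible triage would say.

```python
"""Audit a small-office device inventory for the risk factors named in the
article: end-of-life hardware, stale firmware, and unchanged default admin
credentials. Added example; the inventory records and field names below are
constructed and do not follow any vendor's or agency's format."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Device:
    name: str
    model: str
    firmware: str               # version currently running on the device
    latest_firmware: str        # newest version the vendor has published
    eol: Optional[date]         # vendor end-of-life date, or None if not announced
    default_admin_creds: bool   # True if the factory admin login was never changed


def version_tuple(v: str) -> tuple:
    """Turn '1.0.4.120' into (1, 0, 4, 120) so versions compare numerically,
    not as strings ('1.0.10' must sort after '1.0.9')."""
    return tuple(int(part) for part in v.split("."))


def findings(dev: Device, today: date) -> list:
    """Return the risk findings for one device, most urgent first.
    An end-of-life device is listed first because no patch will ever fix it;
    default credentials come next because they need no exploit at all."""
    out = []
    if dev.eol is not None and dev.eol <= today:
        out.append("END_OF_LIFE: vendor no longer ships security patches; replace the device")
    if dev.default_admin_creds:
        out.append("DEFAULT_CREDENTIALS: change the admin password now")
    if version_tuple(dev.firmware) < version_tuple(dev.latest_firmware):
        out.append(f"STALE_FIRMWARE: running {dev.firmware}, vendor offers {dev.latest_firmware}")
    return out


def audit(inventory: list, today: date) -> dict:
    """Map device name -> findings, listing only devices that need action."""
    report = {}
    for dev in inventory:
        f = findings(dev, today)
        if f:
            report[dev.name] = f
    return report


# Constructed sample inventory (model names and versions are made up).
SAMPLE_INVENTORY = [
    Device("office-router", "SOHO-RT-1 (constructed)", "1.0.4.100", "1.0.4.120",
           date(2022, 6, 30), default_admin_creds=True),
    Device("lobby-camera", "IPCAM-X (constructed)", "2.3.1", "2.3.1",
           None, default_admin_creds=True),
    Device("backup-nas", "NAS-200 (constructed)", "5.1.0", "5.1.0",
           date(2030, 1, 1), default_admin_creds=False),
]

if __name__ == "__main__":
    for name, items in audit(SAMPLE_INVENTORY, date(2024, 11, 1)).items():
        print(name)
        for item in items:
            print("  -", item)
```

Run as-is it reports the router (all three findings) and the camera (default credentials only), and says nothing about the NAS. The point of ordering the findings is triage: an end-of-life router cannot be fixed by patching, so it belongs at the top of a replacement budget rather than a patch queue.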
Finally, Salt Typhoon. Perhaps one of the more audacious breaches in history targeted a very sensitive, yet lucrative, source of information: cellular and internet providers. The Chinese team, Salt Typhoon, gained access to internet titans like AT&T and Verizon; there is some consensus among security professionals that the attackers knew there was a pot of gold to be found -- access to the systems that the FBI uses for court-authorized network wiretapping requests.
In other words, they wiretapped the wiretappers.
What’s remarkable about this breach is the specific targeting of these systems. Salt Typhoon’s methods are very different from those of Flax or Volt Typhoon. While the latter took a shotgun approach, Salt Typhoon had a highly specific target. They are crafty, cunning, and seem to understand the inner workings of U.S. government operations.
What’s not so remarkable? The amount of time they were in these systems. Forensic teams believe the attackers were in these systems for months without detection. This means Salt Typhoon was able to gather intelligence on U.S. law enforcement operations, day-to-day conversations of U.S. citizens, and possibly even install Trojan Horses that could disable communication systems.
There is a failure somewhere.
Sysadmins, CISOs, and network engineers need to be more diligent in their administration, management and maintenance of these systems.
That’s easy to say, but harder to implement. These people are intelligent, hard-working, and want to ensure their systems are secure. No one cares more than these folks about preventing a breach. The problem is time. Managing day-to-day operations, putting out fires, managing projects with limited resources — the list goes on. Burnout is common in these roles, and stress levels are high.
However, there’s another failure that needs addressing.
Let me give you an example. We’ve been called in to rescue a number of businesses hit by ransomware. In almost all cases, the networks, systems, and policies were not designed with security in mind. Some of the businesses just pieced together what was needed to get themselves online, with no regard for cyber hygiene. Other businesses may have had an awareness of cyber security, but didn't know what to do first, so it wasn't prioritized. And finally, a few businesses did care about security, but implemented only a "101" version of hardening.
Different reasons for their collective predicaments. However, all of the businesses seemed oddly complacent. This complacency could stem from how the old internet worked. Prior to the late 2010s, owners and C-levels heard stories about breaches occurring at other companies, and the threats were mostly viruses spread via email (not state-sponsored cyber attacks).
In all fairness, during that time period, hacks that actually disrupted business operations were fairly uncommon (hacks that disrupted critical infrastructure were unheard of). Of course, you can't blame the leadership in those businesses who didn’t see the urgency or importance for budgeting for cyber security. Regardless of today's current headlines, it's not surprising that this mindset still exists.
It's because it rarely gets challenged.
Critical infrastructure is critical.
Up until the 21st century, U.S. critical infrastructure was fairly isolated from foreign threats. Access required being physically onsite, and security meant fences, gated access, and CCTV. These measures made sense then — and still do.
Physical security is tangible, making it quantifiable and budgetable. You can see the barbed wire and guard shacks. For centuries, protecting the castle with moats and battlements was common sense. But that was before the internet.
Even the best protected infrastructure can now be infiltrated. The internet is one giant door to the world. It has given us the ability to chat with people who live on the other side of the world using social media. It has also given attackers a similar ability to attack internet-connected devices anywhere in the world.
Trans-national internet connectivity isn’t breaking news; it was one of the great promises of the internet. Yet ransomware and hacking still catch people by surprise (please don’t be one of those people who thinks, “There’s no way anyone would bother with my business” — sadly, you’re wrong). Any critical infrastructure connected to the internet should be fortified. Any business with an internet-connected computer network should have basic security measures in place.
Yes, the Cybersecurity Maturity Model Certification (CMMC) is a step forward. The CMMC is intended to ensure that the systems United States Department of Defense contractors use to process, transmit or store sensitive data comply with mandatory IT security requirements. However, it is now 2024 (almost ’25) and compliance is still in its implementation phase. It seems that we are playing catchup. Were there no red flags to warn us that adversaries could infiltrate and shut down our most important systems?
Stuxnet, a brave new world.
In 2010, when it was discovered that the CIA released Stuxnet (a malware program designed to damage critical infrastructure to cripple Iran’s nuclear program), it opened a Pandora’s Box.
The US instigated a cyber-attack. Suddenly the seal was broken.
Adversaries took notice and thought, “If the US can do it, we can too”.
Looking back at the moment of Stuxnet’s inception, should there have been a parallel program to harden critical infrastructure within the United States? Hindsight may be 20/20, however everyone involved with the development of the malware program knew what it meant. We better be prepared for blowback.
By taking close to 20 years to start addressing the risk exposure in our critical infrastructure and communication systems, we let the fox into the hen house.
We live in a new world where security must take precedence over convenience. Yes, two-factor authentication is a pain. Yes, changing your password is a hassle. Yes, using an alphanumeric password of at least eight characters is inconvenient. Yes, budgeting the Capex to build a secure environment means a vanity project gets put on hold. But these are pains of convenience. Take an aspirin and move on.
In many cases, there is no recovery from security breaches. Ransomware attacks have caused many businesses to close their doors. Imagine if a power plant or the water supply for a major metropolitan area were crippled. What if multiple water supplies were attacked across the country?
In that scenario, an aspirin won’t help. It would require an ambulance trip to the ER for open-heart surgery. If that happens, let’s hope the patient learns the lesson — start taking care of your house.