Volt Typhoon: Keep Calm and Carry On
PLUS: VPNs Sliced in Cyber Knife Fight
Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Thinkst.
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.
The US is grappling with Chinese cyber actors who appear to be building the capability to disrupt critical infrastructure during a potential military conflict.
In late-breaking news, the US agencies responsible for cyber security and critical infrastructure have released an advisory about the group known as Volt Typhoon.
The advisory states [emphasis added]:
The U.S. authoring agencies have confirmed that Volt Typhoon has compromised the IT environments of multiple critical infrastructure organisations—primarily in Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors—in the continental and non-continental United States and its territories, including Guam. Volt Typhoon’s choice of targets and pattern of behaviour is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions. The U.S. authoring agencies are concerned about the potential for these actors to use their network access for disruptive effects in the event of potential geopolitical tensions and/or military conflicts.
Volt Typhoon was a major topic of discussion at a US House Committee hearing last week.
CISA director Jen Easterly told the hearing "we've seen Chinese cyber actors, including those known as Volt Typhoon, burrowing deep into our critical infrastructure to enable destructive attacks in the event of a major crisis or conflict".
She emphasised that this threat was "not theoretical" and that "CISA teams have found and eradicated Chinese intrusions in multiple critical infrastructure sectors, including aviation, water, energy, [and] transportation".
Easterly described these confirmed discoveries as "likely just the tip of the iceberg".
The US government has already started taking practical steps to deal with the threat. On 31 January, the day before the hearing, the US Department of Justice announced it had disrupted what is known as the 'KV botnet'. This botnet, which we wrote about last month, comprises end-of-life small office/home office (SOHO) routers and was being used by Volt Typhoon for command and control.
This operation was limited to the US-based parts of the botnet, and the Justice Department's press release also states its actions were "temporary in nature". An owner restarting a router would make it vulnerable to reinfection.
But despite these limitations, this operation—coupled with private sector action—appears to have had a real impact. Lumen Technologies also sinkholed the IP addresses used by the KV botnet's infrastructure, and the company's Black Lotus Labs thinks that the KV portion of the botnet is "no longer effectively active". (The botnet has two clusters, 'KV' and 'JDY': the JDY cluster is degraded but still operating.)
Beyond disrupting this botnet, there are, at least in theory, many actions an organisation like Cyber Command could take in response to PRC groups targeting US critical infrastructure. These could include compromising Volt Typhoon itself; targeting Chinese military systems for potential disruption; or even responding in kind by compromising Chinese critical infrastructure to be able to disrupt it in a time of crisis.
Dr Michael Mazarr, a deterrence expert at RAND, told Seriously Risky Business that, if you intended to deter the PRC, these types of cyber operations were subject to a "reveal/conceal dynamic".
The question here, he said, was "you may have a certain capability, but when do you let them [the PRC] know that you have that capability?"
"You'd want them to know to deter them, but obviously in the cyber realm, by conveying certain things, you tip them off so they go looking for it and now you don't have it [that capability] anymore."
"So that's just a constant dilemma."
Many of the options we've listed would seem to be useful should conflict occur, but not in preventing conflict in the first place.
In his testimony to the hearing, General Paul Nakasone, the Director of NSA and US Cyber Command, was not focused so much on deterring PRC cyber actors as on "persistently engaging them". This involves using the "full spectrum of our capabilities to impose costs, deny benefits, and encourage restraint on the part of the adversary", he said.
It's important to keep in mind this is all about Taiwan and that disrupting US critical infrastructure isn't an end in itself for the PRC. It is a supporting capability for potential military action against Taiwan.
And there are many ways, including diplomatic, military and economic measures, that the US could try to deter Chinese military action in the Taiwan Strait. If these types of deterrence are successful, Volt Typhoon's presence in US critical infrastructure is likely moot.
Despite that, there is still a cyber-related element to deterring Chinese action.
Mazarr told us "deterrence often fails when one side, one leader, one military thinks it has a scheme to avoid escalation, bigger costs, long wars".
This meant making sure China did not think "it has some sort of magical off switch that can prevent the US from marshalling large numbers of forces for, say [hypothetically], four weeks".
To that end, the KV botnet disruption operation and this week's cyber security advisory covering Volt Typhoon are huge wins. And there are certainly many ways Cyber Command could make Volt Typhoon's life difficult and undermine the PRC’s confidence that the group could effectively disrupt US critical infrastructure.
When it comes to communicating the risk to the public, however, the dynamic Mazarr describes poses a bit of a dilemma.
For language aimed at critical infrastructure operators and lawmakers, officials need to emphasise the threat to generate urgency and encourage action. But at the same time, you'd ideally like the PRC to think that threats to US critical infrastructure are no big deal.
In the hearing Easterly was clearly speaking to the domestic audience. She mentioned the potential for "disruption of our pipelines, the severing of our telecommunications, the pollution of our water facilities, the crippling of our transportation modes all to ensure that they can incite societal panic and chaos and to deter our ability to marshal military might and civilian will".
Fortunately, Mazarr is sceptical that foreign governments pay all that much attention to the language used in congressional testimony.
"I don't think they would put much store in those kinds of public comments at all".
VPNs Wounded in Cyber Knife Fight
On Wednesday last week, the US Cybersecurity and Infrastructure Agency (CISA) issued an emergency directive for federal agencies to "disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure" products from their networks.
This is a CISA first, but we suspect it will not be the last time the agency directs network defenders to take what once would have been considered drastic and expensive remediation work.
In mid-January we covered the discovery of two 0days that could be used in concert to remotely compromise Ivanti Connect Secure VPN devices. After the publication of security advisories and information about the compromise, the actor responsible (called UTA0178 by security firm Volexity, which thinks it is likely a PRC cyber espionage group) shifted from quiet and relatively slow operations to widespread exploitation.
Since then, Ivanti and UTA0178 have been in a 'cyber knife fight', in which a series of defensive steps from Ivanti have been countered by the attacker. Ivanti's actions included the release of mitigations, integrity checking tools and patches. UTA0178 countered with bypasses for Ivanti's mitigations and integrity checking tools, and also with a variety of webshells and backdoors.
Other groups also joined in the fun after proof-of-concept code was published. Risky Business News has a good blow-by-blow of these events, including the discovery of two more vulnerabilities by Ivanti, one of which was being exploited.
On this week's Risky Business podcast, Eric Goldstein, CISA's Executive Assistant Director for Cybersecurity, expanded on the reasons the organisation directed agencies to disconnect the devices.
"This was necessary given the degree of targeting and compromise around the world of the now three exploited vulnerabilities affecting these appliances", he said.
"Every organisation running these devices absolutely needs to assume targeting and assume compromise."
After disconnecting the devices, CISA's directive says that to return them to service, agencies must factory reset and rebuild the devices, upgrade them to a supported version and revoke and reissue certificates, keys and passwords.
Even worse, however, CISA says that "agencies running the affected products must assume domain accounts associated with the affected products have been compromised". CISA tells agencies to reset passwords, revoke Kerberos tickets and revoke cloud tokens.
Goldstein also indicated these kinds of robust directives would be used again if necessary.
"It is certainly the new normal that these sorts of edge devices are being targeted to extraordinary extent by APT actors... And so where we see targeting of this kind of device to this degree, this is absolutely the sort of action that we will direct where needed to drive the right level of urgency and response"
Goldstein is right when he talks about a "new normal". This is not the first time PRC-linked actors have operated so aggressively that defenders have been told to decommission devices.
In mid-2023, a group compromising Barracuda Email Security Gateways deployed additional persistence mechanisms once its activities were discovered. These actions aimed to make eviction difficult, and Barracuda ultimately recommended that its devices be replaced because it could not guarantee permanent removal of the group’s malware.
This also reminds us of the 2021 espionage campaign targeting Microsoft Exchange servers. The campaign was initially quiet but, we wrote at the time, "exploded into a frenzy of indiscriminate exploitation" in the days prior to Microsoft releasing a patch.
Aggressive exploitation is bad news, but we wonder if it will ultimately encourage vendors to make more secure products? After all, who is going to buy products that regularly get compromised and require time consuming remediation work?
Three Reasons to Be Cheerful This Week:
- FTC actions against data brokers on firmer ground: A US federal judge has ruled that the Federal Trade Commission's enforcement action against data broker Kochava could proceed. The judge's opinion says Kochava selling "highly granular" personal information could invade consumers’ privacy and expose them to significant risks of secondary harm. This means that the actual practice of selling people's geolocation data will be examined in court to see if it is unfair to consumers.
- US law firm Dechert pays to settle hacking claim: a US aviation executive, Farhad Azima, will receive more than £3m from Dechert to settle allegations that the firm hired Indian hack-for-hire firms to steal information from Azima for use in a lawsuit against him.
- Visa restrictions for commercial spyware peeps: The US government has announced that it will place visa restrictions on people involved with the misuse of commercial spyware. It is a relatively broad policy and could apply to developers at these companies and also covers immediate family such as spouses and children. Risky Business News has more coverage.
Sponsor Section
In this Risky Business News sponsor interview Tom Uren talks to Haroon Meer of Thinkst Canary. They discuss how network attackers win, how their tactics have changed over time and what this means for network defenders.
Shorts
The Hack-for-Hire Streisand Effect
Wired's Andy Greenberg describes the backlash against a legal campaign to get articles about the Indian hack-for-hire industry taken down.
In November last year, Reuters published an article about India's hack-for-hire industry. Legal action in India resulted in the piece being 'temporarily removed', in Reuters' words, and it is fighting the injunction in the Indian courts.
This injunction was then leveraged in legal threats to get other publications to remove references to the Reuters article.
An array of organisations, however, are fighting back against this legal strategy. Despite legal threats, investigative news non-profit MuckRock is still hosting the source documents used by Reuters' reporters and tech blog TechDirt has resisted demands to take down its articles. An anti-secrecy non-profit has also republished Reuters' original article.
Midnight Blizzard Attack Path
Andy Robbins at SpecterOps has published a reconstruction of the method Russian hackers known as Midnight Blizzard used to compromise Microsoft email accounts recently (disclosure: SpecterOps are a Risky Business sponsor).
Patrick Gray and Adam Boileau discuss this in this week's Risky Business podcast at 11:40.
Ransomware Again a Growing Problem
Blockchain analysis company Chainalysis has reported that cryptocurrency ransomware payments exceed USD$1bn in 2023. This is a new high, after 2022 saw 'only' USD$567m in payments.
This is partly attributable to the Russian invasion of Ukraine, but the Chainalysis report also examines the impact of the FBI's Hive disruption operation and takedown. In this operation the FBI gained access to Hive's IT infrastructure and, for months, provided decryption keys to victims affected by the ransomware. This directly prevented USD$130m in payments, but Chainalysis reckons it might also have had broader systemic effects that saw about USD$200m of payments averted.
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In our last "Between Two Nerds" discussion Tom Uren and The Grugq talk about what up and coming countries should expect from a cyber command and whether they should invest in them.
From Risky Biz News:
Two Iranian cyber groups get doxed in a week: The identities of two Iranian cyber groups have been exposed over the course of seven days last week.
The US government linked the Cyber Av3ngers group to six individuals working for the Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC), while a report from Iran International linked the Black Shadow group to an Iranian IT company named "Raahkarha-ye Fanavari-e Etela'at-e Jahatpardaz" (or Jahatpardaz Information Technology Solutions).
The "doxing" events come as Iranian cyber activity entered a new and more aggressive stage after Iran-backed Hezbollah attacked Israeli territories on October 7 last year. [more on Risky Business News]
EU commits to not pay ransoms: During a visit to Washington this week, EU Commissioner Thierry Breton formally committed the EU and its 27 member states to the Counter Ransomware Initiative. As part of this project, member states have pledged not to pay ransoms to cyber criminals. More than 50 countries across the world pledged to support the project, although none have passed laws officially banning ransom payments yet.
Pig-butchering leaders arrested: Chinese officials have arrested ten Myanmar nationals who allegedly operated large-scale cyber scam centres in Myanmar's northern Kokang region. The suspects were detained after China issued an international arrest warrant in their names at the start of December last year. All ten are believed to have had leadership roles in running the scam centres, and some were also members of the Kokang Border Guard Force. The suspects were handed over to Chinese authorities on January 30.