America's enemies targeting US critical infrastructure should be 'wake-up call'

Having China, Russia, and Iran routinely rummaging around is cause for concern, says ex-NSA man

RSAC Digital intruders from China, Russia, and Iran breaking into US water systems this year should be a "wake-up call," according to former National Security Agency cyber boss Rob Joyce.

"None of that was significantly consequential," Joyce explained during the NSA's annual State of the Hack panel at RSA Conference on Wednesday. Nonetheless, "that those countries had hackers to combat our critical infrastructure should be a wake-up call. And that there are people out there who, when there's global tensions, feel that their role is to pick up cyber arms."

In the case of the Russia- and Iran-linked cyber thugs, the gangs doing the breaking in were hacktivists, as opposed to state-sponsored crews. The feds, meanwhile, have flat-out blamed the Chinese government for the recent Volt Typhoon activity spotted on critical infrastructure systems.

In addition to pushing their own political agenda, these hacktivists may have direct links to government intelligence services.

Mandiant, for example, recently tied a series of cyberattacks on US and European water plants to Sandworm, which works for Russia's GRU military intelligence. A crew calling itself CyberArmyofRussia_Reborn had claimed to be behind the water system intrusions.

But according to Mandiant, Sandworm operates this and a series of other Telegram channels to get attention for its malicious endeavors and to make it look like some kind of independent hacktivist effort.

"You get the added specter of sometimes the nation state intelligence services are wrapping themselves in the cloak of anonymity of the hacktivists to go out and give it a nudge even further," Joyce told the RSA Conference. "It's scary to watch."

And while there's been "no consequential impact" to date from these break-ins, "at some point, somebody's going to land in a place, in critical infrastructure, that's going to matter," Joyce added. 

"I don't think they're doing the assessment of how significant that attack will be," he opined. "We could see somebody tip the scale by overachieving in one of these attacks without understanding the implications."

This also shows how cyberattacks can easily turn physical, noted current NSA cybersecurity director Dave Luber. In the case of the Texas water facility, the attack caused a tank to overflow – still a smaller-scale activity in terms of potential water plant attacks.

But "you can use your imagination on where some of those physical manifestations can occur," Luber suggested. 

If you have no imagination, here's a scenario that your humble vulture discussed with some unnamed execs at an RSAC cocktail party. Imagine one of these water and wastewater attacks targeting sewage systems and causing them to back up into people's homes – resulting in literally shitty situations all around. We're told this is well within the realm of the possible.

Show of hands: who didn't attack critical orgs this year?

All of this, however, also highlights the difficulty in securing critical infrastructure – which has been a very hot topic of discussion at RSA Conference this year.

Many critical infrastructure sectors – including water and wastewater, healthcare and public health, and government facilities, especially at the state and local level – are historically under-funded and poorly secured. Many smaller municipal water plants, for example, don't have a dedicated security team, and there's often a disconnect between the OT and IT side of the business.

Plus risky OT system behavior – such as using default passwords, not turning on multi-factor authentication, and exposing critical OT devices to the public-facing internet – continues to plague owners and operators.

The most immediate threat to American infrastructure comes from Volt Typhoon, and this particular Beijing-backed crew has come up in nearly every discussion and several panels this week – including a Tuesday keynote with past and present CISA directors Chris Krebs and Jen Easterly.

While US cyber spies have been tracking PRC snoops for years now, Volt Typhoon is different because its intent is not espionage or data theft.

"What's different about Volt Typhoon is the placement, access into our critical infrastructure for the purpose of computer network attack at a time when they choose," Luber observed, "with the intent to cause societal panic, and with the intent to also have some of the impacts of cyber to physical. This is a major concern."

The crew is "stealthy and hard to find," as Joyce noted, because it uses so-called living-off-the-land techniques: things like legitimate software tools and valid credentials, which let the intruders blend in with normal activity and snoop around for years before being detected.

This has given Volt Typhoon plenty of time to get a better understanding of critical infrastructure network topology, and figure out what it can do to best disrupt business functions if and when it chooses to do so.

In the meantime, the hackers deploy backdoors to ensure access and persistence, and "come in every 15, 30, 90 days and just touch those accounts to verify they can still get in. And that's really quiet activity, especially if they are using legitimate credentials," Joyce explained.

Luber warned that critical orgs may need to rethink their log management and retention policies, and implement stronger identity and access management policies. ®
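As an added illustration (not from the panel or the article), here is a small Python check over a constructed authentication log: it flags accounts whose successful logons are all separated by weeks, the "touch those accounts every 15, 30, 90 days" pattern described above, and then shows how a short retention window hides it. The account names, timestamps and log format are all made up.

```python
from datetime import datetime, timedelta

# Constructed sample of successful logons, one per line: "<ISO timestamp> <account> <result>".
# "svc-backup" shows the sparse, roughly periodic check-ins; "alice" is a normal daily user.
SAMPLE_LOG = """\
2024-01-02T08:01:00 alice success
2024-01-03T08:03:00 alice success
2024-01-04T08:00:00 alice success
2024-01-05T08:02:00 alice success
2024-01-10T03:14:00 svc-backup success
2024-01-25T03:20:00 svc-backup success
2024-02-24T03:11:00 svc-backup success
2024-05-24T03:09:00 svc-backup success
"""


def parse_log(text):
    """Return {account: [sorted datetimes of successful logons]}."""
    by_account = {}
    for line in text.splitlines():
        ts, account, result = line.split()
        if result == "success":
            by_account.setdefault(account, []).append(datetime.fromisoformat(ts))
    return {a: sorted(t) for a, t in by_account.items()}


def sparse_checkins(by_account, min_gap_days=14, min_events=3):
    """Accounts whose every logon is at least min_gap_days apart.
    Each individual event looks like a legitimate logon, so nothing fires on it;
    the pattern only shows up when the spacing across the whole history is examined."""
    flagged = {}
    for account, times in by_account.items():
        if len(times) < min_events:
            continue
        gaps = [(b.date() - a.date()).days for a, b in zip(times, times[1:])]
        if min(gaps) >= min_gap_days:
            flagged[account] = gaps
    return flagged


def visible_with_retention(by_account, retention_days, now_iso):
    """Run the same check on only the last retention_days of logs, i.e. what a
    short retention policy still lets a defender see as of now_iso."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=retention_days)
    kept = {a: [t for t in ts if t >= cutoff] for a, ts in by_account.items()}
    return sparse_checkins(kept)
```

With the full history the service account is flagged with gaps of 15, 30 and 90 days; with 30 days of retention only one of its logons survives and the pattern is invisible.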
