As military conflicts cause devastating real-world harm in the physical realm, the governments of Ukraine and Israel are battling escalating cyber harms from nation-state and non-state threat actors. Against this backdrop, the US government is increasingly alarmed about China and its capabilities of slipping into active cyberwarfare mode.
At this year’s Cyberwarcon, top government and industry experts gathered to examine the complex, multi-theater arenas in which known and emerging cyberattacks and digital threats are arising amid unpredictable wartime conflicts. Emerging from these talks are signs of Russian cyber aggression growing more destructive, a still-fluid landscape of disinformation and digital disruption in the Middle East, and the prospect that the ongoing and hard-to-spot infiltration of US critical infrastructure by Chinese hackers could be laying the groundwork for dangerous actions ahead.
China’s capacity for destructive threats looms large
Although China is best known for using its vast cyber skills to engage in intellectual property theft and espionage, it’s not comforting that a Chinese law passed in 2021 forces tech companies operating in the country to report the discovery of hackable flaws to a National Vulnerability Database within 48 hours of their discovery before a patch is available. The new law comes with a host of restrictions on what security researchers can say about the flaws they discover, likely leading to a secret stockpile of zero-day flaws that can be shared with China’s Ministry of State Security, which oversees the country’s state-sponsored hacking operations.
Speaking at Cyberwarcon, Dakota Cary, a nonresident fellow at the Atlantic Council’s Global China Hub, and Kristin Del Rosso, public sector field CTO for Sophos, walked through their research on the functioning and implications of the new flaw. “I think a few people are starting to understand the severity of this,” Del Rosso said.
This zero-day stockpiling has led to “an uptick in the amount of Chinese use of zero-day vulnerabilities to get into US critical infrastructure,” Morgan M. Adamski, director of NSA’s Cybersecurity Collaboration Center, said at the event. In urging the industry to collaborate with her agency on China, Adamski warned that “the PRC has significant resources. The US government has come out and said that their resources outnumber the US and all of our allies combined.”
China’s ability to evade detection and attribution is a critical factor in why the US government has stepped up its efforts to educate the industry about the cyber dangers China poses. “One of the main concerns that we have is that the PRC continues to use US domesticated infrastructure to hide their activities and evade detection by government and industry,” Adamski said. “They’re using a large number of covert infrastructure and networks to gain access into US critical infrastructure.”
China’s penetration of US critical infrastructure is a long-term proposition. It is, Adamski said, “prepositioning with the intent to quietly burrow into critical networks for the long haul.”
One technique China, specifically the threat group known as Volt Typhoon, is using to burrow into US networks is living off-the-land or using existing, ordinary products that threat actors use to evade detection better, Josh Zaritsky, the chief operations officer of the NSA’s Cybersecurity Collaboration Center, said. “They want to maintain deniability that they did anything, even if they do get caught. So, by leveraging the things already in the environment, there’s not as much to go on with this actor.”
Regarding Volt Typhoon, “We have not seen signs of computer attacks,” Mark Parsons, principal threat intelligence analyst at Microsoft’s Threat Intelligence Center, said. “We know that’s always the impression. We have not seen signs of that so far, but it’s something we’re obviously looking out for. We have observed [Volt Typhoon] spending a lot of time wanting to maintain persistence inside networks. They’re doing lots of things to try to maintain that persistence, and they are in it for the long haul.”
Despite the lack of active attacks, the Volt Typhoon group could be positioning itself for destructive attacks. “We think there’s an element in its for destruction or disruption,” Judy Ng, senior threat intelligence analyst with Microsoft Threat Intelligence, said.
Russia’s attacks on Ukraine are destructive and ongoing
Volt Typhoon isn’t the only nation-state threat actor that uses living off the land to obfuscate its activities. At Cyberwarcon, John Wolfram, senior analyst on Mandiant’s Advanced Practices team, and Mike Worley, senior analyst on Mandiant’s Cyber-Physical Threat team, delved into the details of Mandiant’s bombshell report on Russia’s Sandworm group, which cybersecurity researchers have tied to Russia’s GRU Military Unit 74455.
That report revealed how, in late 2022, Sandworm caused a blackout for Ukrainian citizens by targeting a power utility that coincided with mass missile strikes on critical infrastructure across Ukraine, highlighting the growing maturity of Russia’s offensive operational technology arsenal. Specifically, Sandworm targeted a component of Hitachi Energy’s MicroSCADA, which substations in over 10,000 substations use in over 70 countries, monitoring the power supply to about 10% of the world’s population, Worley said.
“Living off the land is one of the key components to their operations,” Wolfram said. “What’s really interesting about how they put it together is they often will masquerade as a legitimate system service and time stop it to match legitimate services.”
“Since the beginning of the full-scale invasion, the adversary was focused primarily on destroying systems, erasing data, etc.,” Victor Zhora, who leads Ukraine’s cyber-related efforts, said. “There have been plenty of cyberattacks combined with physical strikes and short blackouts in different regions, and it’s a matter of discussion whether they are caused by cyber or physical attacks.”
Russia has already begun to deploy some of the same tactics in the Hamas-Israel war that it has used in Ukraine, including DDoS attacks and infiltrating CCTV cameras, Zhora said. “We expected that these would be spread beyond territories of Ukraine, spread to other countries, not just focusing on some commercial organizations or governmental enemies of our allies.”
Hamas war threat actors caught off-guard
Israel is the latest nation to get swept up in war-related threat actor attacks. However, the scene surrounding its war with Hamas is complicated by the unexpected and sudden outbreak of hostilities in early October and the inclusion of non-state political actors as adversaries. The top three cyber-related threats in the Hamas-Israel war so far are demoralization, disinformation, and disruption, Yuri Rozhansky, Research Manager at Mandiant, and Ben Read, director of Mandiant Threat Intelligence’s cyber espionage analysis team, said.
“The demoralization is obviously very big within the disinformation operations and the disinformation more broadly catching up after as people were caught off guard attack and then move to espionage has been always been going on,” Read said. “The mix of them has changed since the outbreak of the Hamas war. The security community has really stepped up to try to defend networks and secure everybody who is under threat.”
For the most part, the efforts by Palestinian threat actors, who are primarily associated with Hamas, to demoralize Israel or spread disinformation have failed. “We have seen a lot of activities against Israeli targets. What’s interesting is that they were mostly unsuccessful. There were claims that [some websites] were down, but I think most of the sites were up 98% of the time,” Read said.
The poor performance of pro-Hamas cyber actors is likely due to the lack of resources. Read pointed out that Gaza is not operating well, and it’s also possible that individuals who were working on cyber efforts before the war were called to active military duty. “These aren’t groups with access to a ton of sophisticated resources, but they’ve got time, and there’s a proliferation of them,” he said.
One nation-state that has intervened in the war is Iran. “Privately, we’ve seen a lot of Iran’s Ministry of Intelligence and Security (MOIS) and Islamic Revolutionary Guard Corps (IRGC) targeting organizations as the conflict grows,” Simeon Kakpovi, senior threat intelligence analyst in Microsoft’s Threat Intelligence Center,” said.
“On the ministry side, we’ve seen at least nine active actors. On the IRGC side, we have seen at least seven active groups relative to the conflict,” Kakpovi said. But, he added, “We have no evidence that the Iranian threat actors were actually prepared for these attacks. Mostly, what we’ve seen is Iranian threat actors took the access and the capabilities that they already had and tried to make the most of it. They were mostly reactive.”