Reasons to Raise the Cyber-Shields

Adversaries pay a high price in time, human resources, and actual expenditures to arrange and orchestrate attacks on critical U.S. infrastructure.

You expect food, utilities, healthcare, and essential products and services to be readily available. Even a short lapse in any of these creates panic as your standard of living takes a hit. Yet we are experiencing these lapses with increasing frequency and severity, and not because of the weather, mechanical failures, scarcity of resources, or a lack of hospitals, treatments, or healthcare professionals. They are due to nation-states and threat actors creating targeted, manufactured disruptions and disasters—attacks on our critical national infrastructure (CNI).

According to the U.S. Department of Homeland Security (DHS) 2025 Homeland Threat Assessment, DHS expects the People’s Republic of China, Russia, and Iran to remain the most pressing foreign threats to U.S. CNI. These nation-states will work to disrupt U.S. services and conduct espionage, accessing U.S. networks and critical infrastructure entities.

The Chinese state-sponsored cybergroup Volt Typhoon has an increasingly destructive attitude toward Western critical infrastructure sectors, said Craig Watt, threat intelligence consultant at Quorum Cyber, a global cybersecurity company. According to Watt, Volt Typhoon is pre-positioning Chinese hackers inside Western networks, likely to prepare for hostile engagements against the U.S. and to disrupt communications infrastructure between Washington D.C. and East Asia during a crisis.

According to several news sources, China recently ran military drills near Taiwan. The nation-state maintains the island-nation is Chinese territory. Volt Typhoon has targeted U.S. critical infrastructure, including communications systems. The cyberattacks could disrupt U.S. communications and hinder its ability to respond during a crisis in East Asia, such as a conflict with China over Taiwan.

Russia’s cyber Unit 29155 has recently expanded its tactics to include espionage, hack and leak operations, and cyber-sabotage against critical infrastructure networks, according to Watt. The objective is disrupting Western support for Ukraine and bolstering Moscow’s military efforts in Eastern Europe, Watt said.

According to a U.S. Justice Department media release, in 2020, Unit 29155 exfiltrated data from Ukrainian government systems and leaked it, posing as a fictitious hacktivist group, to cause reputational damage to the Ukrainian government.

According to a global joint cybersecurity advisory, in 2022, as part of its attack tactics, techniques, and procedures (TTPs), Unit 29155 deployed the WhisperGate wiper malware against Ukrainian organizations, targeting government agencies and critical infrastructure sectors, including energy and transportation systems.

According to Watt, WhisperGate destroys (erases) the data the threat actors target. TTPs are like playbooks criminal hackers use to outline their attacks’ strategies, methods, and instructions. Hacktivists engage in criminal hacking in service to social or political causes.

“Iranian threat actors are acting as initial access brokers against energy firms and healthcare providers and selling the access to cybercriminal gangs,” said Watt, adding that the threat actors’ motives are almost certainly to counter sanctions against Iran.

Initial access brokers gain unauthorized initial access to devices, systems, or networks. According to the Council on Foreign Relations, the Iran sanctions are U.S.-led economic and financial restrictions reimposed after the 2018 U.S. withdrawal from the Iran nuclear deal, i.e., the Joint Comprehensive Plan of Action.

APTs are Advanced Persistent Threats, cybercriminal groups that are sophisticated, relentless, and well-funded to do great harm against high-value targets, such as CNI.

Vulnerabilities, stolen credentials, and malicious software

Volt Typhoon gains initial access using unpatched vulnerabilities or compromised credentials in public-facing infrastructure such as firewalls, VPNs, and web servers, according to Bob Erdman, associate vice president of R&D at Fortra, a global cybersecurity company. Public-facing infrastructure includes security devices, connections, and computers that people can access from the Internet.

According to Erdman, this infrastructure often includes end-of-life networking gear that vendors no longer support or patch. Volt Typhoon does not typically use malware or ransomware, but practices Living Off The Land (LOTL) attacks, using otherwise benign tools already available on the target system, said Erdman. However, there are exceptions to how Volt Typhoon operates.

In 2024, Volt Typhoon exploited a zero-day vulnerability in Versa Director servers, allowing the group to upload malicious files and gain advanced privileges, targeting Internet service providers and managed service providers, according to a Lumen post.

Because a zero-day vulnerability is unknown to the vendor, the vendor has had zero days to patch it. A zero-day exploit is a technique attackers use to leverage the vulnerability before the vendor fixes it.

According to Watt, Russia’s Unit 29155 has leveraged exploit scripts from GitHub against vulnerabilities in Microsoft Windows Server, Atlassian Confluence Server and Data Center, and Sophos Firewall.

According to a KPMG advisory, Unit 29155 used an exploit script from a GitHub repository to gain initial access through a vulnerability in the Internet-facing systems of Dahua IP cameras (security cameras that communicate over an Internet protocol (IP) network).

According to a CISA advisory, Iranian threat actors have exploited Microsoft’s Netlogon privilege escalation vulnerability, Zerologon, to compromise critical infrastructure sectors. The actors steal credentials and information describing the network, and sell it to cybercriminals.

Netlogon responds to logon, controller synchronization, and backup requests. Privilege escalation vulnerabilities let cyber threat actors extend their privileges on a system, which they then leverage for lateral movement across the network. Controller synchronization keeps the master lists of user passwords and permissions up-to-date and identical across all the domain controllers in a network.

Compromised data

“Adversaries often exfiltrate sensitive operational data, including access credentials, design and architecture blueprints, and real-time ICS telemetry data,” said Justin Shattuck, chief information security officer at Resilience, a cyber risk company. The adversaries attack operational technology (OT), which controls and monitors physical processes, through information technology (IT), which uses computers to process information.

Saman Zonouz, associate professor in cyber security and privacy at Georgia Tech, said, “There is specific OT malware that is built on top of traditional IT malware. You have to exploit vulnerabilities in IT before reaching the OT and causing physical disruption.”

Industrial Control Systems (ICS) at CNI facilities transmit operational data to monitoring systems that analyze and manage critical infrastructure processes, such as water treatment and power generation.

Other data collected through CNI is not necessarily CNI data. “In November 2024, China-linked attackers targeted U.S. telecom providers, obtaining data related to wiretaps and eavesdropping on conversations of government officials and politicians. The attacks affected Verizon, AT&T, and Lumen, formerly CenturyLink,” said Shattuck.

Chinese cybercriminals attack U.S. CNI, targeting specific data for cyber espionage. Explained Watt, “Volt Typhoon frequently employs Microsoft Volume Shadow Copy Services (VSS) to access NTDS.dit, which is a repository containing critical Active Directory data, including user accounts and hashed passwords that [they] leverage for further exploitation.”

Windows VSS creates backup copies of files or drives while those are in use. Active Directory manages users on a network, controlling access to services. Hashing turns a password into a fixed-length scrambled string from which the original password is hard to recover.
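The Living Off The Land pattern described in this article, a built-in tool creating a shadow copy and the NTDS.dit credential store then being read through the shadow copy path, is something defenders can look for in process-creation telemetry. The following detector is an added example, not code from the article or from any vendor quoted in it; the log format, field names, host names and the 30-minute correlation window are assumptions, and the log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation records (Sysmon Event ID 1 style), one per line.
# Invented for this example; not real telemetry from any organization.
SAMPLE_LOGS = [
    'ts=2025-03-01T02:14:05 host=DC01 user=CORP\\svc_backup image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin create shadow /for=C:"',
    'ts=2025-03-01T02:14:09 host=DC01 user=CORP\\svc_backup image=C:\\Windows\\System32\\cmd.exe cmdline="cmd /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\ntds.dit C:\\Windows\\Temp\\n.dit"',
    'ts=2025-03-01T09:30:00 host=WS07 user=CORP\\alice image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin list shadows"',
    'ts=2025-03-02T01:00:00 host=FS02 user=CORP\\svc_backup image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin create shadow /for=D:"',
]

LINE_RE = re.compile(r'ts=(\S+) host=(\S+) user=(\S+) image=(\S+) cmdline="(.*)"$')

def parse(line):
    """Split one record into fields; None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, user, image, cmd = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "image": image.lower(), "cmd": cmd.lower()}

def classify(rec):
    """Tag a record as a shadow copy creation or an NTDS.dit read via a shadow copy path."""
    if rec["image"].endswith("vssadmin.exe") and "create shadow" in rec["cmd"]:
        return "shadow_create"
    if "ntds.dit" in rec["cmd"] and "harddiskvolumeshadowcopy" in rec["cmd"]:
        return "ntds_from_shadow"
    return None  # routine use such as 'vssadmin list shadows' is not flagged

def detect(lines, window=timedelta(minutes=30)):
    """Correlate per host: NTDS.dit read from a shadow copy within `window` of its
    creation is critical; either step alone is still reported for analyst review."""
    recs = sorted((r for r in map(parse, lines) if r), key=lambda r: r["ts"])
    last_shadow, alerts = {}, []  # host -> time of latest shadow copy creation
    for r in recs:
        tag = classify(r)
        if tag == "shadow_create":
            last_shadow[r["host"]] = r["ts"]
            alerts.append(("medium", r["host"], r["user"], "shadow copy created"))
        elif tag == "ntds_from_shadow":
            t0 = last_shadow.get(r["host"])
            if t0 is not None and r["ts"] - t0 <= window:
                gap = int((r["ts"] - t0).total_seconds())
                alerts.append(("critical", r["host"], r["user"],
                               f"NTDS.dit read from shadow copy created {gap}s earlier"))
            else:
                alerts.append(("high", r["host"], r["user"], "NTDS.dit read from shadow copy"))
    return alerts
```

Because the tools involved are legitimate, the lone shadow copy creation on FS02 is reported at medium severity only; it is the per-host sequence on DC01 that produces the critical alert.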

“Volt Typhoon has stolen diagrams and documents related to OT equipment, including supervisory control and data acquisitions (SCADA) systems, relays, and switchgear,” said Watt.

SCADA systems monitor and control critical infrastructure, like power grids and transportation. Relays are electronic switches that protect equipment, automatically turning devices on or off, or redirecting power. Switchgear hardware includes circuit breakers, fuses, and switches that distribute power safely.

Attack patterns, timelines, and dwell time

According to Shattuck, CNI cyber events often coincide with geopolitical events such as elections and international negotiations. “Attack frequency increases during periods of heightened tension, and timelines vary from event to event,” said Shattuck.

According to a 2024 CSIS cyber incidents report, in October 2023, Vietnamese hackers attempted to install spyware on the phones of journalists, United Nations officials, and the chairs of the U.S. House Foreign Affairs Committee and the Senate Committee on Homeland Security and Governmental Affairs. The spyware was designed to siphon calls and texts from infected phones. At the same time, Vietnamese and American diplomats were negotiating an agreement to counter China’s growing influence in the region.

According to a 2024 CISA Security Advisory, Volt Typhoon threat actors have maintained access within some victim IT environments for at least five years. Dwell time is the length of undetected access. According to the advisory, Volt Typhoon does extensive reconnaissance to learn about an organization’s environment and persist in the network.

The effectiveness of current security measures

According to Evan Dornbush, former NSA computer network operator at the U.S. Defense Department, it is difficult to gauge the effectiveness of current security measures. The increase in cyber event reporting has led to the detection and shutting down of significant CNI attack operations, he observed, adding, “On the other hand, we don’t know what hasn’t been detected, and the affected devices are not limited to use by one specific industry.”

Dornbush said a major component of a defender’s strategy “must be to perturb the adversary’s operational budget,” explaining that the adversary pays a high price in time, human resources, and actual expenditures to arrange and orchestrate these attacks.

In an example of frustrating a threat actor’s funding, Sophos ran a counterintelligence operation against Chinese criminal hackers who were targeting its firewall products. According to a Sophos X-Ops report, the attacks started in 2018 with a breach at Cyberoam, a subsidiary of Sophos, which revealed the hackers’ plans to gather intelligence for further attacks.

According to the Sophos X-Ops report, in April 2020, Sophos deployed a specialized kernel implant, malware affecting the deepest part of the operating system software, on devices the criminal hackers controlled. The implant let Sophos monitor the attackers’ activities, including their development of exploits against the Sophos firewall. By watching the hackers build their capabilities and malware, Sophos collected information about its own firewall vulnerabilities, patched those, and then shut down the attackers’ operations.

Said Dornbush, “Sophos did an incredible thing by watching the attackers build out their capabilities and start to spread and infect [Sophos firewalls], and only then did they shut it all down in one fell swoop.”

David Geer is a journalist who focuses on issues related to cybersecurity. He writes from Cleveland, OH, USA.
