Make Sure You Have Logs, Five Eyes Alliance Says
U.S. and allied cybersecurity agencies again warned the private sector to guard against Chinese state hackers who eschew malware to maintain access in favor of exploiting built-in system functions.
The United States has widely touted the January disruption of a botnet used by the Beijing espionage operation widely known as Volt Typhoon. The U.S. government and English-speaking countries that make up the Five Eyes intelligence-sharing alliance revealed the group’s existence last May (see: Chinese State Hacker ‘Volt Typhoon’ Targets Guam and US).
The botnet let Chinese hackers camouflage hacking activities by blending their network traffic in with local sources. The “living off the land” technique of using legitimate functions for malicious purposes makes it harder for suspicious system administrators to detect hacking.
Subsequent efforts by Volt Typhoon hackers to rebuild the botnet were thwarted after Lumen’s Black Lotus Labs sinkholed the remaining command-and-control and payload servers (see: FBI and DOJ Disrupt Chinese Hacking Operation).
The U.S. Cybersecurity and Infrastructure Security Agency said Volt Typhoon actors pre-position themselves to conduct “disruptive or destructive cyber activity against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.” Defense analysts have warned about mounting Chinese military provocation against Taiwan against a backdrop of Chinese leader Xi Jinping’s assertions that Beijing will reunify Taiwan with mainland China. U.S. President Joe Biden has said that U.S. forces would defend Taiwan in the event of “an unprecedented attack.”
CISA, in collaboration with the NSA, the FBI, other U.S. government agencies and cybersecurity agencies from Australia, Canada, the United Kingdom and New Zealand on Tuesday recommended measures to safeguard against Volt Typhoon.
Key preventative measures include maintaining a central logging database that captures data such as application and system access. The government ramped up reminders about the importance of logging in mid-2023 after The Wall Street Journal reported that organizations – including federal agencies – that didn’t pay a premium for logging services were unable to detect a Chinese espionage operation that penetrated the Microsoft cloud computing environment. Microsoft quickly pledged to make logging available for no extra fee (see: Microsoft Expands Logging Access After Chinese Hack Blowback).
CISA advised leaders to review their supply chain and choose vendors who follow “secure by design” principles. Companies should also select vendors that enable interoperability “as a best practice for resilience and to avoid vendor lock-in,” and they should “drive a cybersecurity culture” by championing risk assessment and auditing and ensuring collaboration across business units “to align security measures with business objectives and risk management strategies.”
Following the dismantling of the botnet, CISA and the FBI urged router manufacturers to enhance the security of their devices against Volt Typhoon attacks by implementing secure configuration defaults and addressing web management interface flaws during development.