Shifting priorities: Focus on cyber threats to critical infrastructure orchestrated by China-based groups
In recent developments, Chinese state-sponsored hacking groups such as Salt Typhoon and Volt Typhoon have been linked to sophisticated and persistent operations aimed at critical infrastructure in the United States. These groups have conducted widespread cyber espionage and intrusion campaigns, targeting key sectors including power grids, water supplies, telecommunications, transportation, and military systems.
The infiltration of the U.S. Army National Guard network by Salt Typhoon in 2024 went undetected for nine months, during which sensitive network configurations, administrator credentials, and personal data were extracted. The group exploits unpatched vulnerabilities in Cisco IOS and Palo Alto Networks products, and uses custom malware such as JumbledPath and GhostSpider to maintain long-term, stealthy access.
Volt Typhoon, on the other hand, represents a strategic shift towards preemptive penetration of critical infrastructure, positioning the group to carry out disruptive or destructive actions during a crisis. The operation targeted nine U.S. telecom firms, compromised the private communications of senior government officials, and has been described by the FBI as among the most serious national security breaches on record.
Chinese cyber adversaries have significantly escalated their cyber espionage efforts, with activity up 150% in 2024 and attacks against sectors such as finance, media, manufacturing, and industrial systems up 300%. Ongoing campaigns exploit vulnerabilities in widely deployed software and hardware, such as Microsoft Exchange and Cisco IOS, to gain initial access and maintain persistence.
In response, the U.S. government has implemented coordinated federal strategies, including the creation of a Joint Task Force under CISA, FBI, DOJ, and sector-specific agencies, aimed at improving interagency coordination against such state-sponsored threats.
The Cybersecurity and Infrastructure Security Agency (CISA) is primarily focused on threat activity linked to the People's Republic of China, as CISA Director Jen Easterly stated at the Secureworks Threat Intelligence Summit. The agency is working to ensure that systems, businesses, and networks are resilient against these threats, and is moving quickly to engage with the cybersecurity and critical infrastructure communities to enhance intelligence sharing and sector-specific oversight.
CISA is also implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which requires critical infrastructure providers to notify CISA within 72 hours of a significant cyber incident. The initiative aims to harmonise data collection so that organisations are not overwhelmed by multiple federal authorities requesting information after each cyber incident.
Corporate boards and C-suite executives are encouraged to treat cybersecurity as a serious business risk, just like any other material risk. The Securities and Exchange Commission passed a rule that requires companies to report cyber incidents within four days of determining that they are material to the company's financial condition. Other parts of the business community, including rating agencies, should consider how cybersecurity risk affects business.
The focus on the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) follows a heavy emphasis on threats related to the Russia-Ukraine war; from a geopolitical standpoint, CISA is now turning to more recent China-linked threats. Critical industries such as rail transportation, energy, and oil and gas pipelines could face serious threats from China. These threat actors have perfected living-off-the-land techniques, using the legitimate tools and accounts already present in a victim's environment so that their activity blends in with normal administration. If a military conflict breaks out, these industries could be particularly vulnerable.
In conclusion, Chinese cyber adversaries pose a grave, sustained threat to the security and operational stability of critical U.S. infrastructure through highly sophisticated, patient, and broad-spectrum cyber intrusions. It is crucial for all relevant parties to remain vigilant and proactive in addressing these threats.
- The Cybersecurity and Infrastructure Security Agency (CISA) is actively addressing the threat posed by Chinese cyber adversaries, focusing particularly on threat activity linked to the People's Republic of China.
- To enhance cybersecurity and foster resilience against Chinese threats, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 requires critical infrastructure providers to report cyber incidents within 72 hours, aiming to improve data collection and prevent organisations from being overwhelmed.