Volt Typhoon: Keep Calm and Carry On + VPNs Wounded in Cyber Knife Fight

Editor’s Note: This newsletter is part of a collaboration between Lawfare and Risky Business. You can find the full version of the Seriously Risky Business newsletter and previous editions on Substack.

Volt Typhoon: Keep Calm and Carry On

The U.S. is grappling with Chinese cyber actors who appear to be building the capability to disrupt critical infrastructure during a potential military conflict.

In late-breaking news, the U.S. agencies responsible for cybersecurity and critical infrastructure have released an advisory about the group known as Volt Typhoon.

The advisory states [emphasis added]:

The U.S. authoring agencies have confirmed that Volt Typhoon has compromised the IT environments of multiple critical infrastructure organisations—primarily in Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors—in the continental and non-continental United States and its territories, including Guam. Volt Typhoon’s choice of targets and pattern of behaviour is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions. The U.S. authoring agencies are concerned about the potential for these actors to use their network access for disruptive effects in the event of potential geopolitical tensions and/or military conflicts.

Volt Typhoon was a major topic of discussion at a U.S. House committee hearing last week.

U.S. Cybersecurity and Infrastructure Agency (CISA) Director Jen Easterly said at the hearing, “We’ve seen Chinese cyber actors, including those known as Volt Typhoon, burrowing deep into our critical infrastructure to enable destructive attacks in the event of a major crisis or conflict.”

She emphasized that this threat was “not theoretical” and that “CISA teams have found and eradicated Chinese intrusions in multiple critical infrastructure sectors, including aviation, water, energy, [and] transportation.”

Easterly described these confirmed discoveries as “likely just the tip of the iceberg.”

The U.S. government has already started taking practical steps to deal with the threat. On Jan. 31, the day before the hearing, the U.S. Department of Justice announced it had disrupted what is known as the “KV botnet.” This botnet, which we wrote about last month, comprises end-of-life small office/home office (SOHO) routers and was being used by Volt Typhoon for command and control.

This operation was limited to the U.S.-based parts of the botnet, and the Justice Department’s press release also states its actions were “temporary in nature.” An owner restarting a router would make it vulnerable to reinfection.

But despite these limitations, this operation—coupled with private-sector action—appears to have had a real impact. Lumen Technologies also sinkholed the IP addresses used by the KV botnet’s infrastructure, and the company’s Black Lotus Labs thinks that the KV portion of the botnet is “no longer effectively active.” (The botnet has two clusters, “KV” and “JDY”: The JDY cluster is degraded but still operating.)

Beyond disrupting this botnet, there are, at least in theory, many actions an organization like U.S. Cyber Command could take in response to Chinese groups targeting U.S. critical infrastructure. These could include compromising Volt Typhoon itself, targeting Chinese military systems for potential disruption, or even responding in kind by compromising Chinese critical infrastructure to be able to disrupt it in a time of crisis.

Michael Mazarr, a deterrence expert at RAND, told Seriously Risky Business that, if you intended to deter the People’s Republic of China (PRC), these types of cyber operations were subject to a “reveal/conceal dynamic.”

The question here, he said, was “you may have a certain capability, but when do you let them [the PRC] know that you have that capability?”

“You’d want them to know to deter them, but obviously in the cyber realm, by conveying certain things, you tip them off so they go looking for it and now you don't have it [that capability] anymore.”

“So that’s just a constant dilemma.”

Many of the options we’ve listed would seem to be useful should conflict occur, but not in preventing conflict in the first place.

In his testimony to the hearing, Gen. Paul Nakasone, the director of the National Security Agency and U.S. Cyber Command, was focused not so much on deterring PRC cyber actors as on “persistently engaging them.” This involves using the “full spectrum of our capabilities to impose costs, deny benefits, and encourage restraint on the part of the adversary,” he said.

It’s important to keep in mind this is all about Taiwan and that disrupting U.S. critical infrastructure isn’t an end in itself for the PRC. It is a supporting capability for potential military action against Taiwan.

And there are many ways, including diplomatic, military, and economic measures, that the U.S. could try to deter Chinese military action in the Taiwan Strait. If these types of deterrence are successful, Volt Typhoon’s presence in U.S. critical infrastructure is likely moot.

Despite that, there is still a cyber-related element to deterring Chinese action.

Mazarr told us that “deterrence often fails when one side, one leader, one military thinks it has a scheme to avoid escalation, bigger costs, long wars.”

This meant making sure China did not think “it has some sort of magical off switch that can prevent the U.S. from marshalling large numbers of forces for, say [hypothetically], four weeks.”

To that end, the KV botnet disruption operation and this week’s cybersecurity advisory covering Volt Typhoon are huge wins. And there are certainly many ways Cyber Command could make Volt Typhoon’s life difficult and undermine the PRC’s confidence that the group could effectively disrupt U.S. critical infrastructure.

When it comes to communicating the risk to the public, however, the dynamic Mazarr describes poses a bit of a dilemma.

For language aimed at critical infrastructure operators and lawmakers, officials need to emphasize the threat to generate urgency and encourage action. But at the same time, you’d ideally like the PRC to think that threats to U.S. critical infrastructure are no big deal.

In the hearing, Easterly was clearly speaking to the domestic audience. She mentioned the potential for “disruption of our pipelines, the severing of our telecommunications, the pollution of our water facilities, the crippling of our transportation modes all to ensure that they can incite societal panic and chaos and to deter our ability to marshal military might and civilian will.”

Fortunately, Mazarr is skeptical that foreign governments pay all that much attention to the language used in congressional testimony.

“I don’t think they would put much store in those kinds of public comments at all.”

VPNs Wounded in Cyber Knife Fight

On Jan. 31, CISA issued an emergency directive for federal agencies to “disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure” products from their networks.

This is a CISA first, but we suspect it will not be the last time the agency directs network defenders to take what once would have been considered drastic and expensive remediation work.

In mid-January we covered the discovery of two zero days that could be used in concert to remotely compromise Ivanti Connect Secure VPN devices. After the publication of security advisories and information about the compromise, the actor responsible (called UTA0178 by security firm Volexity, which thinks it is likely a PRC cyber espionage group) shifted from quiet and relatively slow operations to widespread exploitation.

Since then, Ivanti and UTA0178 have been in a “cyber knife fight,” in which a series of defensive steps from Ivanti have been countered by the attacker. Ivanti’s actions included the release of mitigations, integrity checking tools, and patches. UTA0178 countered with  bypasses for Ivanti’s mitigations and integrity checking tools, and also with a variety of webshells and backdoors.

Other groups also joined in the fun after proof-of-concept code was published. Risky Business News has a good blow-by-blow of these events, including the discovery of two more vulnerabilities by Ivanti, one of which was being exploited.

On this week’s Risky Business podcast, Eric Goldstein, CISA’s executive assistant director for cybersecurity, expanded on the reasons the organization directed agencies to disconnect the devices.

“This was necessary given the degree of targeting and compromise around the world of the now three exploited vulnerabilities affecting these appliances,” he said.

“Every organization running these devices absolutely needs to assume targeting and assume compromise.”

CISA’s directive says that to return devices to service after disconnecting them, agencies must factory reset and rebuild the devices, upgrade them to a supported version, and revoke and reissue certificates, keys, and passwords.

Even worse, however, CISA says that “agencies running the affected products must assume domain accounts associated with the affected products have been compromised.” CISA tells agencies to reset passwords, revoke Kerberos tickets, and revoke cloud tokens. 

Goldstein also indicated these kinds of robust directives would be used again if necessary.

“It is certainly the new normal that these sorts of edge devices are being targeted to extraordinary extent by APT actors…. And so where we see targeting of this kind of device to this degree, this is absolutely the sort of action that we will direct where needed to drive the right level of urgency and response.”

Goldstein is right when he talks about a “new normal.” This is not the first time PRC-linked actors have operated so aggressively that defenders have been told to decommission devices.

In mid-2023, a group that compromised Barracuda Email Security Gateways deployed additional persistence mechanisms once its activities were discovered. These actions aimed to make eviction difficult, and Barracuda ultimately recommended that its devices be replaced because it could not guarantee permanent removal of the group’s malware.

This also reminds us of the 2021 espionage campaign targeting Microsoft Exchange servers. The campaign was initially quiet but, we wrote at the time, “exploded into a frenzy of indiscriminate exploitation” in the days prior to Microsoft releasing a patch.

Aggressive exploitation is bad news, but we wonder if it will ultimately encourage vendors to make more secure products. After all, who is going to buy products that regularly get compromised and require time-consuming remediation work?

Three Reasons to Be Cheerful This Week:

1. FTC actions against data brokers on firmer ground: A U.S. federal judge has ruled that the Federal Trade Commission’s enforcement action against data broker Kochava could proceed. The judge’s opinion says Kochava selling “highly granular” personal information could invade consumers’ privacy and expose them to significant risks of secondary harm. This means that the actual practice of selling people’s geolocation data will be examined in court to see if it is unfair to consumers. 
2. U.S. law firm Dechert pays to settle hacking claim: A U.S. aviation executive, Farhad Azima, will receive more than 3 million pounds from Dechert to settle allegations that the firm hired Indian hack-for-hire firms to steal information from Azima for use in a lawsuit against him.
3. Visa restrictions for commercial spyware peeps: The U.S. government has announced that it will place visa restrictions on people involved with the misuse of commercial spyware. It is a relatively broad policy and could apply to developers at these companies and also covers immediate family such as spouses and children. Risky Business News has more coverage.  

Shorts

The Hack-for-Hire Streisand Effect

Wired’s Andy Greenberg describes the backlash against a legal campaign to get articles about the Indian hack-for-hire industry taken down.

In November 2023, Reuters published an article about India’s hack-for-hire industry. Legal action in India resulted in the piece being “temporarily removed,” in Reuters’s words, and it is fighting the injunction in the Indian courts.

This injunction was then leveraged in legal threats to get other publications to remove references to the Reuters article. [Editor’s note: Lawfare was one of the publications to do so, as we explained in the article in question.]

An array of organizations, however, are fighting back against this legal strategy. Despite legal threats, investigative news nonprofit MuckRock is still hosting the source documents used by Reuters reporters and tech blog TechDirt has resisted demands to take down its articles. An anti-secrecy nonprofit has also republished the original Reuters article.

Midnight Blizzard Attack Path

Andy Robbins at SpecterOps has published a reconstruction of the method Russian hackers known as Midnight Blizzard used to compromise Microsoft email accounts recently. (Disclosure: SpecterOps is a Risky Business sponsor.)

Ransomware Again a Growing Problem

Blockchain analysis company Chainalysis has reported that cryptocurrency ransomware payments exceeded $1 billion in 2023. This is a new high, after 2022 saw “only” $567 million in payments.

This is partly attributable to the Russian invasion of Ukraine, but the Chainalysis report also examines the impact of the FBI’s Hive disruption operation and takedown. In this operation, the FBI gained access to Hive’s IT infrastructure and, for months, provided decryption keys to victims affected by the ransomware. This directly prevented $130 million in payments, but Chainalysis reckons it might also have had broader systemic effects that averted about $200 million in payments.

Risky Biz Talks

In the latest “Between Two Nerds” discussion, Tom Uren and The Grugq talk about what up-and-coming countries should expect from a cyber command and whether they should invest in them.

From Risky Biz News:

Two Iranian cyber groups get doxed in a week: The identities of two Iranian cyber groups have been exposed over the course of seven days last week.

The U.S. government linked the Cyber Av3ngers group to six individuals working for the Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC), while a report from Iran International linked the Black Shadow group to an Iranian IT company named “Raahkarha-ye Fanavari-e Etela'at-e Jahatpardaz” (or Jahatpardaz Information Technology Solutions).

The “doxing” events come as Iranian cyber activity entered a new and more aggressive stage after Iran-backed Hezbollah attacked Israeli territories on Oct. 7, 2023.

[more on Risky Business News]

EU commits to not pay ransoms: During a visit to Washington this week, EU Commissioner Thierry Breton formally committed the EU and its 27 member states to the Counter Ransomware Initiative. As part of this project, member states have pledged not to pay ransoms to cyber criminals. More than 50 countries pledged to support the project, although none have passed laws officially banning ransom payments yet.

Pig-butchering leaders arrested: Chinese officials have arrested 10 Myanmar nationals who allegedly operated large-scale cyber scam centers in Myanmar’s northern Kokang region. The suspects were detained after China issued an international arrest warrant in their names at the beginning of December 2023. All 10 are believed to have had leadership roles in running the scam centers, and some were also members of the Kokang Border Guard Force. The suspects were handed over to Chinese authorities on Jan. 30.

Image via Irrawaddy