On June 10, 2022, the Cybersecurity and Infrastructure Security Agency, the National Security Agency, and the Federal Bureau of Investigation release a joint advisory concerning Chinese sponsored cyberattacks. The report detailed a sustained campaign focused on exploiting networking devices across a broad range of public and private sector entities. The report is the most recent evidence pointing to the larger trend of increases in the number and sophistication of state sponsored cyberattacks. This phenomenon is unlikely to reverse soon. As a result, critical infrastructure companies must understand and prepare for more of them.
For many years, the People’s Republic of China (PRC) has sustained a series of targeted cyber campaigns designed to disrupt commercial enterprises. In 2021, the Department of Justice filed criminal charges against four Chinese nationals affiliated with the Chinese Ministry of State Security. Each were found to have facilitated cyberattacks designed to collect confidential business information across the globe. Stories like this have made the public broadly familiar with the threat China poses to intellectual property and IT security.
Less known, however, is the fact that the FBI has been tracking Chinese attacks against operational technology for more than a decade. Between 2011 and 2013 alone, the FBI was actively tracking Chinese attacks against 23 different natural gas pipelines. Sixteen of the attacks resulted in confirmed system compromises. These compromises often began with Chinese hackers gaining access to corporate networks connected to industrial control systems. This in turn, was leveraged by Chinese actors to gain access to “SCADA networks at several U.S. natural gas pipeline companies”. Had any of these exploits been directly weaponized, the results would have been crippling.
More concerning, however, is the fact that in the decade since, the capability and sophistication of Chinese cyberattacks has risen significantly. According to the 2022 Annual Threat Assessment published by the Office of the Director of National Intelligence, China is “capable of launching cyber-attacks that would disrupt critical infrastructure services within the United States, including against oil and gas pipelines and rail systems.”
The primary finding of the Joint Advisory was the priority Chinese actors placed on compromising networking devices. Devices produced by companies like Cisco and Netgear were common targets for attack. Yet, within the context of the 2011-2013 pipeline attacks, we can understand that this is not a new approach. The information and operational functions continue to make them highly valuable cyber targets. Furthermore, in the decade since, IT/OT convergence has been accelerated by the Industrial Internet of Things and broader Industry 4.0 movement. As such, the exploitation of networking devices poses an even more substantial threat to operational technology today.
The report further details that most of these attacks are initiated through publicly reported Common Vulnerability Exposures (CVEs). Investigators found that, in most cases, the CVE had been publicly disclosed for two years prior to being exploited by a state sponsored attacker. Additionally, the attackers were observed to routinely use open-source network scanning tools to seek out unpatched systems and mark them as a target. This maximizes the efficiency of their operations, while also eliminating the need to utilize more obvious tactics. All these developments are yet another data point that should motivate security operators to consider their own cyber resilience.
Thankfully, there are effective steps that critical infrastructure companies can take to defend both their IT and OT infrastructure against state sponsored cyberattacks:
The unfortunate reality is that the broader geopolitical landscape is becoming increasingly strained. This has been highlighted by the 2022 invasion of Ukraine and escalating rhetoric surrounding Taiwan. Security operators and executives at critical infrastructure companies must take this as an opportunity to double down on hiring the best people, implementing efficient processes and investing in cyber resilience technologies.