NCSC Expert Warns Businesses: Nations Never Hack for Recreation, Urging a Strategic Approach Grounded in Geopolitics
In a world where cyber threats are increasingly becoming a concern for nations, China-backed and Russian cyber groups are actively positioning themselves within critical infrastructure of the United States and its allies.
Chinese state-backed groups such as Volt Typhoon and Salt Typhoon have been found to be engaged in more than traditional espionage. They are actively positioning themselves within U.S. and allied critical infrastructure, particularly energy, communications, water, and transportation networks, with the apparent intent to disrupt operations in the event of a future conflict, especially concerning Taiwan.
U.S. officials and cybersecurity researchers confirm that China has shifted from intellectual property theft to a posture that puts critical infrastructure at risk, aiming to limit American military mobilization in a crisis. There is a clear geographic emphasis on Guam and the U.S. West Coast, which are critical for U.S. power projection in the Indo-Pacific. Chinese groups have burrowed deep into these regions' infrastructure, testing access points and monitoring for vulnerabilities, likely preparing for possible sabotage or disruption during heightened tensions.
The tactics and techniques employed by these groups include long-term persistence, credential harvesting, supply chain and third-party access, testing and probing, and public-private coordination. They seek to establish persistent, stealthy access to networks, sometimes remaining undetected for months or years, in order to enable rapid, disruptive action if needed.
Recent examples of these activities include the breach of at least one U.S. state's Army National Guard network for nine months, exfiltrating sensitive data, network configurations, and credentials that could facilitate future attacks on other states' military and government networks. Another example is the specific targeting of critical infrastructure in Guam and the U.S. mainland, aiming to "preposition" for disruptive or destructive cyberattacks in a conflict scenario.
Russia, on the other hand, is increasingly targeting supply chains that support Ukraine, with defense, energy, and logistics companies being particularly at risk. The Volt Typhoon and Salt Typhoon campaigns, both advanced persistent threats, likewise show groups 'pre-positioning' themselves inside critical infrastructure. Russia's cyber capabilities have improved in recent years, with the invasion of Ukraine serving as an opportunity to refine offensive cyber techniques.
In 2022, Russia launched a major cyber attack on Viasat, a US communications company, during the invasion of Ukraine. This attack caused a widespread outage, impacting Ukrainian military command and control and causing knock-on outages for several thousand internet-connected German wind turbines.
Both nations’ strategies reflect a shift from pure espionage to operations that could directly impact civilian and military readiness in the event of heightened geopolitical tensions. Business leaders are advised to stay informed about geopolitics to maintain effective cybersecurity strategies. States do not engage in cyber attacks for recreational purposes, but rather for specific reasons, some of which may not be immediately clear.
These developments underscore the need for vigilance and robust cybersecurity measures to protect critical infrastructure from potential disruptions.
- Amidst escalating cyber threats from China-backed groups, Volt Typhoon and Salt Typhoon, there's a growing concern for U.S. businesses, as these groups attempt to penetrate critical infrastructure beyond intellectual property theft, primarily targeting energy, communications, water, and transportation networks.
- In light of heightened geopolitical tensions, a shift in Russian cyber activities is visible, with focus on targeting supply chains that support Ukraine, such as defense, energy, and logistics companies, showcasing a pre-positioning strategy aimed at disrupting or even incapacitating critical infrastructure.
- As nations like China and Russia increasingly employ offensive cyber operations to disrupt critical infrastructure, businesses must continually update and strengthen their cybersecurity defenses to ensure the resilience of their finance, technology, and overall business operations in an increasingly complex and interconnected world.