From Volt Typhoon to Salt Typhoon, major cyber incidents in 2024 shone a spotlight on how agencies are managing cyber threats to critical infrastructure.
The past year in national cybersecurity trends was defined by major intrusions into U.S. critical infrastructure.
From the China-linked “Typhoon” campaigns to continued ransomware attacks on the health care sector, agencies had to scramble to keep up. Three key incidents shaped federal cyber activity in 2024:
Volt Typhoon emerged last year when Microsoft and federal agencies warned that it was a People’s Republic of China-connected group targeting critical infrastructure.
But in early February, the Cybersecurity and Infrastructure Security Agency, the FBI and the NSA issued a new advisory with concerning details. It warned that Volt Typhoon had compromised the networks of critical infrastructure organizations. The sectors targeted include communications, energy, transportation, and water and wastewater.
Volt Typhoon’s reported motives were particularly concerning. Rather than espionage, agencies said the group is “seeking to preposition themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.”
Furthermore, the group’s “living off the land” techniques, which rely on legitimate administrative tools already present on compromised systems rather than on custom malware, make it particularly difficult to detect.
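To illustrate what “living off the land” looks like to a defender, here is an added example (not code from the original article, from CISA, or from any vendor): a small scanner over constructed, Sysmon-style process-creation log lines that flags built-in Windows tools used in the ways CISA’s Volt Typhoon hunting guidance describes, namely netsh portproxy for traffic relays, ntdsutil IFM dumps of Active Directory, wmic remote process creation, and encoded PowerShell. The log line format, the host and user names, and the specific regexes are assumptions made for the illustration.

```python
"""Flag living-off-the-land (LOTL) command lines in process-creation logs.

Added example, not from the original article. The log lines below are
constructed for illustration; the rules are starting points, not a finished
detection set, and should be tuned to the environment before deployment.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    line_no: int   # 1-based index into the scanned log list
    rule: str      # which LOTL rule fired
    command: str   # the offending command line


# Rules are (label, regex over the full command line). These reflect publicly
# documented tradecraft; the exact patterns are assumptions for this example.
LOTL_RULES = [
    # netsh portproxy relays traffic through a compromised host to an internal target.
    ("netsh_portproxy",
     re.compile(r"\bnetsh\b.*\binterface\b.*\bportproxy\b.*\badd\b", re.I)),
    # ntdsutil "ifm" creates an offline copy of the AD database (credential theft).
    ("ntdsutil_ifm",
     re.compile(r"\bntdsutil\b.*\bifm\b", re.I)),
    # wmic with /node: spawns a process on a remote machine (lateral movement).
    ("wmic_remote_process",
     re.compile(r"\bwmic\b.*/node:.*\bprocess\b.*\bcall\b.*\bcreate\b", re.I)),
    # Base64-encoded PowerShell hides the real script from casual log review.
    ("powershell_encoded",
     re.compile(r"\bpowershell(?:\.exe)?\b.*\s-(?:e|enc|encodedcommand)\s+\S+", re.I)),
]

# Assumed flattened log format: "<timestamp> host=<h> user=<u> cmd=<command line>"
LOG_FORMAT = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match the format."""
    m = LOG_FORMAT.match(line)
    return m.groupdict() if m else None


def scan(lines):
    """Run every LOTL rule over every well-formed line; return the findings in order."""
    findings = []
    for i, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue  # malformed telemetry is skipped, not treated as a hit
        for name, rx in LOTL_RULES:
            if rx.search(rec["cmd"]):
                findings.append(Finding(i, name, rec["cmd"]))
    return findings


# Constructed sample telemetry: a mix of benign admin activity and LOTL patterns.
SAMPLE_LOGS = [
    r'2024-02-07T10:01:00Z host=ws01 user=alice cmd=netsh interface show interface',
    r'2024-02-07T10:02:13Z host=srv-dc01 user=svc_backup cmd=ntdsutil "ac i ntds" "ifm" "create full C:\Windows\Temp\pro" q q',
    r'2024-02-07T10:03:44Z host=gw-edge01 user=admin cmd=netsh interface portproxy add v4tov4 listenport=9999 listenaddress=0.0.0.0 connectport=8443 connectaddress=10.0.0.12',
    r'2024-02-07T10:04:02Z host=ws02 user=bob cmd=wmic os get caption',
    r'2024-02-07T10:05:30Z host=ws02 user=bob cmd=wmic /node:"srv-fs01" process call create "cmd.exe /c whoami > C:\Windows\Temp\o.txt"',
    r'2024-02-07T10:06:11Z host=ws03 user=carol cmd=powershell.exe -NoProfile -enc SQBFAFgA',
    r'2024-02-07T10:07:00Z host=ws03 user=carol cmd=powershell.exe Get-Process',
    r'garbage line with no fields',
]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"line {f.line_no}: {f.rule}: {f.command}")
```

The benign lines (netsh show, wmic os get, plain PowerShell) are deliberately included: the point of LOTL detection is that the binary itself is not suspicious, only the combination of arguments is, so rules must key on the full command line rather than on the executable name.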
The FBI subsequently ran an operation to remove Volt Typhoon’s malware from routers the group had infected throughout the United States.
But cyber officials warn to this day that Volt Typhoon likely continues to lurk on the networks of many critical infrastructure organizations.
“I worry about Volt Typhoon coming to be seen as a flavor of the month problem. This is a generational, long-term problem, whether it’s called Volt Typhoon or something else — both the adversary and the techniques and the type of vulnerabilities that they’re taking advantage of. We need to make sure that there is a steady state, long-term effort,” CISA Executive Assistant Director Jeff Greene said during Federal News Network’s Cyber Leaders Exchange in October.
“I’m trying to think about it with the team, how we both address that from a technical standpoint — countering their adversary and fixing the problems — but also from a public standpoint to make sure individual citizens understand it and think about what they can do as well as what companies can do,” Greene added.
The Volt Typhoon hacks put a spotlight on agency initiatives to set minimum cyber requirements for critical infrastructure.
While the Biden administration has had some success in establishing new requirements, largely in the transportation sector, it has also struggled to implement cyber standards in key areas like the water sector.
“When you shift an approach like that, clearly it takes time to play out on the ground, and it takes time to really get the volume,” White House Deputy National Security Advisor Anne Neuberger said in February. “Nothing changes with the snap of a finger. We’ve been investing across the U.S. government, in a lot of day-by-day work with companies, with associations to gain their buy-in and help them understand the criticality of the threat and the need for action.”
At nearly the same time that agencies were warning about Volt Typhoon’s intrusions, a hacking group known as ALPHV or BlackCat was executing one of the biggest ransomware attacks in U.S. history.
The group broke into the networks of Change Healthcare in early February, stealing data and encrypting files. Change Healthcare, a subsidiary of UnitedHealth Group and the largest health care payments provider in the United States, acknowledged the incident on Feb. 21.
The ransomware attack effectively knocked Change Healthcare offline for weeks, preventing the processing of claims and payments and leading to widespread disruption throughout the health care sector.
Ultimately, Change Healthcare paid the attackers a $22 million ransom in Bitcoin. The protected health information of more than 100 million people may have been exposed.
For federal agencies, the attack ultimately elevated the ongoing discussion around the need for stronger cybersecurity standards in the health care and public health sectors.
Even before Change Healthcare, the health care sector had been the top ransomware target for multiple years running.
Under a new cyber strategy released last December, the Department of Health and Human Services had already signaled plans to reorganize internal cyber divisions and push forward new cyber standards.
HHS’s Administration for Strategic Preparedness and Response, in particular, has increased its efforts around providing cyber incident response resources to the health care sector.
Meanwhile, the White House is reviewing an update to HHS’s privacy rules that would incorporate stronger cyber standards. But lawmakers continue to call on HHS to move more quickly to strengthen cyber requirements across the health sector.
“With hacks already targeting institutions across the country, it’s time to go beyond voluntary standards and ensure health care providers and vendors get serious about cybersecurity and patient safety,” Sen. Mark Warner (D-Va.) said in a September statement about his and Sen. Ron Wyden’s (D-Ore.) new legislation to set stronger standards for the health care industry.
The ongoing Salt Typhoon incident, meanwhile, is sure to dominate cybersecurity conversations in early 2025.
CISA and the FBI acknowledged the intrusions into U.S. telecommunications providers in late October. The PRC-connected hackers have reportedly been able to monitor live phone calls, harvest sensitive data and compromise the systems telecom providers use to fulfill law enforcement wiretap orders.
The hackers have targeted the messages and phone calls of 100-150 senior political and government figures. CISA recently recommended that “highly targeted individuals” communicate only over end-to-end encrypted channels.
“The Chinese and PRC have been targeting this infrastructure for years,” Rob Lee, chief of research and head of faculty at the SANS Institute, said in an interview. “What makes this one a little bit different is the aggressiveness and the inability to remediate completely. So in Salt Typhoon especially, you’re getting this feeling that if they were able to remediate and actually stop it, they probably wouldn’t have had to come out with their line-in-the-sand style, ‘Everyone start using different messaging and encryption.’”
The incident will provide an early test of how the second Trump administration will manage a major cyber incident.
The FCC is also considering new cybersecurity requirements for telecom providers in the wake of the attack. The Department of Homeland Security’s Cyber Safety Review Board is expected to take up a review of the Salt Typhoon incident by early next year.
Copyright © 2024 Federal News Network. All rights reserved.
Follow @jdoubledayWFED