This new zero-day cybersecurity threat aimed at critical infrastructure

On the cybersecurity front, every week seems to bring a new threat. A recent one in the category of advanced persistent threat is known as Volt Typhoon. Its apparent foreign nation-state origin is aimed at critical infrastructure. For more, the Federal Drive with Tom Temin spoke with former Energy Department cyber manager, now CEO of NetRise, Tom Pace.

Interview Transcript: 

Tom Temin And you and your company have been tracking something called Volt Typhoon. Colorful sounding name. Has a slightly Far East sound. What is it? And what should we worry about?

Tom Pace Civil typhoons. The name given to an advanced persistent threat group that is operating out of China that has been targeting U.S. critical infrastructure assets and other assets. They have been compromising devices on military bases, installations, critical infrastructure assets, security cameras, firewalls, devices, and assets that typically are much more difficult to detect and find with ease than a traditional like laptop desktop. Something like that.

        Join us June 25 and 26 at 1 p.m. EST for Federal News Network's Cloud Exchange, presented by Maximus, where we'll explore civilian agency progress in using the cloud to improve digital services and federal missions. | Register today!

Tom Temin And you call them an advanced persistent threat. What does that mean exactly in this context? And what is it that they’re putting on these devices that could have the potential to do something?

Tom Pace APT is kind of a generalized term these days. It’s really just the characterization of an entity within. It could be a nation state government. It could be a criminal syndicate; it could be an underground hacking group. It basically just represents a well-financed, very intentional group of people that can either be funded by the government or not. Typically, they are in some way, either directly or indirectly through some kind of proxy. In this scenario, it appears that there is a desire to maintain access into critical infrastructure assets for purposes that are difficult to predict but seem like malicious ones, to say the least.

Tom Temin Well, let’s take the example of surveillance cameras. They put software on there through the network that these cameras are on. They could turn them off. They could point them away from something you need to watch. Could they capture voice and video of people pursuant to making deepfakes, for example, that kind of thing?

Tom Pace All of that is certainly in the realm of possibility. What seems to be a more likely set of circumstances is it’s a very good place to maintain persistence. It’s very hard to find malicious activity and behavior on a security camera. You can’t install antivirus on a security camera. You can’t install software known as endpoint detection and response software. You can’t bring to bear the same kind of technical solutions that you can on a normal workstation or computer or server, or.

Tom Temin A smartphone, or a laptop PC or.

Tom Pace All those smartphones have the same problem. You can’t really install software.

Tom Temin But what I mean is for the network operations centers that agencies operate, or that might be, you know, in Guam, they can see the devices and monitor devices, including smartphones and mobile devices, as well as servers and network devices. Correct. What is not visible to the average SoC, then, are these types of IoT devices that might be in a factory, or might be in a production facility, or might be in a perimeter security system?

Tom Pace That’s right. Typically, at best, you have visibility into what it is and where it is. That’s typically where it ends for a lot of organizations, even very mature organizations, even fortune 100. So even though the federal government has a significant amount of assets, you still have a very wide spectrum of maturity across militaries, agencies, geographic locations, etc..

        Read more: Cybersecurity

Tom Temin Yeah, you could have an installation where the cameras were put in 15 years ago, which is ancient history in terms of, you know, the logic we now have. So how do we know that these devices are getting infected in the first place?

Tom Pace Well, malicious activity was identified by a certain organization within the federal government. And then upon conducting an incident response, doing root cause analysis, and basically tracing it back, you can find patient zero. But I think that there was almost certainly some command-and-control traffic that likely was identified and then traced back through a particular target, an environment where they were able to conduct some follow-on root cause analysis to understand what was happening.

Tom Temin We’re speaking with Tom Pace. He’s the founder and CEO of NetRise. And by the way, what does NetRise bring to this equation. We’ll give you a chance for a 30-second ad here.

Tom Pace Yeah. No, I appreciate that. Yeah. So NetRise is a company focused on providing visibility and risk identification into a class of devices that historically have had none. So, we focus on analyzing things like IoT, industrial control systems, medical devices, embedded systems in vehicles, satellites, telecommunications equipment. In so doing, we’ve created a supply chain risk management platform that allows you to identify not just vulnerabilities and things like the software and firmware, but also identify. Vulnerabilities and risks and other artifacts that exist in those devices like. Public keys, private keys, certificates, credentials, all that kind of fun stuff to give it to you in one location.

Tom Temin And some of those have operating systems that could be very many generations behind current operating systems. So, you’ve got all of abilities there.

Tom Pace It’s actually a very keen observation. The vast majority of them have operating systems that are conservatively five years old, or at least a number of the core elements of those operating systems are five, ten, even 15 years old. Therein lies the problem.

Tom Temin And medical devices probably throw that into the equation.

        Sign up for our daily newsletter so you never miss a beat on all things federal

Tom Pace Medical devices are some of the worst.

Tom Temin Right? We hear that from VA. We hear that from the, you know, the Tricare operators. I mean that’s just the system. So, what’s your advice for CISOs? I mean, who should be responsible for finding out whether my agency has this problem, what the extent of the infrastructure that I have of IoT non computing devices, let’s call them who’s responsible and what should they do.

Tom Pace Yeah I mean there’s been plenty of reporting that has found its way throughout the government. So, this is definitely a CISO issue. The place you always start is getting an inventory of what you actually have in your environment. There’s plenty of very well matured solutions in the space that allow them to do that. Unfortunately, that’s where a lot of it ends. For most of these agencies, they’re really just not even aware that the capabilities exist to give them the inside out perspective of these devices that is required to understand what is going on here. Most people just believe there’s an outside in picture that’s only possible, and also that people have too much trust in some of these devices. So, if you look at Volt Typhoon, most people believe that there was an installation in Guam that was likely the first entity that was compromised and that was compromised by exploiting a vulnerability in a top two firewall vendor. So, if your firewall is the very device that’s intended to keep ne’er do wells out of your network, is the device that is being compromised or in a rough state of affairs. What’s reality is we’ve been in that state of affairs now for decades. This is not a new product. Sure. What’s happening is these threat groups are staying away from traditional assets because security there has gotten very, very good. I mean, there’s very mature solutions. Their solutions have gotten not commensurately better for all of these other devices at all. And in fact, there’s hasn’t been much innovation, period, which is obviously why we started the company that we started.

Tom Temin And just a technical question. These devices don’t appear out of the box to be programmable. I mean, that’s the vulnerability of computers and so on, because the standard computing devices are alterable, they’re designed to be alterable, when you buy a video camera or you buy some kind of industrial control device, whatever the IoT or peripheral might be, you don’t think of those as having their logic unalterable, or that they have a way to inject new software into them. So, what’s the mechanism? Let’s continue with the camera example. Someone gets through the firewall to that camera. Does the malicious software reside on the firewall monitoring the camera, or do they put something on the camera itself?

Tom Pace It can be both. So, there are ways to get things onto these devices. Your opportunities for doing so are, to your point, significantly more limited in comparison to other devices like windows and traditional Linux based operating systems. But your point is accurate in the sense that you can’t just arbitrarily log into a security camera and change everything. You’re dealing with firmware at that point, not software of an operating system, right? So, what you are really left with is a.) Working with the device manufacturer to ensure that any potential issues that are identified are remediated, or taking other compensating and mitigating controls, which is a pretty well-established process that many organizations can follow. But we’re not even there were two steps before that. So, I oftentimes get this question that you’re asking, which is, okay, they put some code on here. Well, what do I do now? And it’s like, we can’t even prove that the code is there or not yet. Like at scale in any kind of automated fashion. That’s exactly what we aim to accomplish. And once we get all of that data, the next steps are pretty obvious, and you’ll be able to have conversations with organizations, device manufacturers, and users that are very, very data driven at that point. Right now, it’s too spotty.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.