As the cyber threat environment grows more complex and daunting by the day, the U.S. intelligence community is racing to bolster cybersecurity defenses at the government level, while also working with local officials to safeguard the nation’s critical infrastructure – its water systems, electric grids, communications networks and more. The latter effort may be the harder part, given that experts say many U.S. infrastructure entities have dangerously thin cyber defenses. And all too often, the security of these systems is only as strong as their weakest, most permeable links.
The latest major episode involved the breach of top telecommunications companies by Chinese hackers, which U.S. officials believe was aimed at accessing national security information. Officials said earlier this month that a group of hackers known as Salt Typhoon, allegedly linked to Chinese intelligence, had penetrated the networks of AT&T, Verizon, and Lumen Technologies — three of the largest U.S. internet service providers. Investigators believe the hackers were targeting wiretap warrant requests for federal surveillance information.
In April, cyberattacks targeted water utilities across the U.S., prompting the Environmental Protection Agency to urge water systems to bolster cybersecurity defenses. A few months before that, hackers tied to Iran were blamed for intrusions at several U.S. organizations that targeted an Israeli-made industrial control device. And in perhaps the most prominent case, the Chinese hacking network known as Volt Typhoon breached dozens of American critical infrastructure organizations, seeking persistent access to position itself for future attacks.
The U.S. government and cybersecurity experts have warned of cyber threats to other critical infrastructure, including ports, hospitals, and power systems. In many cases, the fear is that nation states are probing these entities to gain a cyber foothold – from which they may pose grave threats in any future conflict.
These issues – and the dangers they pose – were the subject of a special session of the recent Cipher Brief 2024 Threat Conference, which featured senior U.S. officials who are deeply engaged in this issue.
The three officials – Dana Madsen, Deputy Director of the Cyber Threat Intelligence Integration Center at the Office of the Director of National Intelligence (ODNI); Shannon Corless, Assistant Secretary of the Office of Intelligence & Analysis at the Department of the Treasury; and Kristina Walter, Director of the National Security Agency Cybersecurity Collaboration Center – spoke about the latest threats, their agencies’ responses, and the importance of strong public-private partnership in mitigating the dangers.
“We have intelligence that we're bringing to the fight, but industry has equal intelligence in most cases about what they're seeing actually happening on their network,” Walter said. “It's when we bring those together that we're also able to operationalize it.”
The three officials spoke at the Threat Conference with Timothy Barrett, Assistant Director of National Intelligence for Strategic Communications at ODNI.
This conversation has been edited for length and clarity.
Barrett: Let’s start with the threat landscape, and why working with the private sector is more important now than ever.
Madsen: We've seen an inflection in the threat landscape, where five to ten years ago we were talking about cyber espionage, and the theft of intellectual property. Now, cyber attacks are also an issue that we're concerned with, particularly against our critical infrastructure owners and operators.
We see two manifestations of that threat. One is the very sophisticated activity conducted by the PRC [China]-sponsored “Volt Typhoon” actors. But we've also seen less sophisticated actors.
From the policy context, earlier this year the White House issued National Security Memorandum 22 on critical infrastructure resilience. One of the key drivers in that document is intelligence sharing through the SRMAs – the sector risk management agencies – and law enforcement, with the private sector and bi-directional information exchange driven by this threat landscape.
Corless: When we first started looking at this issue about three or four years ago, and really formalized our approach to supporting the financial sector, we were mostly looking at issues such as hacktivists, ransomware, criminal actors. But we have seen an evolution in the concerns with respect to the financial sector. Now we're looking at state actors.
Walter: The PRC is the enduring threat that we are trying to counter. We recognize that they are very familiar with the way we operate in the United States, the way we share contracting information. We are very public about who is building what capabilities for the United States government, and the [Chinese] leverage that to their advantage. They're taking advantage of the weakest link in supply chains as much as they can. They're going after the basic cyber hygiene that is not as pervasive as it should be across our industrial base.
We see both China and Russia taking advantage of unpatched systems, looking for misconfigurations, doing brute-force password-spraying attacks to get into the networks and then move laterally. The campaigns are very sophisticated.
That is where the partnership with industry has been critical. We only see one piece from our foreign intelligence aperture. We understand perhaps what they intend to do, maybe what they're doing in a foreign space, but we don't have that insight for the domestic space. So when we're trying to put that puzzle piece together, the partnership is critical, because we have intelligence that we're bringing to the fight, but industry has equal intelligence in most cases about what they're seeing actually happening on their network. It's when we bring those together that we're also able to operationalize it.
Barrett: What have been the national security wins or gains that you have been privy to, that would not have occurred had it not been for such collaboration with the private sector?
Walter: In 2022, we at NSA understood that the PRC specifically leverages what we call obfuscation networks. They target small office routers, they target small businesses, they target vulnerable populations, and then they move up the supply chain based on trusted relationships. We were working with some of our partners to really understand that activity, really enumerate what is a PRC-owned device that's targeting, and what is not. Through that collaboration, we identified a connection from a known PRC infrastructure to one of our defense contractors. Within hours of this routine analytic collaboration finding this activity, we tipped this to our defense industrial base partner. It was a Citrix ADC environment that was being targeted.
The partner came back, they did full remediation, and they came back two weeks later and said, We see the actor there again. So we recognized that this was likely a previously unknown vulnerability. This really took a whole-of-industry, whole-of-government approach, where we brought them in, and the patch was worked for that particular vulnerability.
We are at a point now where we have been able to detect the activity, where industry partners can detect the activity, where we have small municipalities coming and calling CISA or NSA or FBI and saying, I see this activity that's consistent with Volt Typhoon. That would not have been possible without the sharing of insights between the National Security Agency, our interagency partners and our industry partners.
Corless: We had an instance, speaking specifically to Volt Typhoon, where we had briefed this to our cleared sector audience, and one of the members of the financial sector came back to us and said they took a look at their networks and saw indicators of activity related to Volt Typhoon. They were very grateful, because it allowed them to start taking the necessary steps they needed to remediate the matter on their networks. It's also a really great example of how that feedback is so important to us, because once we know that this is something that is of concern to our sector partners, it allows us to better tailor the way that we are engaging them, and making sure that we are providing them with the information that they need.
Madsen: At ODNI, we had a case where we brought together a cross section of the intelligence community and the private sector to think about a new aspect of the threat environment. Since late last year, we've seen a group called the Cyber Army of Russia Reborn, or CARR. It's a pro-Russia group using techniques to cause physical effects on water sector and agriculture sector targets in the United States and in western Europe. We began to understand that there's a need to think about how we provide intelligence support to the water sector.
So we convened something called an industry analytic partnership, and we brought together owners and operators in large cities and rural areas – equipment manufacturers, systems integrators, associations, the interagency people – and we worked with CISA to co-sponsor this, [to] talk through some of the dynamics of what's going on in the water sector.
We did one-time read-ins, so that we could share with our industry partners the threat context that we're seeing from a classified standpoint. We had our partners talk about what was possible in terms of some of the security vulnerabilities in the water sector. And we also had a conversation about business dynamics in the sector, how the sector has to balance municipal budgets with regulatory imperatives, and with the imperative of water being affordable, with new requirements such as dealing with forever chemicals, the PFAS [per- and polyfluoroalkyl substances], to understand how they think about resource allocation.
It was one of these cases where we could bring together the sector so that we could help the IC analysts better tailor their analysis to the needs of the Environmental Protection Agency, which is the sector risk management agency, and the broader sector.
Barrett: Walk us through some of the changes that have occurred in terms of your approach.
Walter: I would say from our perspective, some of the cultural change involves the fact that we recognized really early on that if the information wasn't unclassified and we couldn't get it in the hands of the net defenders who can actually action it, it wasn't that useful. It's helpful to give the C-suite contextual conversations as to what the threat is, so that they can support the resources and support their teams to work on these efforts. But realistically, in order for the information to be actioned, we have to get it to an unclassified level.
As [NSA Director] General [Timothy] Haugh has said, there are about 70 cybersecurity advisories that we have put out. That's public; anybody can go to nsa.gov and see it. The other thing we've done is we have 10,000 analytic exchanges that are happening every quarter – that involves NSA analysts who really understand China and Russia or other nation-state actors, in collaboration channels with industry net defenders. Not the C-suite executives, not the leadership team, but truly the analysts, so that they can talk day-to-day about what they are seeing to help understand it. We are really trying to get to a place where we are equipping those folks who are doing the active defense on the network who are overtaxed, under-resourced and having a swath of threats coming at them.
We want to take what we know from an intelligence aperture and we want to downgrade it, so that we can tell them, this is really specific. As in, this is Russian wiper malware that we think that they're going to deploy globally; this is Chinese obfuscation networks where we see them connecting to your system or systems in your sector. And so on.
For NSA, that has been a huge culture change. Getting our analysts in a channel or in a meeting with industry partners has not been a small feat.
Corless: There’s a larger initiative that the Department of the Treasury started about six months ago called Project Fortress, which is essentially a proactive way of engaging the financial sector to ensure that they are benefiting from all of the U.S. government and private sector capabilities and data that they possibly can, as they take actions on their network.
Another part of Project Fortress is our own new initiative, which is the Treasury Cyber Collaboration Suite, which we call the T-Suite, and that is our own collaboration center. We opened the doors at a downtown facility in DC about six months ago or so, and we are able to bring in cleared members of the financial sector to sit side by side with us, and proactively share information with them on a weekly if not daily basis, depending on the nature of the issue. We share information on a tactical basis with them. We also have various strategic conversations about the big trends that we see on the horizon. What we're starting to see is the beginnings of a campaign where we're collaborating together toward a solution in defense of our networks.
Madsen: We have been using commercial cyber threat intelligence. We have contractual relationships with multiple vendors to apply all-source analysis techniques to take information and derive strategic insights about the threat landscape that can serve a variety of purposes. Most recently, we published an unclassified product on our open website looking at trends in the ransomware threat, to answer the question: how many attacks are occurring, and is the threat getting better or worse?
We did this in support of the White House's counter-ransomware initiative, and we looked at trends geographically across the different continents and also within each continent, and broke it down by ransomware's impact on sectors.
The goal was to show to this broader international audience of 68 nations that ransomware is not just a U.S. and Western Europe problem, but also a global problem that could benefit from the exchange of ideas and lessons learned.
We've also shared other cyber threat intelligence at a very broad unclassified level. We published a piece that highlighted the cyber physical attacks on the water sector. It profiled, since late 2023, attacks that have been conducted by IRGC [Islamic Revolutionary Guard Corps]-linked actors using the moniker Cyber Avengers, who have used default configuration mistakes and default passwords in programmable logic controllers, to cause disruptions or deface the control interfaces of these systems across the water sector, agriculture sector and targets worldwide. That same piece also profiles some of the activity by Cyber Army of Russia Reborn, both in rural areas targeting the water sector, but also in other areas of the United States where they've targeted the energy sector and the food and agriculture sector.
And finally, we've thought about how we use these analytic insights to educate the private sector. One of the challenges out there is North Korean cyber actors who are basically working to generate revenue for their government. There are North Korean IT workers that will basically gain virtual employment under false auspices. They will adopt seemingly U.S. identities, they will have people that facilitate the backstopping of that identity, and the proceeds that they earn from their IT work gets sent back to North Korea to help with revenue generation and sanctions evasion. We published an unclassified product that also supported the FBI in identifying some of the key indicators for a company that might suggest they are being targeted by a North Korean cyber actor seeking employment under these auspices.
I think there's definitely a market for this unclassified analysis. One gap that we see, and one potential opportunity, is how do we more directly work with the IC to tailor our intelligence to the state and local level, and to the critical infrastructure operators out in the field that may be cleared to the secret level, that may be able to have a productive conversation.
Barrett: Could you paint the picture of the water problem, in terms of attacks?
Madsen: Let me walk you through a day in the life of the Cyber Army of Russia Reborn. They scan the internet and they're looking for default passwords, unpatched software, misconfigurations, and they're looking for it in a particular type of software. It's basically something that allows you to have a remote view into a human user interface. The water sector uses this to have remote access to programmable logic controllers that control the water flow in and out of tanks.
What these actors do is scan broad swaths of the internet, find these vulnerable systems, take advantage of these vulnerabilities, and then they just randomly start manipulating the interface. Sometimes nothing happens. Sometimes something does happen, and we've had several instances where they have caused tanks to overflow or wastewater to be spilled.
You can imagine that there is a public health and safety aspect to this. One of the key messages for this type of threat actor that we've tried to convey to the water sector is, you may be a target. It’s not that they are targeting you explicitly; it's just because you're connected to the internet. And that's a mindset shift, particularly if you're in one of the more rural locations. You've got a lot of things on your plate, and you may not think you're a target, so you think it's okay to take these shortcuts. One of the messages that we've tried to convey from this particular incident is to say: you actually might be a target. And we could see more foreign actors adopting similar tactics in the future.