What better way to celebrate Cyber Security Awareness Month than with news of our lack of awareness? From the Wall Street Journal (October 5, 2024):
A cyberattack tied to the Chinese government penetrated the networks of a swath of U.S. broadband providers, potentially accessing information from systems the federal government uses for court-authorized network wiretapping requests.
For months or longer, the hackers might have held access to network infrastructure used to cooperate with lawful U.S. requests for communications data, according to people familiar with the matter, which amounts to a major national security risk.
Verizon Communications, AT&T and Lumen Technologies are among the companies whose networks were breached by the recently discovered intrusion, the people said.
When a judge approves a FISA wiretap request, the U.S. government enters the networks of Verizon, AT&T, etc., through its own special back door. For, you see, “The US has long pressured telecom companies to develop infrastructure for ‘lawful interception’ so that they can access communications from network users; but of course, if the access systems exist, they can be exploited.”
Infrastructure for “lawful interception” is just as available for unlawful interception.
Open to Typhoons
In April 2024, H.R.7888 was rushed through Congress to become Public Law No. 118-49, which reauthorized “a controversial spying law, referred to as Section 702 of the Foreign Intelligence Surveillance Act (FISA). Not only did the House expand its mandate for at least two more years, but it also widened its reach considerably.”
Some call it the Make Everyone a Spy Act because of the way it expands definitions of U.S. electronic communication service providers down to the level of home routers and other household devices. In the view of Senator Ron Wyden, the provision “is not necessary, and there’s certainly no justification for this vast expansion of surveillance authorities.”
This expansion of the meaning of “service provider” is now in the service of communists and other rogues with enough skill to discover and enter Washington’s back doors. As TechRadar puts it, “In an all too predictable turn of events, Salt Typhoon…has reportedly hijacked government systems to breach several American broadband providers and gain access to the interception portals required by US law.”
Salt Typhoon is not an actor. It is Microsoft’s designation for a cyber operation. The federal government uses these designations as well. Operations may correspond to specific teams or they may overlap teams or even duplicate teams. Salt Typhoon was preceded or accompanied by Brass Typhoon, Volt Typhoon, and Flax Typhoon.
Volt Typhoon has been better known until now. The focus of Volt seems industrial: “These adversaries compromised U.S. organizations, especially in the communications, energy, transportation, and water and wastewater systems sectors.” The hackers use “hands-on-keyboard activity…to maintain and expand access to the victim networks.”
Morgan Adamski, director of the National Security Agency (NSA) Cybersecurity Collaboration Center, says that Volt Typhoon “is not a ‘this month’ problem. It is going to be a problem for multiple years, and we are seeing Volt Typhoon activity every single day. We are learning about new intrusions.”
Things, etc.
Then there’s Flax Typhoon.
Has the Internet of Things captured your imagination? Got a kitchen with appliances that communicate? You’ll be sharing them with Flax Typhoon’s massive botnet.
Federal “government agencies accused the Flax Typhoon crew of amassing an SQL database containing details of 1.2 million records on compromised and hijacked devices that they had either previously used or were currently using for the botnet.”
In September, the Department of Justice announced that it had disrupted a Flax botnet of more than 200,000 consumer devices, “including small-office/home-office routers, internet protocol cameras, digital video recorders, and network-attached storage devices.”
Public Law 118-49 allows federal access into those devices too. So it’s going to become an Internet of Things and Intruders.
“As described in court documents unsealed in the Western District of Pennsylvania, the botnet devices were infected by People’s Republic of China state-sponsored hackers working for Integrity Technology Group, a company based in Beijing.”
This Integrity Technology, a publicly traded firm, has a listed address, issues press releases, and advertises its services to the public. With 17 intelligence agencies at its beck and call, the United States should be able to detect everything coming in or going out of that address. Hmm.
According to the Department of Justice, “The company built an online application allowing its customers to log in and control specified infected victim devices, including with a menu of malicious cyber commands using a tool called ‘vulnerability-arsenal.’ The online application was prominently labelled ‘KRLab,’ one of the main public brands used by Integrity Technology Group.”
Integrity Technology sells the fruits of its hacking to the highest bidder. It wins business from Hong Kong, for instance, selling cyber security services. It’s listed on stock analysis sites with no whisper of impropriety. Simply Wall St. reports that it “provides network security solutions in China.”
To do
Security consultant Dakota Cary says that Integrity Technology is “involved in many of China’s most important programs and efforts to improve its hacking capabilities. The [public] naming of the company” by Justice “demonstrates allied governments’ visibility into China’s operations” and enables researchers to investigate the company further.
What to do? For a start: close the back doors. The next chance to sunset Public Law No. 118-49 comes in less than two years. Meanwhile, we have a company, its address, its stock, and more. But we’re combatting its projects while leaving the firm itself alone.
It doesn’t have to be this hard.
James Roth works for a major defense contractor in Virginia.