Cybersecurity Tools Are New Targets For Nation-State Hackers

A recent flurry of online espionage campaigns shows high-end hackers increasingly targeting and exploiting the very cybersecurity tools designed to keep them out.

A successful attack on a cybersecurity program offers hackers high-level access to the IT network it’s installed on, opening a path to the computer crown jewels. And those networks tend to belong to the most security-conscious organizations: Government agencies and companies in critical businesses such as banking, telecommunications and electric power – attractive targets for both nation-state hackers and those with financial motivations, such as ransomware gangs.

One recent hacking campaign, attributed by U.S. officials to China, used vulnerabilities in the Fortinet Fortigate firewall, marketed as a next-generation security solution. The hackers sought to establish a stealthy presence in the IT networks of vital service providers such as telecommunications and electricity companies in the U.S. Pacific Island territory of Guam – home to U.S. military bases that would be vital logistics hubs in any conflict with China. Microsoft, which identified the campaign in May, along with U.S. and allied cybersecurity agencies, dubbed the hackers Volt Typhoon.

And in July, two more online espionage campaign breaches were discovered in which the computer networks of U.S. allies were penetrated by intruders exploiting vulnerabilities in cybersecurity products from cyber firms Ivanti and Citrix.

The Volt Typhoon campaign illustrates the way IT networks have become contested and critical terrain in 21st-century great power contests. Hacking the enemy isn’t just about stealing secrets anymore, it’s become a key to victory on the battlefield. Cutting off communications or power to U.S. bases in Guam could be part of a Chinese online pre-emptive attack to cripple the U.S. military’s ability to move forces around the vast Pacific theater, according to U.S. officials.

“What we are starting to see… is targeting that is less about espionage and more about disruption and destruction,” U.S. Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly said recently when asked about the Volt Typhoon attacks. “In the event of a conflict, China will almost certainly use aggressive cyber operations to go after our critical infrastructure, to include pipelines and rail lines, both to delay military deployments and to induce societal panic,” she told a June 12 event at the Aspen Institute in Washington, DC.

Volt Typhoon and the other hacking campaigns also illustrate the benefits nation state hacker groups can gain by targeting security programs, said Bryan Ware, former CISA assistant director for cybersecurity. It’s “an interesting irony,” said Ware. “The most security conscious organizations become the ones at greatest risk when security products are compromised.”

Militaries, governments and corporations all rely on private sector companies to secure their own systems, and will spend more than $219 billion globally this year on cybersecurity products and services, according to market intelligence firm IDC.

Besides the Volt Typhoon campaign, two other breaches were found this summer:

• The Norwegian government said July 24 that the IT networks of 12 ministries were penetrated by hackers who compromised the Ivanti security software installed on government-issued mobile phones. In August, officials announced the closure of the email and calendar systems for those ministries and their migration to a new platform, which they didn’t name. Once hackers had acquired access to an email server, best practices dictated a move to a new system, according to Geir Arild Engh-Hellesvik, department director at the Norwegian National Security Authority. The clear implication is that the email communications of all 12 ministries were compromised for at least four months.
• As many as 2000 Citrix devices, used to securely scale computer resources across large organizations including government agencies and security-conscious business sectors such as banking and telecommunications, were compromised by hackers during July and August, mainly in Germany, but also in Japan and across the EU, according to cybersecurity researchers Fox-IT. The vulnerability allowed hackers to install back doors in the systems protected by the Citrix devices, which would persist even after the vulnerabilities were patched, according to a warning from German authorities. They have not released any information about which agencies or companies were impacted.

These breaches, while not currently attributable to any particular country, bear all the hallmarks of nation-state hackers, according to ZeroFox, the private sector cybersecurity outfit where Ware is now chief development officer.

“Actors targeting security infrastructure typically have longer-term strategic objectives,” states a ZeroFox intelligence report, “Unlike typical cybercriminals who are prone to rushing their operations to get quick results, these actors demonstrate patience, quietly maintaining their presence in compromised systems and studying their environments” to prepare for whatever mischief they intend to inflict.

Behavior is an important marker that cyber analysts look for to understand who intruders in a system might be. Because the tools, called exploits, that hackers use proliferate so promiscuously, exploit use is generally not a good way to identify an attacker. As soon as cyber defenders discover a new exploit, they make it public – so that other defenders can secure their own networks against it.

But this often means other attackers can now use the exploit as well, muddying the waters for anyone attempting to identify a particular attacker, or even the parameters of a particular campaign – everyone can now use this new weapon in their own hacking campaigns, attacking any of their chosen targets that use the exploited software.

When those attacks are targeted against security software, they illustrate cybersecurity’s equivalent of the Willie Sutton principle, experts say. Just as Sutton famously robbed banks, because “that’s where the money is,” hackers attack security programs because they’re typically used by the most security conscious organizations – and they enjoy high-level trusted access in the systems where they’re installed.

Think of a cybersecurity program like the Iron Dome missile defense system that Israel uses to shoot down rockets fired at its cities, Tomer Bar, vice president of security research at cyber outfit SafeBreach told Newsweek: “But if the attacker can control the system, he can aim the missiles, not at incoming rockets, but at schools or hospitals.”

SafeBreach researchers presented three attacks exploiting that access at August’s annual hacker summer camp in Las Vegas, a confluence of the top U.S. cybersecurity conferences, which this year included a large number of such presentations – focused on security software.

“Security vendors, like any other vendors, will build flaws into their software…There will be bugs in the program,” said Guy Bejerano, SafeBreach CEO. He said SafeBreach researchers, like other white hat hackers presenting at the conference, had worked with the companies whose products they’ve hacked, so that the programming flaws they find, called vulnerabilities, can be fixed, or patched, before the attacks are made public.

But he said researchers were on a “mission to call [security companies] out” to make sure they “are fulfilling their promise.”

Shaun Waterman can be reached at [email protected]. Follow him on Twitter @WatermanReports.