Security OperationsMay 9, 2024

NSA: Nation state actors aren't after your data — they want your OT

In his “State of the Hack” session at RSA Conference, NSA’s David Luber said attackers are thinking beyond data theft and targeting operational technology. That's why your team needs to look deeper and longer for signs of compromise.

Paul Roberts, Director of Content and Editorial at RL

Companies in the crosshairs of advanced persistent threat (APT) actors need to worry about more than just data theft and industrial espionage, as hacking crews backed by Russia, China and other adversaries focus on the goal of disrupting the operation of critical infrastructure, industries and the U.S. military, the U.S. National Security Agency (NSA) told attendees at the annual RSA Conference in San Francisco.

NSA’s Cybersecurity Director, David Luber, said in an RSAC session called “State of the Hack” on Wednesday that, as a result of this move by APT actors beyond data theft as a primary driver, companies need to look deeper and longer for signs of compromise than they might have previously assumed. That should include retaining logs for longer, and devoting more resources to analyzing their contents to spot irregularities, Luber said.

Luber was joined on stage by former NSA Cybersecurity Director Rob Joyce, who discussed the current state of exploitation across the internet, including observations about state-based actors and criminal entities.

Sophisticated state hackers that are targeting critical infrastructure and other high-value targets in the U.S. and elsewhere are more interested in persistence on sensitive networks, and in developing an intimate understanding of how those networks operate, than in espionage and the theft of sensitive intelligence, Joyce told the audience.

“They want to understand the topology and the capability of [Operational Technology] systems. [The goal is] to disrupt business processes at a time of their choosing.”

Rob Joyce


'Think differently' about how to look for evidence of compromises

Joyce said that the attackers the NSA is tracking often go quiet after establishing a presence in target environments, making them hard to detect among the noise of ordinary network activity. “They can burrow deep and come in every 15 or 20 days just to confirm that the (network) topology hasn’t changed significantly,” Joyce said.

Furthermore, those check-ins by APT groups may take place using legitimate credentials from a compromised or hacker-controlled account and during normal business hours, making it far more difficult for organizations to flag suspicious behavior. That means organizations that are trained to look for telltale threat actor behaviors like data exfiltration, or patterns of communications to command and control (C2) networks or sanctioned nations are unlikely to see any alarms triggered, Joyce said.

In response, the current and former NSA Cybersecurity Directors urged attendees to “think differently” about how they look for evidence of compromises: retaining logs for much longer and devoting more attention to analyzing their contents for subtle signs of compromise.

The talk was part of a larger effort to sound alarms about the forays of foreign adversaries onto the networks of U.S. firms and critical infrastructure owners and operators. On May 1st, for example, the NSA issued an “Urgent Warning” regarding threats to OT systems. In it, the NSA along with CISA, the FBI, the U.S. Department of Energy (DOE) and other agencies warned that “pro-Russia hacktivists are conducting malicious cyber activity against operational technology (OT) devices and critical infrastructure organizations." The hacktivists are attacking and compromising what were described as “small-scale OT systems in North American and European Water and Wastewater Systems (WWS), dams, energy, and food and agriculture sectors.”

While those attacks were characterized as “unsophisticated,” the agencies warned that the threat actors “are capable of techniques that pose physical threats against insecure and misconfigured OT environments,” including manipulating human-machine interfaces (HMIs) used to control water pumps and blower equipment in order to make them exceed their normal operating parameters, turning off alerts and warnings, and changing administrative passwords to lock out the operators.

Luber declined to speak in detail about specific incidents, but said sectors like transportation, energy and government agencies are all being targeted. Joyce added that organizations that had “capabilities that might help the U.S. military mobilize to Southeast Asia” were particular targets of nation-state actors, and should be on alert.

State-backed APT actors are also targeting civilian infrastructure

State actors are also exploiting weaknesses in civilian infrastructure in the U.S., Europe and other nations to further their campaign. For example, Chinese APT groups like Volt Typhoon have exploited unsupported and “end of life” small office and home office (SOHO) broadband routers and other edge devices, assembling massive botnets that are used to disguise the origins of malicious attacks.

That means security teams looking for traffic to and from systems in China, Russia or other sanctioned countries as evidence of a compromise may be surprised to see attacks coming from residential IP addresses within their country, instead.

“No professional group is going straight out of those countries.”

Rob Joyce

To counter the threat posed by these persistent, quiet compromises, organizations should invest in stronger identity management and authentication technologies to shore up the security of employee accounts. They should also prepare security teams for increasingly sophisticated phishing attacks that leverage the use of artificial intelligence. Finally, organizations should dig deep into log files to look for patterns of activity that can't be accounted for, including access attempts from low-value edge devices like residential routers, which are being compromised by state actors and used as part of large botnets that support targeted attacks, Joyce and Luber said.
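The two points above, the sparse check-ins every 15 or 20 days made with legitimate credentials, and the rare-source logins from residential addresses, can be turned into a concrete log check. The following Python script is an added example written for this post; it is not NSA guidance and not code from ReversingLabs. It assumes a simple constructed authentication log format ("timestamp user source_ip result"), invents two accounts ("alice" and "svc-ot-maint") and uses IP addresses from the RFC 5737 documentation ranges. The heuristic is an assumption: for each account, the addresses that account for most of its logins are treated as baseline, and logins from any other source are laid out on a timeline; if those rare-source logins recur with long, regular gaps, the account is reported. It also goes one step beyond the talk by showing the same data analysed under a 30-day and a 90-day retention window, which is what makes the "retain logs longer" advice concrete.

```python
"""Find sparse, regular 'check-in' logins hidden among normal activity.

Added example (assumed log format and assumed heuristic, not the NSA's or
ReversingLabs' method).  Sample data is constructed inline.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

START = datetime(2024, 1, 1)   # constructed: first day of the sample log


def build_sample_log():
    """Return constructed auth log lines covering 90 days.

    'alice' logs in every weekday from a corporate address and once from a
    hotel network.  'svc-ot-maint' logs in every weekday from the OT jump
    host, but also every ~17 days, during business hours, from a different
    residential-looking address each time (documentation-range IPs).
    """
    lines = []
    checkin_days = [3, 20, 37, 54, 71, 88]            # ~17-day cadence
    checkin_ips = ["198.51.100.23", "203.0.113.9", "198.51.100.77",
                   "203.0.113.140", "198.51.100.5", "203.0.113.61"]
    for day in range(90):
        ts = START + timedelta(days=day)
        if ts.weekday() < 5:                           # normal weekday logins
            lines.append(f"{(ts + timedelta(hours=8, minutes=30)).isoformat()} alice 10.1.4.22 success")
            lines.append(f"{(ts + timedelta(hours=7, minutes=55)).isoformat()} svc-ot-maint 10.20.0.5 success")
        if day == 40:                                  # one-off rare source, not periodic
            lines.append(f"{(ts + timedelta(hours=19)).isoformat()} alice 203.0.113.200 success")
        if day in checkin_days:                        # the quiet check-in
            ip = checkin_ips[checkin_days.index(day)]
            lines.append(f"{(ts + timedelta(hours=10, minutes=30)).isoformat()} svc-ot-maint {ip} success")
    return lines


def parse(line):
    """Parse one constructed log line into (timestamp, user, ip, result)."""
    ts, user, ip, result = line.split()
    return datetime.fromisoformat(ts), user, ip, result


def find_periodic_checkins(lines, now, retention_days, baseline_share=0.2,
                           min_events=3, min_gap_days=10, max_gap_days=45,
                           tolerance=0.25):
    """Report accounts whose rare-source logins recur at long, regular gaps.

    Only lines within the retention window (now - retention_days) are
    considered, so a short window hides a slow cadence simply because too
    few events survive to establish a pattern.
    """
    cutoff = now - timedelta(days=retention_days)
    logins = defaultdict(list)                         # user -> [(ts, ip)]
    for line in lines:
        ts, user, ip, result = parse(line)
        if result == "success" and ts >= cutoff:
            logins[user].append((ts, ip))

    findings = {}
    for user, events in logins.items():
        by_ip = Counter(ip for _, ip in events)
        # Baseline = any source carrying at least baseline_share of this
        # account's logins; everything else is a rare source.
        baseline = {ip for ip, n in by_ip.items() if n / len(events) >= baseline_share}
        rare = sorted(ts for ts, ip in events if ip not in baseline)
        if len(rare) < min_events:
            continue
        gaps = [(b - a).total_seconds() / 86400 for a, b in zip(rare, rare[1:])]
        med = median(gaps)
        if not (min_gap_days <= med <= max_gap_days):
            continue
        # Regular cadence: every gap within +/- tolerance of the median gap.
        if all(abs(g - med) <= tolerance * med for g in gaps):
            findings[user] = {
                "events": len(rare),
                "median_gap_days": round(med, 1),
                "sources": sorted({ip for ts, ip in events if ip not in baseline}),
            }
    return findings


def demo(retention_days):
    """Run the detector on the constructed log as seen on day 90."""
    return find_periodic_checkins(build_sample_log(), START + timedelta(days=90), retention_days)


if __name__ == "__main__":
    for days in (30, 90):
        print(f"retention={days}d: {demo(days)}")
```

With 30 days of logs only two of the check-ins survive, so nothing is reported; with 90 days the service account is flagged with six rare-source events at a median gap of 17 days, while alice's single hotel login is correctly ignored. The thresholds are starting points to tune against real data, and a production version would also join the rare sources against residential or consumer-ISP address intelligence rather than relying on rarity alone.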
