China-linked attackers are successfully targeting network security devices, worrying officials

SAN FRANCISCO — China-linked attackers are exploiting zero-day vulnerabilities and using the defensive gaps in network security devices to gain persistent access to U.S. critical infrastructure organizations and enterprises, experts said Monday at the RSA Conference.

Espionage groups linked to China are identifying, researching and exploiting the most zero-day vulnerabilities out there, and they’re focusing on devices that typically don’t support endpoint detection and response, said Charles Carmakal, CTO at Mandiant Consulting, Google Cloud.

Network security devices, including routers, firewalls, VPNs and VMware hypervisors, don’t allow administrators to log into a device, view the operating system command line and see files running on the system, Carmakal said at a Google Security threat intelligence panel during the conference.

Because of this gap, victim organizations rarely discover that a malicious actor has compromised their devices and deployed malware. These undetected intrusions allow attackers to gain long-term access within a victim environment.

Intrusions by the state-sponsored threat group Volt Typhoon and other China-linked groups are part of an extensive effort to maneuver in preparation for future attacks, federal authorities warned earlier this year. 

Volt Typhoon has already embedded itself inside the systems of multiple critical infrastructure organizations using living off the land techniques that obscure malicious activity. 

“The Chinese threat absolutely is the one that is keeping us awake every night,” Brandon Wales, executive director at the Cybersecurity and Infrastructure Security Agency, said on stage at an Axios event during the RSA Conference. 

 The threat from China-linked attackers is driving action at the government level because “they’re looking to cause systemic harm to this country to preposition only for attack and destruction,” Wales said. “The scale of China’s cyberattack capability is so immense and growing that it has to be front of mind for us.”

CISA has visited numerous critical infrastructure organizations to learn more about China’s cyber activities. “In every single case they got in through vulnerable edge devices on those networks,” Wales said. 

“If we want to make a measurable impact, if we want to make it harder for the Chinese to be ready to disrupt or destroy U.S. critical infrastructure, it starts with making those products harder to attack, making them easier to secure and making it easier for our critical infrastructure to secure themselves,” Wales said.