
Threat Actors Entrenched in Critical Infrastructure

Threat actors are exploiting public-facing IT services to gain persistence

State-sponsored threat actors are now entrenched in critical infrastructure organizations across many countries. That is the conclusion the latest U.S. CISA report makes clear in detail (read the full report here).


CISA bases its observations on incident response engagements at critical infrastructure organizations compromised by a Chinese state-sponsored cyber group known as Volt Typhoon. The agency has been sounding the alarm on Volt Typhoon since last May, when it documented the techniques the group uses to stay hidden within these organizations (see "Living off the land to evade detection").


Although the report does not cover EU critical infrastructure, it is safe to assume the same techniques have yielded persistent access to many organizations in the EU as well.


Key Takeaway


The main technique used by the threat actor and highlighted in the report is exploitation of known or zero-day vulnerabilities in public-facing network appliances and devices (VPN gateways, web servers, reverse proxies, PLC/IoT devices, etc.).


That is particularly relevant for the wider Adriatic region we usually cover, as any Shodan scan of the area will readily reveal that vulnerable public-facing devices are rampant (see here).


That is particularly problematic with SSL-VPN devices, which are often left unpatched even months after active exploitation in the wild has been observed.

For example, you will still find Fortinet's widely used appliances exposed on the internet without a critical patch released last June, even though the vulnerability it fixes (CVE-2023-27997) has been widely exploited by threat actors since then (see this example).


Assessing these risks is becoming a critical step for many organizations in the EU, as the NIS2 directive makes its way into each member state's legislation.

So join us at the upcoming webinar, where we discuss the road to better security governance and how to automate risk assessments in OT environments with Radiflow.

