Dissecting How Chinese Hackers Breached Verizon, AT&T and Lumen | WSJ

WSJ News
Brandon Wales, the former executive director at the Cybersecurity and Infrastructure Security Agency...
Video Transcript:
- So I was struck when news of this whole typhoon story broke by my colleagues at the Journal, description of the attack, and their view that it was potentially catastrophic. In a world in which there are many, many cyber attacks and cyber breaches, that's pretty extreme language. So what makes this particular episode so unusual?
- So I think there are a couple of things that have come out already and, you know, we should recognize that this is early days and the both US government, the communications companies, other parts of the cybersecurity community, are just getting their arms around what exactly happened. But so far we know that China, a likely part of their intelligence apparatus, compromised multiple communications companies. And according to the Wall Street Journal, three of the biggest ones in the country, AT&T, Verizon, and Lumen, were compromised for at a minimum months, potentially longer.
So again, deep access to the most critical communications companies in the country. And in part, they had access to the systems that controlled the way in which the US government requested lawful access under court-ordered warrants. So again, if they have access to that type of information, they potentially have access to other critical and sensitive information on those networks.
And so the idea of the scale of what they can do, the scale of the access, and their ability to remain undetected for months, to me is extremely significant and concerning. And I think that we'll likely learn more about how problematic it truly was. - I hope we learn more.
So it begs the question, how did they do this? - You know, again, we don't know yet. We don't know the way in which they've gotten in, in this case.
But we can see that China has used a variety of tactics to compromise our most critical infrastructure in this country. Sometimes for intelligence gathering, sometimes to pre-position for future disruptive attacks. Even just last year, a group associated with China, with the name Storm-0558, compromised Microsoft in such a way that they had the sign-in keys for basically all of Microsoft Exchange Online, the ability to read emails from anyone that they chose to.
So they have demonstrated repeatedly an ability to get into our hardened networks from our most critical companies. - And what is the access route, and what does the edge have to do with that? - Yeah, so, you know, again, it's gonna be different in each context.
In the case of the Storm-0558 compromise of Microsoft, we still today don't know the initial intrusion vector into that attack. But in other cases, particularly in their pre-positioning on US critical infrastructure, think power companies, water companies, transportation, oil and gas, the vast majority of cases were compromised through vulnerable edge devices. - What do vulnerable edge devices include?
- They could be routers, mail gateways, VPNs. They often have very privileged access onto your network. They're notoriously bad at things like logging, and they are riddled, historically, with vulnerabilities.
Repeatedly, you're seeing cases where- - Is it fair to say that in many cases, these are unmanaged devices, or devices that sort of exist without a formal management structure? - I mean, they are managed, but the way in which they are structured tends to give them a lot of access. And unless you yourself are putting a lot of protections around them, it has proven difficult out of the box.
For example, you can't do the same kind of forensic analysis on those devices that you can do to others. You have to send them back to the manufacturer to have them decrypted to give you better insight in what's happening. And so it puts a lot more burden on the enterprise IT management to, and the security apparatus- - [Steven] Burden on the enterprise, that's the bottom line.
- 100%. I mean, again, these devices, because of the nature of their vulnerabilities and because of the way they're operated and configured, it puts a lot of burden on the users, in this case, the corporate IT departments and corporate CISO offices, to put in place security that's not there out of the box. - So I think one of the most interesting aspects of this story is this discussion of the extent to which routers, Cisco routers, may have been compromised.
What are your thoughts on that scenario? - Yeah, I mean, according to the Washington Post yesterday when writing about this, they indicated that the Chinese actors had reconfigured Cisco routers to enable exfiltration of information from these wiretap systems. Which both their ability to do that in production environments, their ability to do that without detection for months, demonstrates to me both a really significant set of capabilities that they were operating on, that they knew how to configure those.
- [Steven] That's incredible. - And that they weren't able to do without detection. - Without going too deep into the tech weeds, what does it mean to be able to remotely and, you know, in a secret manner, reconfigure a Cisco router?
- Yeah. - Or someone else's router. - I mean, you know, it requires a real deep understanding of how that network is operating, to be able to understand how to give commands to that router to begin to change without affecting the visibility for the operators to understand that.
It requires their ability to operate in parts of that network so they can move data in and out, particularly out, in this case, without detection. And, you know, I think we're, again, we're still at the early stages of this, and I think particularly with these kind of tactics, where they were able to use the operator's own equipment against them is concerning. - So given what we know or we think we know, what you know, about the situation, what are the takeaways so far for the enterprise?
- Yeah, and again, a lot of these takeaways go back to what the US government has been saying for a while when it comes to China, because of the improved both tactics and capabilities that they're employing, particularly using native administrative applications on networks against the networks itself. One, it requires operators to have much greater, deeper visibility into what's happening on their network so they can establish what is a normal baseline, and when things are happening outside of that baseline. Second, I think as we talked about earlier, protecting your edge.
In an environment where network boundaries are less clear. You've got hybrid cloud on-prem environments. Your ability to understand where your edge is, what kind of devices are operating on that edge, what kind of trust and authentication they have into your network and your ability to secure them is critical.
And third, and probably most important, given the Chinese ability to continue to compromise networks, is the ability to build operational resilience into your systems. Can you operate in a degraded or disrupted state? And I think as was mentioned earlier on this stage, you know, the CrowdStrike outage was a good demonstration of what China would like to do to us on a bad day, in the eve of conflict.
And we need to be prepared for disruptions to critical IT systems across the country, and can we continue to operate? I think the CrowdStrike outage says it now. - We should talk a lot more about that scenario in a moment.
But I just wanted to see if we can recap those three things for the enterprise are one, focus on the edge, two, resilience, and then three, or in this case, number one...
- Was the improved visibility for baseline operations. - Baseline operations. - Particularly for administrative applications on your network.
- Thank you, okay. What role does AI play in all of these tasks? - So, you know, I think that there are places where AI can improve a company's operations.
I would argue that today, you know, a lot of companies are coming out with cyber-enabled AI systems, arguably faster than adversaries are weaponizing AI. But the challenge is I don't think that we have yet seen you know, the best implementations of AI for real cybersecurity. I think that there are still a ways to go in terms of development and implementation.
You know, the company I work at now, SentinelOne, has one I think is important for helping SOCs be able to improve their ability to integrate data from a variety of different cybersecurity sources, including ones outside of ours. But there is a lot more work to do on AI. It is not a panacea in this case.
The types of solutions that need to be engineered into networks are still gonna require people to do some hard work to understand how they architect their networks in a more secure fashion, how they build in protections where they're lacking, how they give themselves the right level of visibility. AI can certainly help with some of those, but it doesn't replace them. - It doesn't fix the problem.
- Not yet. - Just one more question on those three areas where the enterprise needs to drill down. Where do you think the greatest vulnerabilities are?
If you look at companies sort of across the spectrum, where do they tend to be weakest or need the most work? - You know, I think you're gonna see companies be weak kind of across all three of those areas that I mentioned, but I will continue to, you know, hit on the vulnerable edge, because we have seen it be the exploit of choice for both nation states and ransomware groups repeatedly over the past several years. And I would say since the pandemic has moved the workforce more remote, since the edge has gotten fuzzier with the way networks are architected today, we have seen almost every major cybersecurity campaign launched by an adversary, again, nation state or criminal, at some point is gonna exploit those vulnerable edge devices.
And if there is one place to focus in the short term, it's there. - So how do you think companies should think about risk more broadly, especially when it comes to China? - Yeah, I mean, you know, I spent some time in late 2021, early 2022, working with companies both before and after the Russian invasion of Ukraine.
And the one comment that a lot of them made is, particularly ones who had operations in Russia or had some dependence on Russia, that they were scrambling to figure out what to do, how to get out of Russia. I would argue that companies today, if you're not already thinking about what you would do the day after a crisis erupts over Taiwan, you're probably late. Because our business relationships, our technology dependence with China dwarfs what it was for Russia prior to the invasion.
So thinking about your risk profile when it comes to China, thinking about your dependence and your supply chain interactions with China, how do you secure your network that may have touchpoints there, particularly given the aggressive move by Chinese authorities to ask for encryption keys and source code on software for companies operating in China. You need to be thinking about your risk profile today. - What else can the government or should the government do?
It already has restrictions on the import and the export of hardware and software to and from China. Do those policies go far enough? - I mean, those are delaying tactics.
They're designed to slow, not stop, China's development of more advanced computers, more advanced technology, more advanced tools. They're working, but China is working very hard to counteract them. They've got aggressive efforts to develop things homegrown, and the US is gonna have to stay on top of that if they hope to continue to contain China's technological advancements they plan on using for both civilian and military applications.
I don't think that that stops China from getting where they want to be. It may just affect the timeline for getting there. - What do you think that these attacks tell us about the potential for military complication between China and Taiwan, China and the US, China and any other country?
- So you know, these, you know, this operation against communications companies is largely, we believe, from looking at it from the outside, an intelligence-gathering operation. Something that they've done for a long time, they've just scored a major success getting, you know, our biggest communications companies. That being said, and US officials have talked about this publicly, you know, Xi has given direction to the PLA to be prepared militarily to retake Taiwan in 2027.
Now, whether they get there, whether they are ready, and whether he believes the generals when they tell him that they're ready is an open question. But they're operating on a 2027 timeline to be ready. And that means on our end, we need to be equally prepared, both inside the United States, but as well as with our partners and allies in Asia that may be confronted with that type of crisis.
So time is not on our side, and we need to be doing everything we can to be as ready as possible. And it's why when I talked about companies needing to be cited on the fact that they need to understand their risk posture when it comes to China, that there is no time to wait. - I wanna follow up on what exactly being more ready entails, but I also wanted to just see if there are any questions from the audience.
If you do, yes, please, Tim. - [Tim] Hi, Tim Crawford with AVOA.
So my question is, it's one thing when we start talking about activities that are coming from offshore to the US, but what's to prevent things from actually germinating within the borders of the US, even if it is funded by nation states? You know, we talk about, you know, maybe more, in other ways we talk about sleeper cells. But you could potentially have the same kind of situation taking place within some of these high-performance computing environments that now have access to networks and activities that you have that kind of natural boundary if they're coming from overseas.
- So a couple of points. One, you know, most attacks against our critical infrastructure, including from the Chinese government, may originate overseas, but they're gonna be operating through our own infrastructure. So if we look at some of the operations that the US government has taken to disrupt Chinese net obfuscation networks, those are largely taking down US small and home office routers that are being used to actually attack US critical infrastructure.
They're just the path that the Chinese go through. Second, you know, the insider threat picture is equally concerning. I think you've seen more recently cases, in this case, not China, but more often than not North Korean, putting IT workers to be hired by US companies who give them privileged access inside of these, or in some cases they'll be masquerading as an employee from a third country, but they're really gonna be a North Korean IT worker.
So that is real, and US companies right now today are dealing with that. But they're hiring workers that they think pass the clean bill of health, but they're actually North Korean government cybersecurity workers who are both maybe doing some work on the side, but more importantly, they're using their access to get hard currency for the country, or- - I wanna go to one more question. - Sure.
- I believe there's one more question in the back. Yes, please. - Great, thank you.
Sabina Ewing, Abbott. So given that I think the FBI states it at 100 to 1 when we look at the competition of the coverage in China, they could put 10 million people on this, you name it. How, from your government experience, and now at SentinelOne, is the cyber tech advocating for more of a Truman Doctrine type approach to how we go after nation state engagement?
'Cause I don't know about anybody else in the room, but when I think about my cyber workforce, I don't have a million people to put against it. And if a tank, I often say if a tank rolled up to the headquarters of Abbott, right, I would be expecting, in a kinetic situation, the US government to respond, whereas right now I have to have an anti-tank missile, in the equivalency, for cyber. So I'm just curious how you all see that.
- Yeah, no, I appreciate that, and I, you know, I like to say that, you know, in the next conflict, the private sector is not on the front line, it is the front line. That is the fact in cyber, that the things they're gonna go after are the private sector, that's what we're seeing today. It is also true that we are never gonna match China for total capacity, given what they're throwing at these problems.
They have the ability to walk and chew gum at the same time to continue to expand their intelligence gathering at the same time that they're expanding their ability to target networks for future attack and disruption. I think what separates us from them is innovation that's happening here, and the vibrancy of our private sector community. They don't have the same type of vibrant private sector cybersecurity community that we do.
And oftentimes, that's gonna be the difference between success or failure to us. And if we're able to continue to innovate and look for ways to scale our solutions across our entire country, that's the way in which we're gonna compete with China when it comes to cyber. Being smarter, focusing on what matters, being ruthless about prioritization, and ultimately working between government and industry to use all the innovation we can, protect our most critical systems.
It is gonna require that type of cooperation. No company should expect to operate on their own against the nation state, but a lot of the burden is gonna be on you. And the government should be there to help and assist where it can.
It can do things that the private sector can't, like disrupting operations overseas, disrupting their operational infrastructure, making it harder for them to operate. But ultimately, working together with industry I think is our best hope of meeting the challenge that we face ahead of us.