Cybersecurity in 2024: The Year of the Three Typhoons

The past year in cybersecurity news was framed by two “typhoons” – Volt Typhoon and Salt Typhoon, the code names given to two massive Chinese state-sponsored attacks on American computer systems.

Volt Typhoon, a threat group linked to the Chinese government that was first identified by Microsoft in May 2023, made big news in February 2024 by penetrating dozens of networks involved in critical American infrastructure, including oil pipelines and power grids.

Volt Typhoon apparently began as a more modest effort to disrupt American computer networks on the island of Guam, perhaps in the context of a potential regional war breaking out between the United States and the People’s Republic of China (PRC). When the hackers’ tactics proved successful, the project expanded, pushing through the continental West Coast and into Texas.

The tactic that worked so well for the PRC’s hacker squads was called “living off the land,” meaning the hackers penetrated systems without causing any immediate damage or making aggressive moves that could tip off network security teams. Instead, they lurked in compromised networks, their malware disguised as legitimate system components, waiting for orders to strike.

Volt Typhoon was eventually repelled by purging its malware from hundreds of network computers and routers. Another China-backed hacking group called Salt Typhoon struck at the end of 2024, once again targeting critical infrastructure “in preparation to wreak havoc and cause real-world harm to American citizens and communities, if or when China decides the time has come to strike,” as FBI Director Christopher Wray put it.

Salt Typhoon went after telecom systems and Internet providers. In September, cybersecurity investigators revealed Salt Typhoon hackers were “living off the land” in the computer networks of major broadband providers, coming closer than ever to compromising the core routers that manage America’s titanic flow of Internet traffic.

Last Friday, Deputy National Security Adviser for Cyber and Emerging Technology Anne Neuberger revealed Salt Typhoon stole a massive trove of Americans’ cell phone records, penetrating nine major phone providers, including AT&T and Verizon.

Among other mischief, the hackers used their illicit access to “geolocate millions of individuals” by tracking their phones, and to “record phone calls at will” – including calls made by President-elect Donald Trump, his running mate JD Vance, and senior members of the outgoing Biden administration.

Perhaps most disturbingly, Neuberger said some of Salt Typhoon’s targets were still compromised, although cybersecurity teams from the big telecom companies disputed her assessment. Neuberger said Salt Typhoon could not be defeated until the Federal Communications Commission (FCC) formalizes tough new security requirements for phone carriers, and all of the carriers implement those protocols.

There was actually a third typhoon in 2024: Flax Typhoon, an immense botnet created by Chinese state-sponsored hackers that infested some 260,000 routers. The botnet, named “Raptor Train,” was designed to facilitate Distributed Denial of Service (DDoS) attacks – blizzards of malicious network connection attempts that can overwhelm targeted systems and make them inaccessible to legitimate users. The botnet also helped other Chinese state hacking groups burrow into computer networks around the world.

When the FBI took action to disrupt the Raptor Train botnet in September, Flax Typhoon actually struck back against FBI computer systems with a DDoS attack. The counterattack was unsuccessful, so FBI programmers were able to take control of Raptor Train and order the botnet to neutralize itself.

The Cybersecurity and Infrastructure Security Agency (CISA), the U.S. government’s leading electronic security agency, touted its success at “mitigating nation-state threats” from bad actors like China, Russia, North Korea, and Iran in its 2024 year-end review, but the PRC’s three Typhoons demonstrated that sophisticated state-sponsored hackers can wreak a great deal of havoc before their malware is pinpointed and destroyed. The refined ability of these hackers to lurk in systems for months or years before discovery is very unsettling.

Cyber Magazine on Tuesday described 2024 as a “difficult” year for cybersecurity professionals, with a resurgence of ransomware attacks (locking down a computer system until the victims pay ransom for their own data), a wave of DDoS assaults, and “ever more complex social engineering attacks.”

Social engineering is a troubling development because it is not really “hacking” in the conventional sense. Instead of using viruses and hacking tools to brute-force their way into computer systems, cybercriminals use social engineering techniques to trick their victims into trusting them and handing over valuable data, ranging from passwords to bank account numbers.

“Phishing” is one of the most common criminal strategies, tricking victims into compromising themselves with emails that appear to come from legitimate business contacts or personal friends. Social engineers have advanced their dark craft to include realistic-looking websites that harvest information from unsuspecting victims. 

Phishing emails and phony websites can be tailored to look trustworthy by stealing a little personal information from targeted organizations or intercepting some of their legitimate email correspondence.

In November, an information technology company called Ivanti, which specializes in supply chain management, released a survey that found social engineering has become nearly as common as traditional malware-based hacking attacks.

Social engineering is hard to defend against, because even the most sophisticated cybersecurity technology can be bypassed if an unsuspecting network user hands the keys to the kingdom over to criminal invaders. Ivanti found a majority of office workers were unaware of the latest cybercrime techniques, including using advanced artificial intelligence (AI) to perfectly simulate the voices of trusted individuals in telephone calls.

In 2023, cybersecurity experts warned about AI becoming a sharp weapon in the hands of hackers. In 2024, AI often became the target of cybercriminals. One of the hot new trends in cybercrime is “LLMjacking,” which means hacking into the large language models (LLMs) that power artificial intelligence systems. 

LLMs take a great deal of effort to compile and they are extremely complex, so sabotage can go undetected for quite some time. AI systems are increasingly given control over corporate and government resources, so penetrating an LLM can allow mischievous hackers to steal or abuse valuable electronic commodities, such as cloud server storage space.

Another growing concern is the “supply chain attack,” which refers to a hacking technique, not the target of the hack, although companies involved in vital physical supply chains have certainly been attacked this way.

Like LLMjacking, supply chain attacks are a consequence of the incredibly complex and interconnected electronic environment we now live in. To put it simply, every network and computer application uses a “supply chain” of code and digital resources – nothing is written completely from scratch any more.

Supply chain hacking involves finding the most vulnerable, or most useful, link in the chain and ruthlessly exploiting it. For instance, instead of trying to break into one specific company, hackers could break into a cloud services provider or cybersecurity firm that serves many companies, abusing the trust relationship that exists between clients and vendors.

Modern digital supply chains can be many levels deep, providing many vulnerabilities for hackers to exploit. This is one reason why routers have been targeted by so many cybercriminals, including China’s state-sponsored Typhoon groups.

Compromising a single router can give hackers a back door into dozens of networks; compromising an entire class or model of router can open the door into thousands of networks. State-sponsored hackers demonstrated in 2024 that they have become highly adept at surveying the electronic battlefield and choosing their targets carefully.

via December 31st 2024