2024 in Review: Cyber Threats and the Fight to Secure Critical Infrastructure

By Staff

Re-posted with permission from https://xage.com/blog/cyber-attack-news-2024-attacks-on-critical-infrastructure/

This year, critical infrastructure faced an unprecedented surge in cyberattacks, exposing vulnerabilities across industries vital to our economy, security, and daily lives. From nation-state actors targeting telecommunications networks and energy grids to ransomware disrupting healthcare and financial services, the threats grew in both scale and sophistication.

In response, governments, agencies, and organizations began to strengthen their defenses, with new regulations, collaborative guidance, and calls for a shift toward proactive cybersecurity measures. Yet, as the attacks of 2024 demonstrate, there is still much work to be done.

Nation-State Threats Dominate Critical Infrastructure Attacks 

No discussion of this year’s critical infrastructure attacks can begin without addressing the headline-grabbing campaign by the Chinese state-sponsored hacking group Volt Typhoon. The group targeted the IT infrastructure supporting critical systems in the U.S., including energy grids, transportation networks, and more. While their campaign came to light this year, researchers believe Volt Typhoon had been entrenched in these networks long before. The group’s hallmark use of “living off the land” (LOTL) techniques made detection and mitigation particularly challenging. 

In response to the Volt Typhoon campaign, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert detailing widespread compromises across critical infrastructure. While the alert included recommended defenses, the campaign’s impact lingered for months. In August, researchers linked Volt Typhoon to the exploitation of zero-day vulnerabilities in U.S. internet provider Versa. The incident sparked controversy when Versa shifted blame onto customers, citing inadequate cyber hardening and the exposure of management ports as key vulnerabilities.

Volt Typhoon remains an active threat, continuing to infiltrate and maintain access to critical infrastructure, including energy and transportation systems.

Attacks on critical infrastructure were rampant in 2024, with entry points ranging from IT systems to industrial control systems (ICS). In April, three zero-day vulnerabilities in Cisco security products—collectively known as ArcaneDoor—were disclosed. These vulnerabilities were actively exploited to install backdoors in government agencies worldwide, an effort attributed to Chinese nation-state actors.

By July, a new malware variant, FrostyGoop, was discovered targeting ICS environments by exploiting the Modbus protocol, further underscoring the evolving threats to operational technology. These attacks provide just a glimpse of the mounting risks to critical infrastructure. 
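Because FrostyGoop is described above as abusing the Modbus protocol itself rather than a software bug, the monitoring question for a defender is which hosts are sending Modbus requests that change controller state. The Python below is an added example written for this page, not code from Xage or from the FrostyGoop research: it parses Modbus/TCP requests according to the public Modbus specification (MBAP header followed by the function code) and flags write-type function codes from any host outside an allow-list of engineering workstations. The host addresses, the allow-list and the three sample frames are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Modbus function codes that alter controller state (values from the public Modbus spec).
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}
READ_FUNCTIONS = {1, 2, 3, 4}


@dataclass
class ModbusRequest:
    src: str
    transaction_id: int
    unit_id: int
    function: int
    start_addr: Optional[int]
    quantity: Optional[int]


def parse_modbus_tcp(src: str, frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request (7-byte MBAP header + PDU).

    Raises ValueError on malformed input so a sensor never silently
    misclassifies a truncated or non-Modbus frame.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("MBAP protocol id must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    function = frame[7]
    start_addr = quantity = None
    if function in (5, 6):
        # single coil/register: 2-byte address followed by a 2-byte value
        if len(frame) < 12:
            raise ValueError("truncated single-write PDU")
        start_addr = struct.unpack(">H", frame[8:10])[0]
        quantity = 1
    elif function in (15, 16, 23) or function in READ_FUNCTIONS:
        # multi-register operations and reads: 2-byte address, 2-byte quantity
        if len(frame) < 12:
            raise ValueError("truncated address/quantity PDU")
        start_addr, quantity = struct.unpack(">HH", frame[8:12])
    return ModbusRequest(src, tid, unit, function, start_addr, quantity)


def flag_writes(requests: List[ModbusRequest], allowed_writers: set) -> List[str]:
    """Return one alert line per write request from a host not on the allow-list."""
    alerts = []
    for r in requests:
        if r.function in WRITE_FUNCTIONS and r.src not in allowed_writers:
            alerts.append(
                f"{r.src} -> unit {r.unit_id}: {WRITE_FUNCTIONS[r.function]} "
                f"@ {r.start_addr} x{r.quantity} (tid {r.transaction_id})"
            )
    return alerts


# Constructed sample traffic: (source host, raw Modbus/TCP frame). Not real captures.
SAMPLE_FRAMES: List[Tuple[str, bytes]] = [
    # HMI reading 10 holding registers from unit 1 (function 3) - benign
    ("10.0.0.5", bytes.fromhex("0001 0000 0006 01 03 0000 000A")),
    # Engineering workstation writing a single register (function 6) - allow-listed
    ("10.0.0.20", bytes.fromhex("0002 0000 0006 01 06 0010 0064")),
    # Unexpected host writing two registers (function 16) - should be flagged
    ("10.0.0.77", bytes.fromhex("0003 0000 000B 01 10 0000 0002 04 0001 0002")),
]

# Constructed allow-list: only the engineering workstation may write.
ALLOWED_WRITERS = {"10.0.0.20"}


def run_demo() -> List[str]:
    """Parse the sample frames and return the alerts a sensor would raise."""
    requests = [parse_modbus_tcp(src, frame) for src, frame in SAMPLE_FRAMES]
    return flag_writes(requests, ALLOWED_WRITERS)


if __name__ == "__main__":
    for line in run_demo():
        print("ALERT:", line)
```

The allow-list approach works because Modbus carries no authentication of its own: the protocol cannot tell an engineering workstation from a compromised host, so the source address and the function code are the only signals a passive sensor has, and a write from an unexpected source is worth an alert regardless of payload.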

Government Response

Attacks on critical infrastructure continued to highlight the poor state of security in these industries throughout 2024, with a notable uptick in both the volume and severity of incidents. In response, the year saw a surge of government rulings and guidance aimed at addressing these vulnerabilities.

In April, CISA introduced new rules for incident reporting in critical infrastructure sectors, opening them for public comment. Secretary of Homeland Security Alejandro Mayorkas emphasized the importance of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), stating in an interview with The Record: “CIRCIA enhances our ability to spot trends, assist victims of cyber incidents, and rapidly share information with other potential targets, driving risk reduction across all critical infrastructure sectors.”

However, some cybersecurity experts expressed concerns that the proposed rules could prove overly complex and burdensome.

The conversation intensified in May following high-profile state-sponsored attacks, such as the Volt Typhoon campaign. In response, the White House issued a national security memo on critical infrastructure cybersecurity, focusing on enhancing the security and resilience of U.S. systems.

By June, CISA expanded its efforts by collaborating with international organizations to release guidance on securing modern network access. Key recommendations included adopting zero trust architectures, moving away from VPNs due to inherent vulnerabilities, and strengthening remote access security. These measures gained urgency as VPN access came under scrutiny following multiple high-profile attacks throughout the year.

Firewalls: From Gatekeepers to Gateways

Firewalls found themselves at the center of significant compromises and exploits in 2024.

In October, a zero-day vulnerability in Fortinet’s FortiManager platform—used to manage Fortinet devices such as FortiGate firewalls—was officially disclosed. This flaw allowed attackers to enable remote code execution (RCE) and gain full control over FortiManager and the devices it managed. While the exploit didn’t directly target VPNs, an attacker who compromised FortiManager could alter managed device configurations, potentially impacting VPN and firewall settings and causing cascading network vulnerabilities.

Palo Alto Networks wasn’t spared either, with a string of vulnerabilities surfacing throughout the year. In April, the company disclosed a critical PAN-OS vulnerability (CVE-2024-0024) that allowed attackers to bypass authentication and gain administrative control via the web interface. The flaw was actively exploited in the wild and prompted urgent patches, along with recommendations to restrict web interface access and enforce MFA.

In October, researchers uncovered a chain of vulnerabilities in Palo Alto Networks’ Expedition tool, which, when combined, could let attackers access database contents and write files to the system, exposing cleartext passwords, device configurations, and API keys for PAN-OS firewalls. Then, in November, Palo Alto issued another advisory for a critical vulnerability in their next-generation firewalls that enabled attackers to bypass authentication and gain administrative access via the management interface, posing a risk to affected organizations.

Vulnerabilities like these carry profound consequences, including the potential to endanger human lives. A stark example occurred in 2020, when Sichuan Silence Information Technology—a Chinese cybersecurity company closely tied to PRC intelligence agencies—exploited a zero-day vulnerability in Sophos firewalls. By leveraging this flaw, Sichuan Silence compromised over 80,000 firewalls globally, including 23,000 in the United States.

Among the affected targets were 36 organizations in U.S. critical infrastructure sectors, most notably an energy company actively drilling at the time of the attack. The incident had the potential to cause catastrophic loss of life.

This month, the United States issued sanctions against the entities responsible for these attacks. While sanctions often feel like a game of whack-a-mole, this action highlights the relentless challenge posed by foreign interference in U.S. critical infrastructure and underscores the severe stakes involved.
