April 12, 2024

😎 TGIF, everyone. Welcome back to Codebook.

  • 🌷 Brb, planning my trip to one of D.C.'s many tulip gardens before the summer humidity sets in.
  • 📬 But first: Have thoughts, feedback or scoops to share? [email protected].

Today's newsletter is 1,398 words, a 5.5-minute read.

1 big thing: China's never-ending threat to U.S. infrastructure

Illustration: Sarah Grillo/Axios

Nearly a year after the U.S. government first named and shamed an ongoing Chinese hacking campaign against American infrastructure, top cybersecurity leaders say the threat is still as palpable as ever.

Why it matters: China's Volt Typhoon group has displayed a persistence that's rare among nation-state hackers, experts say.

What they're saying: "Am I alarmed and do I have heartburn over what Volt Typhoon and what other Chinese actors are capable of doing? Yes, absolutely," Kemba Walden, the former acting national cyber director, said at last week's Verify conference outside San Francisco.

  • "They're motivated, they're creative," she added. "It tells me that we need to continue to focus on the basics."

Catch up quick: Last May, Microsoft and the National Security Agency publicly outlined how Volt Typhoon was stealthily lurking inside American infrastructure — in some cases, maintaining access to those networks for at least five years.

  • Officials have seen evidence of the group targeting electric grid operators, shipping ports and water systems, according to reports.

Threat level: But Volt Typhoon hasn't changed its behavior — even after a series of U.S. congressional hearings, advisories and botnet takedowns, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), told Politico late last month.

Between the lines: Volt Typhoon doesn't rely on sophisticated tactics to break into systems. It's just the group's persistence — paired with many infrastructure operators' lack of resources — that makes this threat unique, experts say.

  • Many of the tactics that Volt Typhoon uses to obfuscate its activities, gain access to a network, and maintain that access are relatively easy for any skilled hacker to do, Ben Read, director of Mandiant's cyber espionage analysis team, told Axios.
  • But clamping down on the activity requires a level of coordination among critical infrastructure operators that doesn't really exist.

Zoom in: For example, the overall U.S. water system has at least 150,000 individual systems, each run by different entities and individuals.

  • To keep Volt Typhoon out, each system operator would need to be able to prioritize software upgrades, password resets and other CISA advice.
  • Most of the country's 16 critical infrastructure sectors are similarly fragmented.

The big picture: American infrastructure has gotten caught up in an increasingly tense relationship between China and the U.S.

  • So long as the fears about Chinese espionage and a potential invasion of Taiwan exist, infrastructure operators will continue to be targets, Tom Pace, CEO of cyber firm NetRise, told Axios.
  • "This is normal nation-state, game-theory shenanigans," said Pace, who previously worked on cybersecurity at the Department of Energy.

Yes, but: David Scott, a special agent in the FBI's cyber division, said at the Verify conference that the country has made a "great deal of progress" in raising awareness across the private sector and in mitigating Volt Typhoon.

  • Rear Adm. Jason Tama, the incoming commander of the U.S. Coast Guard Cyber Command, added that the government's ability to talk openly about the operation has also helped in meetings with infrastructure operators.

The bottom line: Federal agencies recommend operators implement multifactor authentication, enable and regularly review network activity logs, and set up automated threat detection tools.

2. Agencies caught up in Microsoft email breach

Illustration: Annelise Capossela/Axios

Russian intelligence hackers stole emails between federal agencies and Microsoft and potentially collected login credentials during a recent breach of the tech company, a top U.S. cyber official said Thursday.

Why it matters: Microsoft has said that the hacking group, known as Midnight Blizzard, is continuing to target its networks in an effort to steal its source code and its customers' secrets.

  • The U.S. government is heavily reliant on Microsoft's products, including its cloud infrastructure and email servers.

Zoom in: CISA published an emergency directive Thursday requiring affected agencies to study the contents of stolen emails for signs of leaked login information and other sensitive details.

  • Microsoft has also notified "several" federal agencies that their login credentials, session tokens or other authentication data may have been included in those emails, Eric Goldstein, executive assistant director for cybersecurity at CISA, told reporters.
  • Agencies whose login credentials may have been exposed have until the end of the month to reset or deactivate any affected passwords, session tokens and API keys — as well as to study the activity of users whose credentials were exposed for signs of an intrusion.
  • CISA privately issued the directive to affected agencies last week. CyberScoop first reported on the advisory.

Catch up quick: Microsoft reported the Russian hack of its networks back in January when it detected that Midnight Blizzard had accessed some of its executives' email inboxes.

  • Midnight Blizzard first gained access to executives' and other team members' emails via a password spraying attack, where hackers use the same password across different accounts until they're successful.
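The password-spraying technique described above, together with the log-review and automated-detection advice in the "bottom line" of the first item, is something defenders usually catch by looking for one source that fails against many different accounts in a short window, as opposed to a classic brute-force attempt that hammers one account. The script below is an added example written for this newsletter, not code from Axios, Microsoft or CISA; the log lines are constructed and the "timestamp result user source" layout is an assumption made for illustration.

```python
"""Flag password-spraying patterns in authentication logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Assumed layout: "<timestamp> <OK|FAIL> <user> <source-ip>".
# 198.51.100.7 tries five different accounts and then succeeds (a spray);
# 203.0.113.5 fails five times on one account (brute force, not a spray);
# 192.0.2.44 is a normal user mistyping once.
SAMPLE_LOG = """\
2024-04-11T02:00:01Z FAIL alice 198.51.100.7
2024-04-11T02:00:04Z FAIL bob 198.51.100.7
2024-04-11T02:00:07Z FAIL carol 198.51.100.7
2024-04-11T02:00:10Z FAIL dave 198.51.100.7
2024-04-11T02:00:13Z FAIL erin 198.51.100.7
2024-04-11T02:00:16Z OK frank 198.51.100.7
2024-04-11T02:01:00Z FAIL grace 203.0.113.5
2024-04-11T02:01:03Z FAIL grace 203.0.113.5
2024-04-11T02:01:06Z FAIL grace 203.0.113.5
2024-04-11T02:01:09Z FAIL grace 203.0.113.5
2024-04-11T02:01:12Z FAIL grace 203.0.113.5
2024-04-11T09:30:00Z FAIL heidi 192.0.2.44
2024-04-11T09:30:05Z OK heidi 192.0.2.44
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<result>OK|FAIL) (?P<user>\S+) (?P<src>\S+)$")


def parse(log_text):
    """Parse the assumed log layout into (timestamp, result, user, source) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def find_sprays(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source: details} for sources whose failures hit >= min_accounts
    distinct users inside `window`. `success_after_spray` marks sources that
    later logged in successfully, the case a credential-reset review cares about."""
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        by_src[src].append((ts, result, user))

    hits = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [(ts, user) for ts, result, user in evs if result == "FAIL"]
        start = 0
        for end in range(len(fails)):
            # slide the window start forward until the span fits inside `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_accounts:
                window_start = fails[start][0]
                success = any(r == "OK" and ts >= window_start for ts, r, _ in evs)
                hits[src] = {"distinct_accounts": len(users),
                             "success_after_spray": success}
                break  # one hit per source is enough for an alert
    return hits


if __name__ == "__main__":
    for src, info in find_sprays(parse(SAMPLE_LOG)).items():
        print(f"possible password spray from {src}: {info}")
```

Only the first source is flagged: the single-account failures from 203.0.113.5 are a different pattern and the lone mistake from 192.0.2.44 is noise. Tune `window` and `min_accounts` to the tenant's normal failure rate, and treat a flagged source with `success_after_spray` set as the trigger for the password, session-token and API-key resets the directive describes.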

Yes, but: Microsoft's investigation is still ongoing, and Goldstein said the number of affected agencies could change as the probe continues.

  • Goldstein declined to say how many agencies Microsoft has notified so far.

The big picture: The fallout from the Russian breach comes as Microsoft is facing increased government scrutiny over its internal security practices.

  • Last week, a high-profile government review board released a scathing report calling out Microsoft for "avoidable errors" that allowed Chinese government hackers to infiltrate a Microsoft 365 cloud environment and steal emails from top government officials.


3. House pushes surveillance bill to finish line

Photo: Saul Loeb/AFP via Getty Images

A House bill aimed at reauthorizing Section 702 of the Foreign Intelligence Surveillance Act overcame a procedural hurdle today after heated GOP infighting earlier this week, Axios' Juliegrace Brufke reports.

Why it matters: Leadership agreed to have the bill expire in two years instead of five, arguing that the new timeline would provide them another opportunity to tackle the bill if former President Donald Trump takes back the White House.

  • The bill is expected to pass later today with bipartisan support.

Zoom in: Speaker Mike Johnson (R-La.) and his leadership team worked late into Wednesday evening and Thursday talking to defectors from the bill — which would reauthorize the government's ability to collect online communications from noncitizens abroad.

  • Conservatives cited the exclusion of language on warrant requirements as their reason behind tanking the rule vote Wednesday despite being offered an amendment vote.
  • "It gives a lot of people hope we will get another bite of the apple when Trump's president," one lawmaker said.

The intrigue: The change to the bill came after a fiery conference meeting Wednesday afternoon, with security and privacy hawks sharply divided on the warrant language that remains out of the current bill.

  • Conservatives and Trump blasted the measure, arguing that it does not go far enough to protect Americans' privacy rights and that FISA was used to illegally spy on the Trump campaign.
  • But national security hawks argued the warrant language would hinder the country's ability to assess threats in real time, noting the measure includes an array of reforms to prevent misuse for political purposes.

What's next: If the House passes the latest bill today, the Senate has just one week to take it up and get it to the president's desk before the April 19 reauthorization deadline.

4. Catch up quick

@ D.C.

🇷🇺 The Commerce Department is expected to issue a new rule barring U.S. companies and citizens from using Russia-based Kaspersky's software. (CNN)

🪖 The U.S. Cyber Command initiated nearly two dozen "hunt forward" missions overseas in 2023, its top official told lawmakers. (The Record)

@ Industry

☎️ AT&T now says 51 million former and current customers were affected by a 2019 data breach that the company previously denied happened. (BleepingComputer)

👀 Apple removed the term "state-sponsored" from the spyware threat notifications it provides to individuals whose phones have been targeted, following repeated pressure from the Indian government. (Reuters)

💰 The French government provided cybersecurity company Atos — the main security vendor for the 2024 Summer Olympics — with a €50 million ($53.2 million) loan to avert a shutdown and keep operations afloat. (Politico)

@ Hackers and hacks

⚠️ CISA is urging organizations running business analytics company Sisense's products to reset their credentials as it investigates the scope of a reported attack. (CyberScoop)

💻 Security researchers uncovered an internal Microsoft storage server containing employees' password information that had been exposed to the public internet for an undetermined amount of time. (TechCrunch)

☀️ See y'all Tuesday!

Thanks to Scott Rosenberg for editing and Khalid Adad for copy editing this newsletter.

If you like Axios Codebook, spread the word.