Ep 8: Living Off The Land

34m
Cyber experts start getting called into electric, water, pipeline, railway, and transportation hubs around the country. Hackers have found a clever way to embed in these systems, using a small, unsuspecting device in everyday Americans’ homes. And once these hackers get in, they’re not dropping the usual malware, or sucking much of any data out. Unlike their predecessors, these hackers are very careful to cover their tracks. It appears they’re just lying in wait. Sleeper cells waiting for marching orders. So what’s the trigger? And what happens if they pull it?


Transcript

It's 2020.

We start spotting Chinese hackers tucked deep inside our infrastructure, quiet, patient, just waiting.

The industry calls this living off the land, but don't let that rustic name fool you.

These hacks are far from harmless.

They're sleeper cells waiting for marching orders.

We just didn't know what exactly.

Here's Kevin Mandia.

And all of a sudden, we see Chinese threat groups since about late 2020, at least from my observables, hack in and we don't know why, because they're not the tank through the cornfield.

They're hacking in and just, that's it.

There's no other activity.

And then you're like, why are they there?

You know, and it's maybe they have access later.

Maybe it's to mine user IDs and passphrases.

You know, there's no better way to compromise any organization than you can just log in, period.

It's the best way to breach an organization is log into it the same way the employees do.

There's just no evidence.

And that's what living off the land means.

There's no malicious code.

There's no back door.

There's good operational security.

If they created a log file that's suspicious, they would edit it.

When they wanted to go surreptitious, they were good at it.

And that's the thing about digital evidence.

You can edit it or delete it.

You can change it.

You know, it's different than the physical world.

You can do some wonderful things if you're on offense and you have the patience and time and skill to do it.

By this point, you almost certainly understand that the CCP absolutely has the patience, time, and skill.

But in theory, so do we.

So how did we let it get this far?

How did we allow China's hackers to so intimately invade our most critical infrastructure?

I'm Nicole Perlroth, and this is To Catch a Thief.

The answer to that question of how we let things get this out of hand is where a number of trends converge.

I've walked you through China's hacking advancements and the creeping emergency of global supply chains, but what made this the perfect storm was our uniquely American blind spots.

For one, despite the impression left by Snowden, the NSA and other U.S. intelligence agencies aren't actually in your private networks, watching what you do, or in this case, what Chinese hackers are doing.

Not without running straight into the Fourth Amendment.

The NSA is a foreign intelligence agency.

It hunts for threats abroad.

Its charter doesn't allow it to hunt for hackers on private American networks, not without a warrant or a special court order.

And what you need to understand is that the vast majority of U.S. critical infrastructure, pipelines, the power grid, water, hospitals, more than 80% of it is in private sector hands, meaning the government has no visibility into it.

They can't deflect attacks on those private systems or even hunt there.

unless they've got a court order or they're invited in.

To a large degree, when it comes to these living off the land attacks, we're flying blind.

Our second big gaping vulnerability is that the United States is among the most digitally dependent nations on earth.

We've been baking technology, code, into everything, with security as little more than an afterthought.

We let software eat the world.

And we did it with this quote-unquote move fast and break things approach, as Mark Zuckerberg coined Facebook's motto in its early days.

The idea was just get the application, get the code, get the router to market, and we can worry about the bugs and security issues later.

What this means, in effect, is that we've been plugging vulnerable software and hardware into our infrastructure with little, if any, security baked in by default.

And then we leave it to these businesses and critical infrastructure operators like Nick Lawler and Littleton to figure out the security piece on the back end.

The people who designed routers never thought that one day they'd be the linchpin for advanced nation-state attacks.

And China has been using all of this to its advantage.

Because by 2020, most Americans had grown somewhat wise to China's ways.

If an IT operator picked up some unnerving traffic coming from a Chinese server, they knew to look into it.

But Volt Typhoon, these Chinese infrastructure hackers, they weren't breaking in from Chinese servers anymore.

They're coming in from routers inside the country, precisely where our intelligence agencies can't look.

Remember way back in episode three, Kate Machine and Welding, when China's hackers broke in and used the Wisconsin welding shop server to hack major American businesses?

Well, China's living off the land hackers are running the same playbook.

Only now they're using Americans' home routers.

Here's John Hultquist, Mandiant's chief intelligence analyst.

They're coming out of SOHO routers.

So your home office, your small office router, they are literally going out.

A lot of them have vulnerabilities.

That last bit, it's an understatement.

Volt Typhoon made a habit out of targeting home routers that, as I was saying earlier, were sold without security baked in.

To break into these routers, hackers only need to type in the default password, usually admin.

And even if the user has bothered to change the password, these routers are riddled with vulnerabilities.

And in too many cases, they've reached quote-unquote end of life, which basically means that even when we detect a vulnerability, there is no patch to install, no technical support.

They're just sitting ducks.

And by 2020, China's Volt Typhoon hackers started capturing these home routers en masse and using them as a launch pad to infiltrate U.S. critical infrastructure.

They go out, they capture these routers, and they build them into a botnet.

Think of a botnet like the iconic Spider-Man villain, Doc Ock, that evil mastermind who wields his robotic, tentacle-like arms.

Only in this case, his tentacles are hooked into hundreds, thousands of these vulnerable home routers, commanding them to infiltrate America's critical infrastructure.

And these zombie routers, they're just dusty, ordinary-looking devices in living rooms and small offices, quietly moving packets for Chinese state hackers halfway across the world.

Cyber experts have a Marvel-esque name for these compromised routers.

They call them orbs, short for operational relay boxes.

So, literally, you could be home right now baking apple pie and have zero idea that your home router is being used by China as a conduit to hack the U.S. power grid.

From China's point of view, this approach is elegant.

From ours, it's dangerous.

For one, it's the perfect disguise.

What they're doing is instead of traversing through systems that they have to buy and set up, they're traversing through these stolen compromised systems.

And that means instead of coming from China, they can look like they're coming right from down the street.

It's like the Wisconsin welding shop leveled up.

Same idea.

Just imagine that scaled up.

So instead of just coming through that one, you know, or a handful of those compromised systems, imagine just going out and getting hundreds of them.

And it's not just one botnet using these orbs to hack us.

China has employed nearly a dozen that we know about.

They're managed by mid-level Chinese contractors like i-Soon and Chengdu 404, who lease them out to Volt Typhoon and these other Chinese APTs.

It's layers on layers, like a hall of mirrors, each one giving Beijing just enough distance to shrug and say, wasn't us.

There's just a ton of operations where they're setting this stuff up and different teams are sharing it.

And it makes it really hard to tell what's what, right?

And figure out what you're looking at.

But it's the same exact idea.

These compromised systems are a great way to sort of hide your tracks, and unfortunately this sort of router-focused game is a really good way to do that.

Second, routers are easily replaceable. If one gets burned, hackers can just hop to the one next door.

They can pick a router that's right next to you and looks completely natural for your network.

And the great thing about also is that tomorrow they can burn it and go to a new one.

And so from my perspective, somebody who tries to track this stuff, it makes it really hard.

Third, these routers are really hard to monitor.

Rarely do they have logs or any kind of security.

Volt Typhoon has used routers from U.S. companies like Cisco, Fortinet, Netgear, and others.

Many of them unpatched, still running those default passwords, or others that have reached end of life and been abandoned by their vendors.

But these days, American brands are getting squeezed out by a Chinese giant.

The world's largest network and communication equipment manufacturers, TP-Link maintains building production bases all over the world.

TP-Link is committed to creating reliable products and technologies to link global users to a better life.

While the White House dithers back and forth on TikTok, few Americans have ever even heard of TP-Link.

And I get it.

When you buy a home router, you don't care what brand you get.

You just want it to work.

TP-Link's routers are ubiquitous and easily forgotten.

If you've bought a home or small office router recently, chances are your data is flowing through TP-Link.

In fact, go on Amazon right now.

Search the words home router.

And Amazon's overall pick is a TP-Link router.

It's by far the cheapest option, as in less than half the cost of its next closest competitor.

TP-Link's share of the U.S. router market has exploded from 10% in 2019 to over 60% today.

That's according to the Wall Street Journal, which found that TP-Link's share of next-gen Wi-Fi systems is even higher, 80%.

And as early as October 2023, China's Volt Typhoon hackers started using TP-Link routers to burrow into U.S. infrastructure.

Now, to be clear, TP-Link isn't the only brand they've used.

But what makes TP-Link different is this.

It's a Chinese company.

It was started by two Chinese brothers and for three decades operated from Shenzhen.

But last year, TP-Link split in two.

One base stayed in China, while the other moved its new official headquarters to Irvine, California to serve the U.S. market.

TP-Link wants you to believe this split means it's no longer Chinese.

And as this episode was coming together, TP-Link's general counsel sent me a tersely worded message saying, quote, any claim TP-Link is a Chinese company is, quote, unlawful and legally actionable.

According to this lawyer, quote, TP-Link is a U.S.-based company that manufactures routers for the U.S. market in Vietnam.

But a week after TP-Link's lawyers put me on notice, Bloomberg published its own investigation, which found that Vietnam is effectively just a final assembly point, their words, that only half a percent of TP-Link's components come from Vietnam.

The rest are still imported from China.

And then there's what Rob Joyce, the NSA's former cybersecurity chief, testified to Congress and told our live panel podcast in March.

He testified that TP-Link's push into the U.S. isn't just smart business.

It's strategic.

Rob told us the company is selling its routers at a loss, a deliberate move to flood the U.S. with cheap routers and build what he called a PRC platform.

How have they achieved this miraculous growth?

They appear to be selling at price points below profitability to drive out our Western competition.

TP-Link routers were among the various brands exploited by Chinese state-sponsored hackers in the massive Volt, Flax, and Salt Typhoon attacks.

Imagine these routers in the homes and businesses across America as a PRC platform to launch society-panicking cyber attacks.

This is a threat we cannot ignore.

The company is selling them at unprofitable levels and they're driving out the Western and U.S. manufacturers.

It's exponential growth.

And now they have these routers in all of our homes that the software is maintained and updated out of China.

Whether TP-Link is complicit in these hacks or not today, at any point the Chinese government can go under their intel laws and direct that company to support them and issue an update that either bricks a massive amount of our critical infrastructure, people's ability to get on the internet if they want to attack, or makes them even better bounces and redirectors for them to do their operations through.

It's a huge problem, Nicole.

It reminded me of that line from Huawei's founder.

A country without its own program-controlled switches is like one without an army.

TP-Link disputes all of this and emphasizes that its security is on par, if not better than leading routers.

That said, a recent Microsoft assessment took a careful look at one of these Chinese botnets.

They call it CovertNetwork-1658, and it's used by multiple Chinese APTs.

Microsoft determined it was comprised of 8,000 compromised devices, the vast majority of them TP-Link.

Now, that could just come back to the fact that more Americans are using TP-Link routers than ever before.

Or it could not.

U.S. investigators are now probing just how closely TP-Link Systems Inc., the new American incarnation of the company, is tied to China.

And if they find it presents a, quote, unacceptable risk, Washington could use new authorities to ban TP-Link from the U.S.

Politicians across the aisle are now zeroing in on the issue.

Here's Democratic Congressman Raja Krishnamoorthi at a hearing on cyber threats in March.

For context, he's holding up a TP-Link router.

You can actually buy one of these things for $20 online, but don't use this.

Okay, don't put it in your critical infrastructure.

I don't have one at home either.

It's not a good idea.

TP-Link's routers, I should note here, aren't just sold on Amazon.

They're everywhere.

In fact, if you go to any U.S. military base and head to the commissary, you'll find TP-Link routers featured prominently on the shelves.

But the routers are just the first step in breaking into U.S. infrastructure.

It's what these hackers do or don't do once they're in that makes these attacks really difficult to detect.

Once they're in, they often don't act immediately.

In some cases, they lie completely dormant on a victim's networks for 60, sometimes 90 days, which puts them well outside the period most companies even keep logs or can flag anything unusual.

Here's John Hultquist again.

We lose half the IOCs to this battle, right?

We lose all the network-related IOCs, particularly in relation to Volt Typhoon activity.

They're living off the land.

IOC.

Indicators of compromise.

That's TechSpeak for the digital crumbs, artifacts, and other clues that indicate you've been breached.

And Volt Typhoon has figured out how to leave as few crumbs or IOCs as possible.

Here's Kevin Mandia.

I think that's what's happening here, and that's why there's been additional concern.

It's way harder to investigate.

So when Mandiant folks go out to figure out what happened and you're up against a group like Volt Typhoon, you know they're there.

You see these terrible little scraps of, yeah, they looked at this one file, but you know they looked at 10,000 files and the evidence has only given you the one.

And you're like, oh my God, I'm getting less than 1% visibility into what they're doing here.

And unless you have great identity security, great identity monitoring, you're not going to catch these folks that live off the land.

And that phrase, I'm going to explain it again, it means the attackers are accessing an organization's network the same way the organization does, period.

Same user IDs, same passphrases, same programs.

There's nothing special.

They've learned your network so well that they look like they're part of your network.

And that's really hard to investigate.

It's not impossible, but it does change how we look at things.

We have to do transits a little differently.

After Telvent, China's infrastructure hackers started coming for other pipeline operations across the country.

But in 2020, they started hacking U.S. infrastructure with an unnerving frequency.

Something had changed.

Something set them off.

We have waged a fierce battle against the invisible enemy, the China virus.

or against the Chinese virus.

It's a disease, without question, has more names than any disease in history.

I can name Kung Flu.

You might recall from episode one, the CCP is obsessive about image control.

It's why they hacked Google.

It's why Xi agreed to the 2015 cyber detente.

The CCP weren't willing to risk the embarrassment of the White House canceling Xi's first official trip or risk being greeted with sanctions.

It's impossible to say what set them off in 2020.

You'd have to be a fly on the CCP's wall.

Maybe they were set off by the mocking.

Maybe it was the isolation and undercurrents of suspicion that dominated COVID.

If we were already looking at each other through straws, then after COVID, we were now looking through needles, as Tom Friedman, the Times columnist, puts it.

Whatever it was, in 2020, China's Volt Typhoon became the broadest, most active, most persistent cyber threat to U.S. infrastructure that American intelligence officials have ever seen.

The scale of the Chinese cyber threat is unparalleled.

They've got a bigger hacking program than that of every other major nation combined, and they have stolen more of Americans' personal and corporate data than every nation, big or small, combined.

To fully understand just what it was like to reckon with the scale and severity of this problem, you have to go beyond the news clips.

You have to go beyond the public statements.

It's time I bring in someone from inside the classified tent.

Someone who's been tracking the Chinese cyber threat more than anyone.

Meet Andrew Scott.

My name is Andrew Scott.

I'm the Associate Director for China Operations here at the Cybersecurity and Infrastructure Security Agency.

It's a relatively new role that we created in mid-2023 to bring together a coordinated approach to CISA's efforts to defend critical infrastructure from PRC cyber threats.

Frankly, it's a miracle we're hearing from Andrew et al.

Because over that same decade I was stumbling around in the dark, trying to shine a spotlight on these breaches, Andrew was also tracing these assaults.

Only he was doing it from classified SCIFs with the benefit of a giant intelligence apparatus at his back.

And man, what I wouldn't have given to speak to him over that decade I was at the Times.

If you happen to be watching C-SPAN during any major congressional testimony on Chinese cyber espionage, you may have glimpsed Andrew in the audience, sitting just beyond the agency heads.

He tracked Chinese cyber threats at the CIA, at the National Security Council, and most recently at CISA, the cyber defense agency.

And here I should disclose that as this threat began metastasizing in 2021, I left the New York Times.

After writing about this threat for more than a decade, I could see pretty clearly where things were headed, and it wasn't good.

I reckoned I could keep writing about these cyber attacks, or I could do something about it.

So in 2021, I put down my pen and picked up a shovel.

I joined CISA's advisory committee and I served there through its disbanding in January 2025.

And that is how I came to know Andrew.

Tell us how long you have been working on the threat of cyber espionage, cyber campaigns from the People's Republic of China.

So it's been about almost 15 years in total.

So before CISA, I spent nearly 15 years in the intelligence community working on foreign cyber threat issues to include East Asia, China, North Korea, and others.

Intermixed with that, spent about four and a half years working on the National Security Council, both in the Obama and Biden administrations, where I worked on everything from the APT1 report and responses to that in the 2012-2013 timeframe, to the Hafnium attributions in 2021.

Being involved in the U.S.-China cyber commitment negotiations and a whole range of things.

So I've worked at pretty much every aspect of this issue from Intel to national policy to Homeland Security now.

I should note here that Andrew left CISA after I interviewed him for this episode.

What he describes here is what he witnessed while he was there.

Through multiple incident response efforts that we've had, we've verified that the PRC has compromised various pieces of critical infrastructure.

And what we're seeing is that these actors are persistent and patient against their targets, that they are compromising the same entity multiple times over a number of years.

We are seeing them gain access into an environment, steal credentials, lay dormant on the network because all they're looking to do is maintain that access, come back a period of time later, test their credentials, see if they work.

If they don't, steal credentials again, maintain access in the environment.

It is an act of maintaining access, testing that access, and validating that access, which is exactly what you would do if you were looking to just maintain access and pre-position on a network.

Pre-position on a network.

That means get in and stay in.

Jim Lewis puts it more succinctly.

My usual line is you don't hack infrastructure for fun.

Right?

It's reconnaissance.

It's target reconnaissance for the event of a conflict between the United States and China.

A sinking realization started to creep in.

China was and is making strategic inroads into America's most critical infrastructure.

They're not just sightseeing, they're strategically positioning themselves.

And big picture, what Andrew and his colleagues were seeing with each new living off the land attack, with the access Chinese hackers were gaining to U.S. power and water supplies, our ports, our supply chains, our gas pipelines, our railways, aviation.

All of it makes for a big red button.

One CCP leadership can push in the event of a conflict.

And so I'm curious what it was like inside government when you all made this realization that, oh, this is not just IP theft anymore.

What did it take for the intelligence community to make that determination that, wait a minute, this looks like it could be the beginnings of something far more aggressive?

Was it the victims?

So I'd answer that in a couple different ways.

The first is to say it was an eye-opening experience when we sort of came collectively to that realization of a shift in the kinds of targets that we were seeing.

And over the course of a number of years, sort of my colleagues elsewhere in government and the IC here at CISA, in DOD, our international partners, all sort of really focused on this question of, as we looked at a bunch of different factors, right, outside of the cyber domain, Xi Jinping coming in and stating that reunification is a goal with Taiwan.

William Lai from Taiwan's ruling party wins the presidential election and vows to defend the island from China's intimidation.

But China said reunification with Taiwan is still inevitable.

A sort of shift and reorganization of the People's Liberation Army in 2015 around blunting and deterring U.S. intervention in a conflict in the Indo-Pacific.

A Chinese defense official has said that the United States is trying to build an Asia-Pacific version of NATO to maintain its hegemony in the region.

The remarks were made at the Shangri-La dialogue in Singapore.

Lieutenant General Jiang Xiangfeng warned that if regional countries were to sign up for the U.S. Indo-Pacific strategy, they would be lured into taking bullets for the United States.

And then you bring together this piece of what do we see being targeted.

And one of the realizations was exactly what you highlighted, which is some of the things that we saw being targeted were entities that, even if you stretch the boundaries of your imagination to say could they be an espionage target, they very clearly weren't. And one thing that I really wanted to emphasize here is I've even gotten questions recently of what's fundamentally different now.

And the answer really is, we've now confirmed, though, that the PRC is inside the house.

The PRC was inside the house.

Not just a fear, a fact.

U.S. officials watched as Chinese hackers crept through dozens, then hundreds of critical systems across the country.

Smaller utilities in Littleton, Massachusetts, major infrastructure hubs, power, water, transportation.

This wasn't spycraft as usual.

This was sabotage in slow motion, a silent crawl through the machinery that keeps America running.

They weren't gathering secrets, they were laying tripwires.

And that was enough to drag U.S. officials out of the shadows and into the open.

There has been far too little public focus on the fact that PRC hackers are targeting our critical infrastructure, our water treatment plants, our electrical grid, our oil and natural gas pipelines, our transportation systems, and the risk that poses to every American requires our attention now.

China's hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities if and when China decides the time has come to strike.

They're not focused just on political and military targets.

We can see from where they position themselves across civilian infrastructure that low blows aren't just a possibility in the event of a conflict.

Low blows against civilians are part of China's plan.

That was former FBI Director Chris Wray in 2024.

He, along with Jen Easterly and General Paul Nakasone, the now former director of NSA and U.S. Cyber Command, testified before the House Select Committee on China.

We and our partners identified hundreds of routers that had been taken over by the PRC state-sponsored hacking group known as Volt Typhoon.

The Volt Typhoon malware enabled China to hide, among other things, pre-operational reconnaissance and network exploitation against critical infrastructure like our communications, energy, transportation, and water sectors, steps China was taking, in other words, to find and prepare to destroy or degrade the civilian critical infrastructure that keeps us safe and prosperous.

And let's be clear, cyber threats to our critical infrastructure represent real-world threats to our physical safety.

PRC cyber actors are pre-positioning in our U.S. critical infrastructure, and it is not acceptable.

Defending against this activity is our top priority.

This is a world where a major crisis halfway across the planet could well endanger the lives of Americans here at home.

Three top officials speaking plainly before Congress.

That should give you a sense of the severity of the situation.

That's about as stark a warning as you ever get from the intelligence community in public.

What has us particularly concerned across government is the breadth of the pre-positioning that we see.

We see it in the transportation sector.

We see it in the water sector.

We see it in the communications sector.

We see it in the energy sector.

The worst day is an everything, everywhere, all-at-once scenario, that all of a sudden we see disruption in multiple sectors simultaneously with services to the American public going out.

Most Americans can't even fathom the everything, everywhere, all at once cyber attack.

We've only caught one-off glimpses, like flashes in the dark.

But the full scope, the full capability, we haven't seen it.

Not yet.

Nobody really knows if the gloves came off in cyberspace between China and the U.S., what would really happen.

Like, is it pandemonium?

I've had the privilege of lecturing on modern warfare, and even I'm not so sure of the collateral damage, but I do know that a lot of things would get less predictable and it would be eerie.

Like if the gloves came off in cyberspace,

the impact of it, you know, some companies can make phone calls, some can't.

Some companies, the gate rises when you go to park and sometimes you can't.

Services might shut down.

We don't really know the impact just yet and how widespread it would be because we don't understand all the complex dependencies.

So it's really hard to even know what to fear.

What I'm hopeful about is the gloves just don't come off.

I don't think they do until they come off kinetically.

I really don't think people are just going to unleash everything they've got in cyber.

I don't think we've seen China's total A game.

All we know for certain is they've prepared the battlefield, but have we?

That's next on To Catch a Thief.

Follow To Catch a Thief to make sure you don't miss the next episode.

And if you like what you hear, rate and review the show.

To Catch a Thief is produced by Rubrik in partnership with Pod People, with special thanks to Julia Lee.

It was written and produced by me, Nicole Perleroth, and Rebecca Shasson.

Additional thanks to Hannah Pedderson, Sam Gabauer, and Amy Machado.

Editing and sound design by Morgan Foos and Carter Wogan.