Cyber Intelligence
Continued Degrading of U.S. Cyber Security
This report contains selected cyber-security information from 4th to 17th April 2025.
This report is TLP:CLEAR.
David Swan, Director, CSCIS Cyber Intelligence Defence Centre (CIDC)
Publisher – CSCIS / David Swan, Director CIDC
Release: 17th April 2025.
This report is TLP:CLEAR and MAY be shared freely.
Synopsis
The Trump administration fired the head of the NSA and U.S. Cyber Command, then launched an investigation into its former CISA Director. Current CISA staff are being “gutted.” The U.S. Government’s cybersecurity agency (CISA) considered ending a critical cybersecurity program. Apparently, the PRC admitted that “Volt Typhoon” was their campaign. The PRC continues to launch aggressive cyber espionage campaigns.
It is our assessment that the three major cyber conflicts—Russia vs. Ukraine, Iran vs. Israel, and the People’s Republic of China—are the most likely sources for the creation of next-generation malware and/or a primary source of cyberattacks. This includes government-funded hackers (military, intelligence, and civilian employees), affiliated hackers (criminals and mercenaries), and volunteer “supporters.”
U.S. Government vs. Cybersecurity
Trump’s ‘Revenge Tour’ Guts U.S. Cybersecurity
Head of NSA and U.S. Cyber Command Fired
“On April 3, President Trump fired Gen. Timothy Haugh, the head of the National Security Agency (NSA) and the U.S. Cyber Command, as well as Haugh’s deputy, Wendy Noble.” Apparently, the issue was “Haugh’s loyalty.”
Former Trump Cyber Agency Director Under Investigation
The U.S. Attorney General has been directed “to investigate Chris Krebs, calling him ‘a significant bad-faith actor who weaponized and abused his government authority.’ … The inquiry will include ‘a comprehensive evaluation of all of CISA’s activities over the last 6 years and will identify any instances where Krebs’ or CISA’s conduct appears to be contrary to the administration’s commitment to free speech and ending federal censorship, including whether Krebs’ conduct was contrary to suitability standards for federal employees or involved the unauthorized dissemination of classified information’.”
Krebs’ “sin” was “declaring the 2020 election the most secure in U.S. history.” In response, Chris Krebs has left his position with SentinelOne, a major cybersecurity firm. “He told company CEO Tomer Weingarten ‘what I firmly believe: this is my fight, not the company’s, and I offered my resignation. … For those who know me, you know I don’t shy away from tough fights.’ … Illegitimi non carborundum.”
CISA Staff Gutted
It is forecast that forty percent of the U.S. Government’s Cybersecurity and Infrastructure Security Agency (CISA)—1,300 employees—will be downsized as part of the effort to reduce federal staff. By 14th April, employees must decide “if they will take Secretary Kristi Noem’s offer and choose deferred resignation, early retirement, or an immediate buyout.” No justification for the drastic reorganization has been offered.
“Retired U.S. Navy Rear Admiral Mark Montgomery told The Register in an earlier interview the firings and funding cuts ‘harm national security on a daily basis’.”
Brinkmanship with Global Cybersecurity Database
On Tuesday, 15th April, a letter was released stating that “the current contract … for MITRE to develop, operate, and modernize CVE and several other related programs … will expire.”
The Common Vulnerabilities and Exposures (CVE) program, operated by the non-profit MITRE Institute under contract with the U.S. Government, is a cornerstone of global cybersecurity. The 25-year-old CVE program is a vital tool for vulnerability management, offering a de facto standard to identify, define, and catalog publicly disclosed security flaws using CVE IDs. The program has listed over 274,000 CVE records to date.
Late on the 15th, an option clause in the MITRE contract was exercised, extending the contract for eleven months “to ensure no continuity issues.”
“The CVE Program is invaluable to the cyber community and a priority of CISA,” the U.S. cybersecurity agency told BleepingComputer. “Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services.”
Warnings from the Cybersecurity Industry
MITRE Vice President Yosry Barsoum warned: “If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure.”
John Hammond, a cybersecurity analyst with Huntress Labs, explained the risk of losing the CVE database in a viral YouTube video. The title put it bluntly: “Cybersecurity Just Got F**ed.”
Analysts’ Comments
A. Finding another leader as qualified as General Haugh is unlikely. Any change of command brings a certain amount of turmoil. This will almost certainly impact the NSA and U.S. Cyber Command.
B. Given that the MITRE CVE contract extension was not announced by the White House or any Cabinet-level official, we are not confident the eleven-month extension will be honored. Even if the CVE database is preserved, we anticipate a degradation of the program.
C. CISA cannot afford to lose 40% of its staff. This will result in another degradation of U.S. cyber defensive capabilities.
D. The lack of response from the U.S. cybersecurity industry to the Trump administration’s cyber-related actions suggests companies are taking an “every man for himself” approach. At best, they are quietly coordinating behind the scenes to avoid scrutiny.
E. The cumulative effect of the Trump administration’s actions will further degrade U.S. defensive cybersecurity. There is no indication that anyone in Trump’s circle understands the implications of a major cyberattack. This makes the current period ideal for adversarial cyber activity.
People’s Republic of China (PRC)
PRC Admits Responsibility for ‘Volt Typhoon’
At a December 2024 meeting between PRC officials and the Biden administration, Chinese representatives admitted to directing cyberattacks on U.S. infrastructure. The Chinese delegation reportedly implied that these attacks were linked to U.S. support for Taiwan. A former U.S. official described the remarks as “indirect and somewhat ambiguous,” but interpreted them as both a tacit admission and a warning to the U.S. regarding Taiwan.
Volt Typhoon Campaign Targeted Critical Infrastructure
Volt Typhoon actors gained access to systems across multiple sectors, including communications, manufacturing, utilities, construction, government, IT, maritime, transportation, and energy. It was recently revealed that the hackers remained in the U.S. electric grid for 300 days in 2023.
Global Scale of Volt Typhoon Operations
Reporting has overlooked the fact that Volt Typhoon is a global campaign targeting communications, energy, transportation, water, and wastewater systems. Detections have occurred in Europe and Asia as well as the Americas.
Starting in 2021, Volt Typhoon operated a botnet using compromised Cisco and Netgear routers and command-and-control infrastructure in the Netherlands, Latvia, and Germany.
“By October 2023, Volt Typhoon had taken up occupancy, rent-free, on a compromised VPN device in New Caledonia. This created ‘a covert bridge between Asia-Pacific and the Americas’ that kept ‘their network alive, hidden from standard detection’.”
Strategic Implications of the PRC Admission
It is unprecedented for the PRC to admit involvement in cyber espionage. We believe this admission should be interpreted as a warning: “We have access to your critical infrastructure—stay out of our way.” This aligns with the PRC’s growing frustration with nations that support Taiwan.
Ongoing PRC Cyber Espionage Campaigns
The PRC appears to be accelerating its cyber espionage activities. Recent developments include:
Ivanti VPN Exploits
Cybersecurity firm TeamT5 reports that a Chinese APT group exploited critical vulnerabilities in Ivanti Connect Secure VPN appliances, impacting nearly 20 industries in 12 countries.
New Remote Access Trojan (RAT)
A PRC-linked group dubbed UNC5174 has deployed a RAT to enable espionage and resale of access. The group is believed to be affiliated with China’s Ministry of State Security.
‘Mustang Panda’ Updates Toolset
Known for targeting governments and NGOs in East Asia and Europe, Mustang Panda recently deployed a new version of its ToneShell backdoor, along with new tools including StarProxy, the Paklog and Corklog keyloggers, and the SplatCloak EDR evasion driver.
For more information on the CIDC, this Intelligence Report or to have a dedicated briefing please contact cidc@cscis.org