ODNI report assesses potential cyber threats from China, Russia, Iran, North Korea that challenge US defenses

The Office of the Director of National Intelligence (ODNI) said in its latest annual report released Wednesday that foreign intelligence services are adopting cutting-edge technologies, ranging from advanced cyber tools to unmanned systems to enhanced technical surveillance equipment, which improves their capabilities and challenges U.S. defenses. Much of this technology is available commercially, providing a shortcut for previously unsophisticated services to become legitimate threats.

“China will persist with efforts to acquire foreign science and technology information and expertise, making extensive use of foreign scientific collaborations and partnerships, investments and acquisitions, talent recruitment, economic espionage, and cyber theft to acquire and transfer technologies and technical knowledge,” the ODNI said in its latest report, titled ‘2023 Annual Threat Assessment of the U.S. Intelligence Community.’ It also outlined that North Korea increasingly will engage in illicit activities, including cyber theft and exporting UN-proscribed commodities, to fund regime priorities, such as the WMD (weapons of mass destruction) program.

The 2023 Annual Threat Assessment highlights some of those connections as it provides the intelligence community (IC)’s baseline assessments of the ‘most pressing’ threats to U.S. national interests. It is not an exhaustive assessment of all global challenges. The assessment addresses both the threats from U.S. adversaries, primarily in the sections on state and non-state threat actors, and functional and transnational concerns such as WMD and cyber, as well as an array of regional issues with larger, global implications.

China probably currently represents the ‘broadest, most active, and persistent cyber espionage threat’ to U.S. government and private-sector networks, the ODNI report said. Furthermore, China’s cyber pursuits and its industry’s export of related technologies increase the threats of aggressive cyber operations against the U.S. homeland, suppression of the free flow of information in cyberspace, such as U.S. web content that Beijing views as threatening to the Chinese Communist Party (CCP)’s hold on power, and the expansion of technology-driven authoritarianism globally.

The ODNI outlined that if Beijing feared that a major conflict with the U.S. was imminent, it almost certainly would consider undertaking aggressive cyber operations against U.S. homeland critical infrastructure and military assets worldwide. “Such a strike would be designed to deter U.S. military action by impeding U.S. decision-making, inducing societal panic, and interfering with the deployment of U.S. forces. China almost certainly is capable of launching cyber attacks that could disrupt critical infrastructure services within the United States, including against oil and gas pipelines, and rail systems,” it added.

China leads the world in applying surveillance and censorship to monitor its population and repress dissent, the report said. Beijing conducts cyber intrusions that are targeted to affect U.S. and non-U.S. citizens beyond its borders, including journalists, dissidents, and individuals it views as threats, to counter views it considers critical of CCP narratives, policies, and actions. “China’s cyberespionage operations have included compromising telecommunications firms, providers of managed services and broadly used software, and other targets potentially rich in follow-on opportunities for intelligence collection, attack, or influence operations,” it added.

The ODNI report determined that the Ukraine war was the key factor in Russia’s cyber operations prioritization in 2022. “Although its cyber activity surrounding the war fell short of the pace and impact we had expected, Russia will remain a top cyber threat as it refines and employs its espionage, influence, and attack capabilities. Russia views cyber disruptions as a foreign policy lever to shape other countries’ decisions.”

It added that Russia is particularly focused on improving its ability to target critical infrastructure, including underwater cables and industrial control systems, in the U.S., as well as in allied and partner countries, because compromising such infrastructure improves and demonstrates its ability to damage infrastructure during a crisis.

The report also added that Russia continues to train its military space elements, and field new anti-satellite weapons to disrupt and degrade U.S. and allied space capabilities. “It is developing, testing, and fielding an array of nondestructive and destructive counterspace weapons, including jamming and cyberspace capabilities, directed energy weapons, on-orbit capabilities, and ground-based ASAT capabilities, to try to target U.S. and allied satellites. Similar to the space sector, resource and technology challenges could have an impact on the quality and quantity of Russia’s future counterspace capabilities,” it assessed.

Russia is investing in electronic warfare and directed energy weapons to counter Western on-orbit assets. These systems work by disrupting or disabling adversary C4ISR (command, control, communications, computers, intelligence, surveillance, and reconnaissance) capabilities and by disrupting GPS, tactical and satellite communications, and radars. Russia also continues to develop ground-based ASAT missiles capable of destroying space targets in low Earth orbit.

The ODNI report also analyzed Iran’s growing expertise and willingness to conduct aggressive cyber operations, making it a major threat to the security of U.S. and allied networks and data. “Iran’s opportunistic approach to cyber attacks makes critical infrastructure owners in the United States susceptible to being targeted by Tehran, particularly when Tehran believes that it must demonstrate it can push back against the United States in other domains. Recent attacks against Israeli targets show that Iran is more willing than before to target countries with stronger capabilities,” the report added.

North Korea’s cyber program poses a sophisticated and agile espionage, cybercrime, and attack threat, ODNI reported. “Pyongyang’s cyber forces have matured and are fully capable of achieving a range of strategic objectives against diverse targets, including a wider target set in the United States. Pyongyang probably possesses the expertise to cause temporary, limited disruptions of some critical infrastructure networks and disrupt business networks in the United States.”

The report identified that North Korea’s cyber program continues to adapt to global trends in cybercrime by conducting cryptocurrency heists, diversifying its range of financially motivated cyber operations, and continuing to leverage advanced social engineering techniques. In one heist in 2022, Pyongyang stole a record $625 million from a Singapore-based blockchain technology firm.

It also revealed that, beyond Pyongyang’s cybercrime efforts, cyber actors linked to North Korea have conducted espionage operations against a range of organizations, including media, academia, defense companies, and governments in multiple countries. North Korea continues to conduct cyber espionage to obtain technical information almost certainly intended to advance Pyongyang’s military and WMD programs, the ODNI report added.

The ODNI report also said that several countries, universities, and private companies have created or are creating centralized genetic or genomic databases to collect, store, process, and analyze genetic data. These databases put health and genetic data privacy at risk, and they are ripe targets for cyber attack and theft.

It added that China has been collecting genetic and health data from its entire population, bolstering the state’s surveillance and security apparatus, and its ability to try to monitor, manage, and control society in real-time. Beijing also has collected U.S. health and genomic data through its acquisitions and investments in U.S. companies, as well as cyber breaches.

The ODNI report said that transnational organized ransomware actors continue to improve and execute high-impact ransomware attacks, extorting funds, disrupting critical services, and exposing sensitive data. “While important services and critical infrastructure such as health care, schools, and manufacturing continued to experience attacks—with a large portion occurring in the United States—an increasing number of ransomware attacks observed in 2022 also targeted governments worldwide,” it added.

Major cybercrime groups have diversified ransomware business models, including new forms of extortion, such as threats to release captured data alongside encryption of data, and have improved the ability of their malware to affect a wider range of technical targets such as virtual machine hosts and network storage devices, the report said.

Ransomware groups sometimes cease operations in response to high-profile attention, law enforcement action, or disruption of infrastructure, although group members also find ways to later rebrand, reconstitute, or renew their activities following these disruptions. They also may question or curb attacks against target sets that prove most resilient in refusing to pay the demanded ransoms.

The ODNI report coincides with last week’s release of the ‘National Cybersecurity Strategy’ by the U.S. administration, which places increased emphasis on protecting the nation’s critical infrastructure from cyber threats and incidents. The strategy lays out a path toward a cyberspace that is more inherently defensible and resilient, and aligned with the country’s values. It also imposes additional obligations on the organizations that control the majority of the nation’s digital infrastructure, and gives the government an enhanced role in disrupting criminal hackers and state-sponsored actors.