New DHS threat assessment report sounds alarm on cyber attacks, as AI-driven malware poses threat to critical infrastructure

The U.S. Department of Homeland Security (DHS) published on Friday the 2024 Homeland Threat Assessment report, which states that domestic and foreign adversaries will likely continue to target U.S. critical infrastructure, including the transportation sector, over the next year. It added that DVEs (domestic violent extremists) increasingly called for physical attacks on critical infrastructure this year, while foreign adversaries are exploring new technologies like AI (artificial intelligence) to improve their tactics.

The DHS Intelligence Enterprise Homeland Threat Assessment pulls together insights from across the department, the intelligence community, and other critical homeland security stakeholders. It focuses on direct, pressing threats to our Homeland during the next year and is organized into four sections. This assessment is organized around the Department’s missions that most closely align or apply to these threats—public safety, border and immigration, critical infrastructure, and economic security. As such, many of the threat actors and their efforts cut across mission areas and interact in complex and, at times, reinforcing ways.

The 2024 Homeland Threat Assessment report highlights heightened concerns about domestic small group attacks, espionage, and efforts by foreign adversaries to spread misinformation and target U.S. critical infrastructure. The report identified that from attacks aimed at disrupting services to espionage focused on gaining access to networks and stealing sensitive information, these actors are constantly adapting their techniques to gain access to and potentially compromise these entities. 

“While cyber attacks seeking to compromise networks or disrupt services for geopolitical or financial purposes continue apace, we noted an uptick over the last year of physical attacks on critical infrastructure,” the DHS report revealed. “We expect the 2024 election cycle will be a key event for possible violence and foreign influence targeting our election infrastructure, processes, and personnel.” 

Additionally, the DHS Threat Assessment report noted that the “proliferation of accessible artificial intelligence (AI) tools likely will bolster our adversaries’ tactics. Nation-states seeking to undermine trust in our government institutions, social cohesion, and democratic processes are using AI to create more believable mis-, dis-, and malinformation campaigns, while cyber actors use AI to develop new tools and accesses that allow them to compromise more victims and enable larger-scale, faster, efficient, and more evasive cyberattacks.”

The DHS Threat Assessment report expects that nation-state adversaries will likely continue to spread mis-, dis-, and malinformation aimed at undermining trust in government institutions, social cohesion, and democratic processes. “The proliferation and accessibility of emergent cyber and AI tools probably will help these actors bolster their malign information campaigns by enabling the creation of low-cost, synthetic text-, image-, and audio-based content with higher quality. Russia, China, and Iran continue to develop the most sophisticated malign influence campaigns online,” it added. 

“Generative AI enables the rapid creation of an endless supply of higher quality, more idiomatically correct text, providing influence actors the ability to expand their messaging and give it a greater aura of credibility,” according to the report. “Already, hundreds of websites have used a publicly available, large-language, model-based chatbot to generate content, some of which was false or misleading.” 

For example, in April, a Chinese government-controlled news site using a generative AI platform pushed a previously circulated false claim that the United States was running a lab in Kazakhstan to create biological weapons for use against China. Recently, Russian influence actors have used new AI technology in select cases to augment their operations. For instance, in June, an RT (formerly Russia Today) social media account created and shared a deepfake AI-generated video disparaging the U.S. president and other Western leaders. 

The report added that Russia likely will continue to use traditional media, covert websites, social networks, online bots, trolls, and individuals to amplify pro‑Kremlin narratives and conduct influence activities within the U.S. “Since its invasion of Ukraine, Russian messaging has focused on justifying its aggression, seeking to reduce US domestic support for Kyiv, and encouraging divisions among the diverse set of global partners that are helping Ukraine.”

It also pointed out that China has used state and proxy media for overt messaging and coordinated, inauthentic social media campaigns to influence US audiences—activities we expect to continue. “Its influence actors likely will continue their efforts to refine and employ tactics and messaging to influence US discourse. Iran will likely also attempt to influence US audiences to promote its anti‑US agenda utilizing social media and inauthentic websites.”

State and non-state cyber actors continue to seek opportunistic access to critical infrastructure sector targets for disruptive and destructive attacks. Common tactics include denial-of-service, website defacement, and ransomware. Some of these hackers also seek to develop or improve existing capabilities that can disrupt industrial control systems that support U.S. energy, transportation, healthcare, and election sectors. 

The 2024 Homeland Threat Assessment report said that malicious cyber activity targeting the U.S. has increased since the beginning of the Russia‑Ukraine conflict, a trend that it expects to continue throughout the duration of the conflict. “Pro‑Russia cyber criminal groups, such as Killnet, collaborate to conduct distributed denial‑of‑service (DDoS) attacks and other potentially disruptive attacks against US government systems and our transportation and healthcare sectors. Killnet claimed credit for a March 2022 DDoS attack against a US airport it believed was helping US efforts to aid Ukraine,” it added.

“Malicious cyber actors have begun testing the capabilities of AI-developed malware and AI-assisted software development—technologies that have the potential to enable larger scale, faster, efficient, and more evasive cyber attacks—against targets, including pipelines, railways, and other US critical infrastructure,” the report added. “Adversarial governments, most notably the PRC, are developing other AI technologies that could undermine US cyber defenses, including generative AI programs that support malicious activity such as malware attacks.”

The report additionally highlights the growing risks posed by the expanded deployment of smart city technologies, such as big data analytics, cloud computing infrastructure, and sensor-driven city management systems. These advancements present fresh avenues for both state and non-state cyber adversaries, enabling them to exploit vulnerabilities and potentially launch disruptive attacks on local government and critical infrastructure networks.

Apart from targeting U.S. critical infrastructure for destructive and disruptive attacks, adversaries continue to use cyber and physical espionage tactics to access and steal sensitive information from US critical infrastructure networks, the 2024 Homeland Threat Assessment report disclosed. “Such information enables pre-positioning for future attacks, gaining insight into our attack response capabilities, and exfiltrating sensitive data for criminal profit or follow‑on intelligence activities. Techniques include the use of AI‑generative software programs to enhance social engineering tactics, which trick targeted individuals into disclosing sensitive information or clicking on malicious web links, for intelligence collection,” it added.

It detailed that Russian government‑affiliated cyber espionage likely will remain a persistent threat to federal, state, and local governments, as well as entities in the defense, energy, nuclear, aviation, transportation, healthcare, education, media, and telecommunications industries.

“Chinese government cyber actors likely will continue to target key critical infrastructure sectors in the United States, including healthcare and public health, financial services, the defense industrial base, government facilities, and communications,” according to the 2024 Homeland Threat Assessment report. “Beijing’s expansion of maritime logistics capabilities and the use of commercial Chinese logistics technologies increase the risk of espionage and potential disruption operations at ports.” 

It added that Iranian government cyber actors continue to employ social engineering tactics, utilize easily accessible scanning and computer hacking tools, and exploit publicly known software and hardware vulnerabilities to conduct cyber espionage against U.S. critical infrastructure entities.

The report also revealed that apart from disrupting the activities of targeted victims and their critical infrastructure sectors, financially motivated criminal cyber actors will likely impose significant financial costs on the US economy in the coming year. “Ransomware groups that target US networks, infrastructure, and proprietary information are developing new methods to improve their ability to financially extort victims. These groups have increased their use of multilevel extortion, in which they encrypt and exfiltrate their targets’ data and typically threaten to publicly release stolen data, use DDoS attacks, or harass the victim’s customers to coerce the victim to pay,” it added.

Last week, three U.S. security agencies jointly published a cybersecurity information sheet (CSI) that provides an overview of synthetic media threats, techniques, and trends. It identifies that such threats, such as deepfakes, have exponentially increased—presenting a growing challenge for users of modern technology and communications, including the National Security Systems (NSS), the Department of Defense (DoD), the Defense Industrial Base (DIB), and national critical infrastructure owners and operators.
