Nicole Perlroth
Podcast Appearances
They can't deflect attacks on those private systems or even hunt there unless they've got a court order or they're invited in. To a large degree, when it comes to these living-off-the-land attacks, we're flying blind. Our second big gaping vulnerability is that the United States is among the most digitally dependent nations on earth.
We've been baking technology, code into everything with security as little more than an afterthought. We let software eat the world. And we did it with this, quote unquote, move fast and break things approach, as Mark Zuckerberg coined Facebook's motto in its early days.
The idea was just get the application, get the code, get the router to market, and we can worry about the bugs and security issues later. What this means, in effect, is that we've been plugging vulnerable software and hardware into our infrastructure with little, if any, security baked in by default.
And then we leave it to these businesses and critical infrastructure operators like Nick Lawler and Littleton to figure out the security piece on the backend. The people who designed routers never thought that one day they'd be the linchpin for advanced nation-state attacks.
And China has been using all of this to its advantage because by 2020, most Americans had grown somewhat wise to China's ways. If an IT operator picked up some unnerving traffic coming from a Chinese server, they knew to look into it. But Volt Typhoon, these Chinese infrastructure hackers, they weren't breaking in from Chinese servers anymore.
They're coming in from routers inside the country, precisely where our intelligence agencies can't look. Remember way back in episode three, Keep Machine in Welding, when China's hackers broke in and used the Wisconsin welding shop server to hack major American businesses? Well, China's living-off-the-land hackers are running the same playbook. Only now they're using Americans' home routers.
Here's John Hultquist, Mandiant's chief intelligence analyst.
That last bit, it's an understatement. Volt Typhoon made a habit out of targeting home routers that, as I was saying earlier, were sold without security baked in. To break into these routers, hackers only need to type in the default password, usually admin. And even if the user has bothered to change the password, these routers are riddled with vulnerabilities.
And in too many cases, they've reached quote-unquote end of life, which basically means that even when we detect a vulnerability, there is no patch to install, no technical support. They're just sitting ducks. And by 2020, China's Volt Typhoon hackers started capturing these home routers en masse and using them as a launchpad to infiltrate U.S. critical infrastructure.
Think of a botnet like the iconic Spider-Man villain, Doc Ock, that evil mastermind who wields his robotic, tentacle-like arms. Only in this case, his tentacles are hooked into hundreds, thousands of these vulnerable home routers, commanding them to infiltrate America's critical infrastructure. You lose.