The Cybersecurity and Infrastructure Security Agency (CISA) and other domestic and international agencies published a joint Cybersecurity Advisory (CSA), “People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection,” to highlight a People’s Republic of China (PRC) state-sponsored actor, also known as Volt Typhoon, that is working to compromise networks and conduct malicious activity.
This report provides the cybersecurity community and critical infrastructure organizations with new insights into the specific tactics, techniques, and procedures used by PRC cyber actors to gain and maintain persistent access into critical infrastructure networks.
It highlights how PRC cyber actors use techniques called "living off the land," which enable these actors to avoid detection by using legitimate network administration tools already present on the target. This tactic lets the actor blend in with normal system and network activity, avoid identification by many endpoint detection and response (EDR) products, and limit the amount of activity that is captured in common logging configurations.
Some of the tools named in connection with this activity are PowerShell, Windows Management Instrumentation (WMI), and Mimikatz. The first two are native Windows components whose use by an attacker is hard to distinguish from routine administration; Mimikatz, by contrast, is a third-party credential-dumping tool rather than a built-in utility, so its presence on a host is itself worth alerting on.
The CSA provides technical information that can be used by network defenders to hunt for this activity on their network, including a summary of relevant indicators of compromise (IOC) for quick reference.
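The following is an added example, not code from the advisory or from CISA, of what "hunting for living-off-the-land activity" looks like in practice: a small script that scans process-creation records (the kind produced by Windows Security event 4688 with command-line logging enabled, or Sysmon event ID 1) for invocations of built-in tools that are benign in isolation but suspicious with particular arguments. The sample events are constructed for this illustration, and the rule set is my own choice of commonly abused admin-tool patterns (ntdsutil IFM exports, netsh portproxy, remote WMI process creation, hidden or encoded PowerShell, event-log clearing, Mimikatz command syntax); it does not reproduce the advisory's own indicator list.

```python
"""Hunt process-creation events for living-off-the-land (LOTL) patterns.

Added example; the events below are constructed, and the rules are an
illustrative selection (assumption), not the advisory's indicators.
"""
import re
from typing import Dict, List

# (rule name, regex on the executable path, regex on "image + command line").
# Each pattern targets an argument combination that legitimate admins rarely
# type interactively, which is where LOTL tooling stops "blending in".
RULES = [
    ("ntds_ifm_dump", r"ntdsutil\.exe$", r"(?i)\bifm\b.*\bcreate\s+full\b"),
    ("netsh_portproxy", r"netsh\.exe$", r"(?i)\binterface\s+portproxy\s+add\b"),
    ("wmic_remote_exec", r"wmic\.exe$", r"(?i)(/node:|\bprocess\s+call\s+create\b)"),
    ("powershell_hidden_or_encoded", r"(powershell|pwsh)\.exe$",
     r"(?i)(\s-(e|ec|enc|encodedcommand)\s|-w(indowstyle)?\s+hidden)"),
    ("eventlog_cleared", r"wevtutil\.exe$", r"(?i)\bcl\b|\bclear-log\b"),
    # Mimikatz is not a built-in tool; its module syntax is a giveaway even
    # when the binary has been renamed, so match on the command line too.
    ("mimikatz_credential_dump", r".*", r"(?i)(mimikatz|sekurlsa::|lsadump::)"),
]

# Constructed sample records in the shape of 4688 / Sysmon EID 1 fields.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws07", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Service"},          # benign
    {"host": "dc01", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": r'ntdsutil.exe "ac i ntds" ifm "create full C:\Windows\Temp\ifm" q q'},
    {"host": "srv03", "user": "CORP\\admin2",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh.exe interface portproxy add v4tov4 listenport=9999 "
                "connectaddress=10.1.1.5 connectport=8443"},
    {"host": "ws07", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmdline": r'wmic.exe /node:10.1.1.20 process call create "cmd.exe /c whoami"'},
    {"host": "ws11", "user": "CORP\\mlee",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAEcAZQB0AC0ARABhAHQAZQApAA=="},
    {"host": "srv03", "user": "CORP\\admin2",
     "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmdline": "wmic.exe os get caption,version"},                          # benign
    {"host": "ws11", "user": "CORP\\mlee",
     "image": r"C:\Users\Public\m.exe",
     "cmdline": "m.exe privilege::debug sekurlsa::logonpasswords exit"},
    {"host": "dc01", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil.exe cl Security"},
]


def match_event(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event triggers (empty list = nothing notable)."""
    image = event.get("image", "")
    text = f"{image} {event.get('cmdline', '')}"
    hits = []
    for name, image_re, cmd_re in RULES:
        if re.search(image_re, image, re.IGNORECASE) and re.search(cmd_re, text):
            hits.append(name)
    return hits


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run every rule over every event and collect the ones that fired."""
    findings = []
    for idx, ev in enumerate(events):
        hits = match_event(ev)
        if hits:
            findings.append({"index": idx, "host": ev.get("host"),
                             "user": ev.get("user"), "rules": hits})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['host']:6} {f['user']:18} {', '.join(f['rules'])}")
```

Two caveats a practitioner should keep in mind. First, none of these rules work unless command lines are actually being recorded: event 4688 omits the command line by default and needs the "Include command line in process creation events" policy (or Sysmon) turned on, which is exactly the logging gap the advisory says this actor benefits from. Second, the benign samples above show why the rules key on argument combinations rather than on tool names; alerting on every PowerShell or wmic launch would drown the signal in routine administration.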
Recommended mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) and can help organizations prioritize their investments to most effectively mitigate this activity.
CISA and our partners will continue to provide targeted guidance and capabilities to help organizations address the risk of persistent access by adversaries using living off the land techniques, including through our Remote Monitoring and Management planning effort currently being undertaken by the Joint Cyber Defense Collaborative (JCDC).
All organizations are strongly urged to review this advisory and take the necessary actions to detect whether this activity is present on their networks, apply mitigations to improve their cybersecurity posture, and strengthen resilience to reduce the impact of adversarial activity. With our partners, we will continue to help organizations address the risk of persistent access by adversaries using living off the land techniques.
Additionally, CISA has created a page dedicated to the cyber threat posed by the PRC, which provides an overview of the threat and co-locates all of the PRC-related advisories published by the USG: www.cisa.gov/china. Microsoft also released this week a blog post on Volt Typhoon and the “living off the land” techniques it observed being used against critical infrastructure organizations in Guam and elsewhere in the United States.