Written by staff writer.
The Australian Cyber Security Centre has released a joint advisory with international partners on a recently discovered cluster of activity associated with a People’s Republic of China (PRC) state-sponsored cyber actor, also known as Volt Typhoon.
The advisory provides an overview of hunting guidance and best practices to detect the cyber actor’s activity. Networks across U.S. critical infrastructure sectors are currently affected, and it is believed that the actor could apply the same techniques against other sectors worldwide.
One of the primary tactics, techniques, and procedures (TTPs) used by the cyber actor is living off the land, which uses built-in network administration tools. This allows the actor to evade detection by blending in with normal Windows system and network activities. They can avoid endpoint detection and response (EDR) products that would provide an alert on the introduction of third-party applications to the host, and limit the amount of activity that is captured in default logging configurations.
Private sector partners have identified that this activity affects networks across U.S. critical infrastructure sectors, and the authoring agencies believe the actor could apply the same techniques against these and other sectors worldwide.
The international advisory has been issued from the United States National Security Agency (NSA), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Federal Bureau of Investigation (FBI), the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the Communications Security Establishment’s Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), and the United Kingdom National Cyber Security Centre (NCSC-UK) (hereafter referred to as the “authoring agencies”) provides an overview of hunting guidance and associated best practices to detect this activity.
One of the actor’s primary TTPs is living off the land, which uses built-in network administration tools to perform their objectives. This TTP allows the actor to evade detection by blending in with normal Windows system and network activities, avoid endpoint detection and response (EDR) products that would alert on the introduction of third-party applications to the host, and limit the amount of activity that is captured in default logging configurations. Some of the built-in tools this actor uses are: wmic, ntdsutil, netsh, and PowerShell. The advisory provides examples of the actor’s commands along with detection signatures to aid network defenders in hunting for this activity. Many of the behavioral indicators included can also be legitimate system administration commands that appear in benign activity. Care should be taken not to assume that findings are malicious without further investigation or other indications of compromise.