Background / What has happened?
In May 2023, the Australian Signals Directorate’s Australian Cyber Security Centre (ASD's ACSC), in conjunction with the US National Security Agency (NSA), the US Cybersecurity and Infrastructure Security Agency (CISA), the US Federal Bureau of Investigation (FBI), the Communications Security Establishment’s Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ) and the United Kingdom National Cyber Security Centre (NCSC-UK), released the Cybersecurity Advisory “People’s Republic of China State-Sponsored Cyber Actor Living Off the Land to Evade Detection”.
This advisory highlights a recently-discovered cluster of activity affecting networks across US critical infrastructure sectors, and provides threat hunting advice and best practices for network defenders to detect related activity.
The advisory details the tactics, techniques and procedures (TTPs) employed by the threat actor, which primarily involve the use of built-in Windows tools on compromised hosts to achieve their objectives. This is known as “living off the land”: because the actor relies on tools already present on the host, its activity blends in with normal Windows system and network activity and avoids the security alerts that installing new tooling would trigger.
The authoring agencies assess there is significant risk these TTPs could be employed by the actor against critical infrastructure (CI) and other sectors worldwide.
Mitigation / How do I stay secure?
Given the potential threat to CI sectors outside the US, the ASD's ACSC strongly encourages Australian organisations to review the advisory, reported TTPs and indicators of compromise (IOCs) and investigate their networks for signs of potential malicious activity. By design, “living off the land” is intended to resemble legitimate system and network activity, so any findings should not be assumed malicious without further investigation.
To maximise opportunities to detect malicious activity, the ASD's ACSC recommends Australian organisations review and optimise their logging configurations. Advice to support both the detection and investigation of malicious activity is available at Windows Event Logging and Forwarding.
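The logging review recommended above can be started with a read-only check of the Windows audit settings that most directly expose "living off the land" activity: process creation auditing with command lines recorded, and PowerShell script block and module logging. The script below is an added example, not part of the ASD's ACSC alert or the Windows Event Logging and Forwarding guidance; the registry paths and `auditpol` subcategory are the standard Windows policy locations, while the 1 GB Security log size threshold and the 24-hour event window are assumptions chosen for illustration.

```powershell
# Added example (not from the ASD ACSC alert): report whether the Windows audit
# settings most useful for spotting "living off the land" activity are enabled.
# Read-only: it queries policy state and recent event counts and changes nothing.
# Run in an elevated PowerShell session on the host being checked.

function Test-PolicyDword {
    # Returns $true when the named DWORD exists under $Path and is set to 1.
    param([string]$Path, [string]$Name)
    try {
        $value = Get-ItemPropertyValue -Path $Path -Name $Name -ErrorAction Stop
        return ($value -eq 1)
    } catch {
        return $false
    }
}

function Get-ProcessCreationAuditSetting {
    # auditpol /r emits CSV; drop blank lines before parsing and return the
    # "Inclusion Setting" column, e.g. "Success", "Success and Failure" or "No Auditing".
    $rows = auditpol /get /subcategory:"Process Creation" /r |
        Where-Object { $_ -match '\S' } | ConvertFrom-Csv
    return ($rows | Select-Object -First 1 -ExpandProperty 'Inclusion Setting')
}

function Get-RecentEventCount {
    # Count events of one ID in a log over the last $Hours hours.
    # Get-WinEvent throws when nothing matches, so treat that as zero.
    param([string]$LogName, [int]$Id, [int]$Hours = 24)
    $filter = @{ LogName = $LogName; Id = $Id; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    return ($events | Measure-Object).Count
}

$auditPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
$psPolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$minSecurityLogBytes = 1GB   # assumed threshold for this example; size to your retention needs

$securityLog = Get-WinEvent -ListLog Security

$checks = [ordered]@{
    # Security 4688 (process creation) requires the subcategory to audit Success.
    'Process Creation auditing (Security 4688)' =
        (Get-ProcessCreationAuditSetting) -match 'Success'
    # Without this, 4688 records the image path but not the command line the actor typed.
    'Command line captured in 4688' =
        Test-PolicyDword $auditPolicyKey 'ProcessCreationIncludeCmdLine_Enabled'
    # PowerShell 4104 events carry the de-obfuscated script text.
    'PowerShell script block logging (4104)' =
        Test-PolicyDword "$psPolicyKey\ScriptBlockLogging" 'EnableScriptBlockLogging'
    'PowerShell module logging (4103)' =
        Test-PolicyDword "$psPolicyKey\ModuleLogging" 'EnableModuleLogging'
    # A small Security log overwrites the evidence before an investigation begins.
    "Security log max size >= $($minSecurityLogBytes / 1MB) MB" =
        $securityLog.MaximumSizeInBytes -ge $minSecurityLogBytes
}

# Show whether each setting is on, plus how much data it produced in the last 24 hours,
# so an empty count on an "enabled" setting stands out as something to investigate.
$checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Enabled = $_.Value }
} | Format-Table -AutoSize

[pscustomobject]@{
    'Security 4688 events (24h)'        = Get-RecentEventCount 'Security' 4688
    'PowerShell 4104 events (24h)'      = Get-RecentEventCount 'Microsoft-Windows-PowerShell/Operational' 4104
    'Security log current size (MB)'    = [math]::Round($securityLog.FileSize / 1MB, 1)
} | Format-List
```

The settings reported here are the ones the hosts' own logs depend on; forwarding those events to a central collector, as the referenced guidance describes, is what makes them available after a host has been tampered with. A setting that shows as enabled but has produced no events in 24 hours is itself worth following up, since it usually means the policy is set on the host but not applied, or the log is being cleared.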
For further information, please see:
- People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection advisory
- Volt Typhoon targets US critical infrastructure with living-off-the-land techniques
Assistance / Where can I go for help?
In addition to reviewing the advisory, which contains an overview of actor TTPs and detection and mitigation recommendations, the ASD's ACSC recommends that all Australian critical infrastructure entities remain vigilant and continue to secure and monitor their networks for evidence of targeting or compromise.
The ASD's ACSC is monitoring the situation and is able to provide advice and assistance as required. If you find evidence of targeting or compromise, please report it to the ASD's ACSC via 1300 CYBER1 (1300 292 371), or https://cyber.gov.au/report-and-recover/report.