First published: 25 May 2023
Last updated: 25 May 2023

Content written for

Individuals & families
Small & medium business
Large organisations & infrastructure
Government

Today we released a joint advisory with international partners on a recently discovered cluster of activity associated with a People’s Republic of China (PRC) state-sponsored cyber actor.

Produced in partnership with the United States National Security Agency (NSA), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Federal Bureau of Investigation (FBI), the Communications Security Establishment’s Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), and the United Kingdom National Cyber Security Centre (NCSC-UK), the advisory provides an overview of hunting guidance and best practices for detecting the cyber actor’s activity. Networks across U.S. critical infrastructure sectors are currently affected, and it is assessed that the actor could apply the same techniques against other sectors worldwide.

One of the primary tactics, techniques, and procedures (TTPs) used by the cyber actor is living off the land: using administration and networking tools already built into the operating system rather than introducing its own. This lets the actor evade detection by blending in with normal Windows system and network activity. It sidesteps endpoint detection and response (EDR) products that would alert on the introduction of third-party applications to a host, and it limits the amount of activity captured under default logging configurations.
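The following is an added illustration of what hunting for living-off-the-land activity looks like in practice; it is not code from ASD/ACSC or from the joint advisory. It walks Windows process-creation records (the fields of Security event ID 4688), flags built-in administration binaries used with argument patterns or parent processes that warrant triage, and surfaces the logging gap the paragraph above describes: with default auditing, no command line is recorded, so a benign `netsh` and a malicious one look identical. The binary list, argument patterns, parent list and sample events are all constructed for this example and are not the advisory's published commands or signatures.

```python
"""Illustrative living-off-the-land (LOTL) hunt over Windows process-creation
events.  Added example for this page, not code from ASD/ACSC or from the
joint advisory; the binary list, argument patterns, parent list and sample
events are constructed for the illustration, not the advisory's signatures."""
import re
from dataclasses import dataclass
from ntpath import basename


@dataclass(frozen=True)
class ProcEvent:
    """Subset of the fields a Windows Security event ID 4688 (process
    creation) carries.  `cmdline` is empty unless the policy
    'Include command line in process creation events' is enabled."""
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


# Built-in Windows administration binaries that blend in with normal activity.
# Assumed example set for this illustration.
LOTL_BINARIES = {"cmd.exe", "powershell.exe", "netsh.exe", "wmic.exe",
                 "ntdsutil.exe", "reg.exe", "net.exe", "vssadmin.exe"}

# Argument patterns worth a second look on a LOTL binary.  Assumed examples
# drawn from common ATT&CK techniques, not the advisory's signatures.
SUSPICIOUS_ARGS = (
    (re.compile(r"\bportproxy\b", re.I), "netsh portproxy: host-based traffic forwarding"),
    (re.compile(r"\bntds\b", re.I), "access to the Active Directory NTDS database"),
    (re.compile(r"\bshadow\b", re.I), "volume shadow copy interaction"),
    (re.compile(r"-enc(odedcommand)?\b", re.I), "encoded PowerShell command"),
)

# Parents that should rarely spawn an admin shell (assumed examples).
UNUSUAL_PARENTS = {"w3wp.exe", "httpd.exe", "tomcat.exe", "sqlservr.exe"}


def hunt(events):
    """Return a list of (event, reason) findings for events in which a
    built-in admin tool is used in a way a defender should triage."""
    findings = []
    for ev in events:
        image = basename(ev.image).lower()
        if image not in LOTL_BINARIES:
            continue
        # Default logging gap: without the command line a benign and a
        # malicious invocation are indistinguishable, so report the gap itself.
        if not ev.cmdline.strip():
            findings.append((ev, "no command line captured; enable command-line auditing"))
            continue
        parent = basename(ev.parent).lower()
        if parent in UNUSUAL_PARENTS:
            findings.append((ev, f"{image} spawned by unusual parent {parent}"))
        for pattern, label in SUSPICIOUS_ARGS:
            if pattern.search(ev.cmdline):
                findings.append((ev, label))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent("host1", "CORP\\admin", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\netsh.exe",
              "netsh interface portproxy add v4tov4 listenport=9999 "
              "connectaddress=10.0.0.5 connectport=443"),
    ProcEvent("host1", "CORP\\admin", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\ntdsutil.exe",
              'ntdsutil "ac i ntds" ifm "create full C:\\temp\\dump" q q'),
    ProcEvent("web1", "IIS APPPOOL\\site", r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcEvent("host2", "CORP\\user", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
    ProcEvent("host3", "CORP\\svc", r"C:\Windows\System32\services.exe",
              r"C:\Windows\System32\wmic.exe", ""),
]

if __name__ == "__main__":
    for ev, reason in hunt(SAMPLE_EVENTS):
        print(f"{ev.host} {ev.user} {basename(ev.image)} :: {reason} :: {ev.cmdline}")
```

Run against the constructed sample it reports the portproxy and NTDS invocations, the shell spawned by a web server worker, and the `wmic.exe` event whose command line was never logged. The last case is the one to act on first: until process command-line auditing is enabled, hunts like this cannot tell a legitimate administrator from an intruder using the same binaries, and the advisory's own detection signatures depend on that telemetry being present.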

The People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection joint advisory provides examples of the cyber actor’s commands, along with detection signatures to aid network defenders in hunting for this activity.
