A joint Cybersecurity Advisory (CSA) has been issued by several international cybersecurity authorities, including the U.S. National Security Agency (NSA), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Federal Bureau of Investigation (FBI), and agencies from Australia, Canada, New Zealand, and the UK. The advisory warns of a recent surge in cyber activities traced back to a People's Republic of China (PRC) state-sponsored cyber actor known as Volt Typhoon. This actor has been found to infiltrate networks across U.S. critical infrastructure sectors, a tactic that could potentially be used against other sectors worldwide.
The advisory provides an overview of hunting guidance and best practices to detect these activities. Volt Typhoon utilises a tactic known as "living off the land," which involves using built-in network administration tools to blend in with typical system activities, thereby evading detection. Notably, the built-in tools abused by this actor include wmic, ntdsutil, netsh, and PowerShell.
Furthermore, the advisory sheds light on technical details, background information, and potential indicators associated with these techniques. Network and host artefacts, from compromised small office/home office (SOHO) network devices to the usage of Windows Management Instrumentation (WMI/WMIC), PowerShell, Netsh, and Ntdsutil, provide concrete examples of the strategies employed by Volt Typhoon.
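As an added illustration of the living-off-the-land hunting described above (this is not code from the advisory or from the agencies that issued it), the following Python script applies two baseline-style heuristics to constructed Windows process-creation events: a named LOTL tool launched by a parent process outside the expected admin set, and one user running several different LOTL tools on one host within a short window. The expected-parent list, the breadth threshold and the sample events are all assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime

# Built-in Windows tools the advisory names as abused for "living off the land".
LOTL_TOOLS = {"wmic.exe", "ntdsutil.exe", "netsh.exe", "powershell.exe"}
# Parents from which admin use of those tools is routine here (assumed baseline; tune it).
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "mmc.exe", "services.exe"}
# Distinct LOTL tools one user may run on one host per window before flagging (assumed).
BREADTH_THRESHOLD = 3

# Constructed sample process-creation events, not real telemetry:
# timestamp|host|user|parent_image|image|command_line
SAMPLE_EVENTS = """\
2023-05-24T10:01:02Z|WS01|corp\\alice|explorer.exe|powershell.exe|powershell.exe -File backup.ps1
2023-05-24T10:05:10Z|WEB01|corp\\svc_web|w3wp.exe|powershell.exe|powershell.exe -Command Get-Date
2023-05-24T10:06:12Z|DC01|corp\\bob|cmd.exe|wmic.exe|wmic.exe process list brief
2023-05-24T10:06:40Z|DC01|corp\\bob|cmd.exe|netsh.exe|netsh.exe interface show interface
2023-05-24T10:07:05Z|DC01|corp\\bob|cmd.exe|ntdsutil.exe|ntdsutil.exe
2023-05-24T11:30:00Z|WS02|corp\\carol|explorer.exe|powershell.exe|powershell.exe
"""

def parse_events(text):
    # Parse the pipe-delimited sample format into dicts (image names lower-cased).
    events = []
    for line in text.strip().splitlines():
        ts, host, user, parent, image, cmd = line.split("|", 5)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host,
                       "user": user, "parent": parent.lower(), "image": image.lower(), "cmd": cmd})
    return events

def hunt(events, window_minutes=60):
    """Return (rule, host, user, detail) findings for the two LOTL heuristics."""
    findings, sessions = [], defaultdict(list)  # sessions: (host, user) -> [(ts, image)]
    for e in events:
        if e["image"] not in LOTL_TOOLS:
            continue
        if e["parent"] not in EXPECTED_PARENTS:  # heuristic 1: launched by an unexpected parent
            findings.append(("unexpected-parent", e["host"], e["user"],
                             f'{e["image"]} spawned by {e["parent"]}'))
        sessions[(e["host"], e["user"])].append((e["ts"], e["image"]))
    # Heuristic 2: one user touching many different LOTL tools on one host in a short window.
    for (host, user), runs in sessions.items():
        runs.sort()
        for i, (start, _) in enumerate(runs):
            tools = {img for ts, img in runs[i:] if (ts - start).total_seconds() <= window_minutes * 60}
            if len(tools) >= BREADTH_THRESHOLD:
                findings.append(("tool-breadth", host, user, ", ".join(sorted(tools))))
                break
    return findings
if __name__ == "__main__":
    for finding in hunt(parse_events(SAMPLE_EVENTS)):
        print(*finding, sep="  ")
```

On the sample data the script flags the PowerShell launch from the web-server worker process and the DC01 session that runs wmic, netsh and ntdsutil within one minute; in production the parent baseline and threshold must come from the environment's own telemetry.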
In response to these cyber threats, the advisory recommends employing best-practice network security and endpoint detection and response (EDR) products, a robust patch management programme, a least-privilege access model, and regular data backups protected from unauthorised access. It also encourages the use of strong, unique passwords and enabling multi-factor authentication wherever possible.
This advisory represents a critical step in ensuring international cooperation in cybersecurity and offering guidance to network defenders to detect and mitigate potential threats linked to state-sponsored cyber activities.