CISA Alert AA23-144A – People's Republic of China state-sponsored cyber actor living off the land to evade detection.
This is a CISA Cybersecurity Alert.
ID number Alpha Alpha Two Three tack One Four Four Alpha.
Original release date May 24th, 2023.
Cybersecurity authorities are issuing this joint Cybersecurity Advisory to highlight a recent cluster of activity associated with a People’s Republic of China state-sponsored cyber actor, also known as Volt Typhoon. Private sector partners have identified that this activity affects networks across U.S. critical infrastructure sectors, and the authoring agencies believe the actor could apply the same techniques against these and other sectors worldwide.
One of the actor’s primary TTPs is living off the land, in which the actor uses built-in network administration tools to achieve its objectives. This TTP allows the actor to evade detection by blending in with normal Windows system and network activity, to avoid endpoint detection and response products that would alert on the introduction of third-party applications to the host, and to limit the amount of activity that is captured in default logging configurations.
The advisory provides examples of the tools used by the actor and associated commands along with detection signatures to aid network defenders in hunting for this activity. Many of the behavioral indicators can also be legitimate system administration commands that appear in benign activity. Care should be taken not to assume that findings are malicious without further investigation or other indications of compromise.
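Hunting for this kind of blending-in, as an added example (not code from the advisory or from CISA): a baseline-and-deviation check over constructed Windows process-creation records, where every lead carries the reasons it was raised so an analyst can rule out benign administration, as the advisory cautions. The tool list, the parent allowlist and the working-hours window are assumptions for the example.

```python
from datetime import datetime
from pathlib import PureWindowsPath

# Built-in Windows administration binaries the hunt pays attention to.
# Assumed list for this example, not the advisory's tool list.
ADMIN_TOOLS = {"netsh.exe", "net.exe", "wmic.exe", "reg.exe", "ntdsutil.exe", "powershell.exe"}
# Parents from which an administrator would normally launch these tools (assumption).
INTERACTIVE_PARENTS = {"cmd.exe", "powershell.exe", "explorer.exe"}

# Constructed process-creation records shaped like Windows Security event 4688.
# Sample data for this example, not indicators from the advisory.
BASELINE = [  # a period believed to contain only legitimate administration
    {"host": "ws01", "user": "admin1", "image": r"C:\Windows\System32\netsh.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "time": "2023-05-01T10:02:00"},
    {"host": "ws01", "user": "admin1", "image": r"C:\Windows\System32\wbem\wmic.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "time": "2023-05-02T11:15:00"},
]
HUNT = [  # the period being hunted
    {"host": "ws01", "user": "admin1", "image": r"C:\Windows\System32\netsh.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "time": "2023-05-20T09:30:00"},
    {"host": "web02", "user": "svc_web", "image": r"C:\Windows\System32\netsh.exe",
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "time": "2023-05-21T03:12:00"},
]

def exe(path):
    return PureWindowsPath(path).name.lower()

def build_baseline(records):
    """(host, user, tool) combinations seen while administration was known to be benign."""
    return {(r["host"], r["user"], exe(r["image"])) for r in records if exe(r["image"]) in ADMIN_TOOLS}

def hunt(records, baseline, work_hours=(6, 20)):
    """Return leads for built-in admin tool use that deviates from the baseline.
    Each signal also occurs in legitimate administration, so a lead is a
    starting point for investigation, not a verdict."""
    leads = []
    for r in records:
        tool = exe(r["image"])
        if tool not in ADMIN_TOOLS:
            continue
        reasons = []
        if (r["host"], r["user"], tool) not in baseline:
            reasons.append("tool not previously seen for this account on this host")
        if exe(r["parent"]) not in INTERACTIVE_PARENTS:
            reasons.append(f"launched by non-interactive parent {exe(r['parent'])}")
        hour = datetime.fromisoformat(r["time"]).hour
        if not work_hours[0] <= hour < work_hours[1]:
            reasons.append(f"executed outside working hours ({hour:02d}:00)")
        if reasons:
            leads.append({"host": r["host"], "user": r["user"], "tool": tool, "reasons": reasons})
    return leads
```

On the sample data only the service-account launch on web02 is returned, with all three reasons; the administrator repeating a baselined command is not.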
The authors encourage organizations to implement the recommendations in the Mitigations section of this alert to reduce the likelihood and impact of similar incidents. The alert documentation linked in the show notes includes additional technical details, IOCs, mitigations, and response recommendations.
To report incidents and anomalous activity or to request incident response resources or technical assistance, contact CISA at firstname.lastname@example.org, call (888) 282-0870, or report incidents to your local FBI field office.
This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by N2K Networks as a public service. Please visit www dot cisa dot gov to read the full report which may include additional details, links, and illustrations.
A link to this report can be found in the show notes.
This has been a CISA Cybersecurity Alert.