2024-02-08
Chinese State-Sponsored Cyber Espionage Group Maintained Persistent Access in US Critical Infrastructure Systems
In a joint advisory, the US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the FBI, and cybersecurity agencies in Canada, the UK, Australia, and New Zealand warn that state-sponsored threat actors from the People's Republic of China maintained a presence in US critical infrastructure systems for at least five years before being detected. The group, known as Volt Typhoon, is known to use living-off-the-land techniques, abusing legitimate built-in tools rather than custom malware, to maintain persistent access in targeted systems. The same group of agencies has also jointly issued a publication titled "Identifying and Mitigating Living Off the Land Techniques."
Editor's Note
The attack "only" affected critical infrastructure systems. But at the same time, the techniques used will likely be used by other actors as well. Read the reports considering how you would prevent or detect these attacks against your systems.
Johannes Ullrich
I would give this a good read. This group is a bit more than opportunistic. It shows how they can leverage bugs in the VPN provider kit to get in and persist. I believe this group also targeted the same residential systems we all use. The fact that these threat actor groups are working this way is not by chance; the data is valuable to them.
Moses Frost
Make sure your team realizes that living-off-the-land techniques are not hypothetical or classroom exercises; they are in fact actively used. The mitigations should be basic cyber hygiene: apply patches for Internet-facing systems and services, deploy phishing-resistant MFA, ensure logging is turned on for both application and OS activities, and that you're storing the logs in a central logging system. Make sure you're equipping your team with current tools to help automate these processes wherever possible.
Lee Neely
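As an added example, not part of the advisory, the LOTL guidance, or any of the commentary above: the point of centralizing process-creation logs is that living-off-the-land activity only stands out in the command lines of otherwise legitimate binaries, and only once expected administrative use has been baselined. The script below runs a handful of illustrative command-line rules over constructed process-creation records and suppresses detections that an allowlist marks as known-good for a given host, user and rule. The field layout, the sample lines, the rule patterns and the allowlist are this example's own assumptions; a production rule set should be derived from the joint guidance and from your own environment's baseline, and ingest the raw events (Windows Security 4688 or Sysmon Event ID 1) rather than this flattened form.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events, flattened to
# host|user|parent_image|image|command_line (the fields Windows Security
# event 4688 / Sysmon Event ID 1 supply). Sample lines written for this
# example, not telemetry from any real incident.
SAMPLE_EVENTS = [
    r"dc01|CORP\svc_backup|services.exe|C:\Windows\System32\ntdsutil.exe|"
    r'ntdsutil.exe "ac i ntds" ifm "create full C:\temp\ifm" q q',
    r"fw-jump|CORP\jdoe|cmd.exe|C:\Windows\System32\netsh.exe|"
    r"netsh interface portproxy add v4tov4 listenport=9999 listenaddress=0.0.0.0 "
    r"connectport=8443 connectaddress=10.0.0.5",
    r"ws042|CORP\jdoe|explorer.exe|C:\Windows\System32\notepad.exe|"
    r"notepad.exe C:\Users\jdoe\notes.txt",
    r"ws042|CORP\jdoe|cmd.exe|C:\Windows\System32\netsh.exe|"
    r"netsh wlan show profiles",
    r"srv07|CORP\helpdesk|cmd.exe|C:\Windows\System32\wbem\WMIC.exe|"
    r'wmic /node:srv08 process call create "cmd /c whoami"',
    r"ws013|CORP\asmith|explorer.exe|"
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"
    r"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
]


@dataclass(frozen=True)
class Event:
    host: str
    user: str
    parent: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Detection:
    rule: str
    host: str
    user: str
    command_line: str


# Illustrative LOTL rules chosen for this example (rule name, regex over the
# command line). Each matches a specific abusive *usage* of a legitimate
# built-in tool, not the tool's presence, which is why the plain
# "netsh wlan show profiles" line below does not fire.
LOTL_RULES = [
    ("ntdsutil_ifm_dump",
     re.compile(r"\bntdsutil(?:\.exe)?\b.*\bac\s+i\s+ntds\b.*\bifm\b", re.I)),
    ("netsh_portproxy_add",
     re.compile(r"\bnetsh(?:\.exe)?\b.*\binterface\s+portproxy\s+add\b", re.I)),
    ("wmic_remote_process_create",
     re.compile(r"\bwmic(?:\.exe)?\b.*/node:.*\bprocess\s+call\s+create\b", re.I)),
    ("powershell_encoded_command",
     re.compile(r"\bpowershell(?:\.exe)?\b.*\s-(?:e|ec|enc|encodedcommand)\s", re.I)),
]


def parse_event(line: str) -> Event:
    """Split one flattened record; the command line may itself contain '|'."""
    host, user, parent, image, cmd = line.split("|", 4)
    return Event(host, user, parent, image, cmd)


def detect(lines, allowlist=frozenset()):
    """Run every rule over every event. allowlist holds (host, user, rule)
    tuples that have been baselined as expected administrative activity, so
    a DC backup account legitimately using ntdsutil does not page anyone."""
    detections = []
    for line in lines:
        ev = parse_event(line)
        for rule, pattern in LOTL_RULES:
            if pattern.search(ev.command_line) and (ev.host, ev.user, rule) not in allowlist:
                detections.append(Detection(rule, ev.host, ev.user, ev.command_line))
    return detections


def rule_names(detections):
    return [d.rule for d in detections]


if __name__ == "__main__":
    baseline = frozenset({("dc01", r"CORP\svc_backup", "ntdsutil_ifm_dump")})
    for d in detect(SAMPLE_EVENTS, baseline):
        print(f"[{d.rule}] {d.host} {d.user}: {d.command_line}")
```

With an empty allowlist all four suspicious lines fire; with the `dc01`/`svc_backup` baseline entry the scheduled NTDS export is suppressed and the port proxy, remote WMI process creation and encoded PowerShell remain. The allowlist is keyed on host, user and rule together on purpose: baselining ntdsutil for a backup account on one domain controller should not silence the same command from a workstation user.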
Read more in
CISA: PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure
CISA: Identifying and Mitigating Living Off the Land Techniques
Cyberscoop: Feds: Chinese hacking operations have been in critical infrastructure networks for five years
Bleeping Computer: Chinese hackers hid in US infrastructure network for 5 years