An international consortium of cybersecurity agencies, led by the United States, has issued a joint Cybersecurity Advisory (CSA) about an emerging threat posed by a Chinese state-sponsored cyber actor known as Volt Typhoon. The advisory underlines that Volt Typhoon has been found targeting critical infrastructure sectors in the U.S., with the potential for similar activity against targets worldwide.
The CSA, a collective effort of the U.S. National Security Agency (NSA), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), and the United Kingdom National Cyber Security Centre (NCSC-UK), offers guidance and best practices to detect and counter these threats.
Volt Typhoon primarily relies on a stealthy tactic known as “living off the land,” which means using native network administration tools to achieve its objectives. This approach lets the actor blend in with normal Windows system and network activity, evade endpoint detection and response (EDR) products, and leave a minimal forensic footprint. Notably, the actor employs built-in tools such as wmic, ntdsutil, netsh, and PowerShell. The advisory includes examples of the actor’s commands and detection signatures to help identify this activity, while warning that some of these commands may be indistinguishable from benign system commands and therefore require careful analysis.
Drawing on the recent activity of this Chinese state-sponsored actor, the CSA outlines potential indicators associated with these techniques. It provides numerous network and host artifacts, focusing on the command lines the actor has used after initial compromise. The advisory also includes a summary of Indicators of Compromise (IOCs).
However, given the nature of living off the land techniques, some of these command lines can also result from benign activity, producing false positives. Network defenders must therefore evaluate each instance in light of their knowledge of their own systems and of baseline behavior. Variability in command string arguments, such as differing port numbers, should also be accounted for when writing detection logic.
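The two cautions above (argument variability and baseline-driven false positives) translate directly into how detection logic should be written. The following is an added illustration, not code from the advisory: it normalizes numeric port arguments before matching, so one signature covers any port choice, and suppresses matches that an analyst has already verified as routine for a given host. The event records, host names and baseline entries are constructed samples.

```python
import re
from collections import Counter

# Constructed sample process-creation records (host, user, command line); not from the advisory.
SAMPLE_EVENTS = [
    ("dc01", "CORP\\svc_backup", 'ntdsutil snapshot "list all" quit quit'),   # routine DC job
    ("ws-hr-12", "CORP\\jsmith", 'ntdsutil snapshot "list all" quit quit'),   # same command, unexpected host
    ("ws-hr-12", "CORP\\jsmith", "netsh interface portproxy add v4tov4 "
     "listenport=9999 connectport=8443 connectaddress=192.0.2.7"),
    ("ws-hr-12", "CORP\\jsmith", "netsh interface portproxy add v4tov4 "
     "listenport=50100 connectport=443 connectaddress=192.0.2.7"),
    ("ws-eng-03", "CORP\\akim", "netsh advfirewall show allprofiles"),        # benign netsh use
    ("ws-eng-03", "CORP\\akim", "wmic os get caption,version"),               # benign inventory query
]

PORT_ARG = re.compile(r"\b(listenport|connectport|port)=\d+\b")

def normalize(cmd: str) -> str:
    """Lower-case, collapse whitespace and replace numeric port arguments with a
    placeholder so one signature covers every port the actor might choose."""
    cmd = " ".join(cmd.split()).lower()
    return PORT_ARG.sub(r"\1=<PORT>", cmd)

# Signatures are written against the normalized command line.
SIGNATURES = {
    "netsh-portproxy": re.compile(r"^netsh(\.exe)? interface portproxy add "),
    "ntdsutil-exec": re.compile(r"^ntdsutil(\.exe)?\b"),
}

# Constructed baseline: (host, normalized command) pairs an analyst has verified as routine.
BASELINE = {("dc01", normalize('ntdsutil snapshot "list all" quit quit'))}

def triage(events, signatures=SIGNATURES, baseline=BASELINE):
    """Return (host, user, rule, normalized_cmd) for events that match a signature
    and are not explained by the baseline; everything else is left out as benign."""
    hits = []
    for host, user, cmd in events:
        norm = normalize(cmd)
        for rule, pattern in signatures.items():
            if pattern.search(norm) and (host, norm) not in baseline:
                hits.append((host, user, rule, norm))
    return hits

def distinct_signatures(hits):
    """Count how many raw events collapse onto each (rule, normalized command) pair."""
    return Counter((rule, norm) for _, _, rule, norm in hits)

if __name__ == "__main__":
    for host, user, rule, norm in triage(SAMPLE_EVENTS):
        print(f"{rule:16} {host:10} {user:18} {norm}")
```

On the sample data the two netsh events with different ports collapse onto a single normalized signature, the ntdsutil run on the domain controller is suppressed by the baseline, and the same command on a workstation is surfaced for review.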