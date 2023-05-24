The National Security Agency (NSA) and its partners have identified Indicators of Compromise (IOCs) associated with a state-sponsored cyber actor in the People’s Republic of China (PRC) that uses living off the land techniques to target networks across US critical infrastructure.

“Cyber actors find it easier and more efficient to use capabilities already built into critical infrastructure environments. A PRC state-sponsored actor lives off the land, uses built-in networking tools to evade our defenses, and leaves no trace behind,” said Rob Joyce, Director of Cybersecurity at the NSA. “It requires us to work together to find and remove the actor from our critical networks.”

To help network defenders hunt for and detect this type of malicious PRC actor activity on their systems, the NSA is leading US agencies and Five Eyes partners in publicly releasing the “People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection” Cybersecurity Advisory (CSA) today. Partner agencies include:

• US Cybersecurity and Infrastructure Security Agency (CISA)

• US Federal Bureau of Investigation (FBI)

• Australian Cyber Security Centre (ACSC)

• Canadian Centre for Cyber Security (CCCS)

• New Zealand National Cyber Security Centre (NCSC-NZ)

• United Kingdom National Cyber Security Centre (NCSC-UK)

“For years, China has conducted operations around the world to steal intellectual property and sensitive data from critical infrastructure organizations around the world,” said Jen Easterly, Director of CISA. “Today’s advisory, released in conjunction with our U.S. and international partners, reflects how China is using highly sophisticated means to target our nation’s critical infrastructure. This joint advisory will give network defenders more information on how to detect and mitigate this malicious activity. At the same time, we must recognize the agility and capability of PRC cyber actors, and continue to focus on strong cybersecurity practices such as network segmentation and continued investments in promoting resilience of critical functions in all conditions. As our country’s cyber defense agency, CISA stands ready to assist any affected organization and we encourage all organizations to visit our webpage for advice and resources to make their networks more resilient.”

“The FBI continues to warn against China engaging in malicious activity to target critical infrastructure organizations and using identified techniques to mask their detection,” said Bryan Vorndran, Deputy Director of the FBI’s Cyber Division. “We, along with our federal and international partners, will not allow the PRC to continue to use these unacceptable tactics. The FBI strives to share information with our private sector partners and the public to ensure that they can better protect themselves against this targeted malicious activity.”

“It is vital that operators of critical national infrastructure take steps to prevent attackers from lurking on their systems, as described in this joint advisory with our international partners,” said Paul Chichester, NCSC Director of Operations. “We strongly encourage UK essential service providers to follow our advice to help detect this malicious activity and prevent persistent compromises.”

“The Canadian Centre for Cyber Security joins its international partners in sharing this newly identified threat and accompanying mitigation measures with critical infrastructure sectors,” said Sami Khoury, Head of the Canadian Centre for Cyber Security. “The interconnected nature of our infrastructures and economies underscores the importance of working with our allies to identify and share threat information in real time.”

The CSA provides an overview of hunting tips and associated best practices. It includes examples of actor commands and detection signatures. The authoring agencies also include a summary of Indicators of Compromise (IOC) values, such as unique command-line strings, hashes, file paths, exploitation of CVE-2021-40539 and CVE-2021-27860, and file names commonly used by this actor.

As one of their primary tactics, techniques, and procedures (TTPs) for living off the land, the PRC actor uses tools already installed or integrated into a target’s system. This allows the actor to evade detection by blending in with Windows systems and normal network activity, avoiding endpoint detection and response (EDR) products, and limiting the amount of activity captured in default logging configurations.

The NSA recommends that network defenders apply the detection and hunting guidance in the CSA, such as logging and monitoring command-line execution and WMI events, and ensuring log integrity by using a hardened centralized logging server, preferably on a segmented network.

Defenders should also monitor logs for Event ID 1102, which is generated when the audit log is cleared.

Behavioral indicators noted in the CSA may also be legitimate system administration commands that appear in benign activity. Defenders should evaluate matches to determine their significance, applying their knowledge of the system and its baseline behavior.
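The following is an added example, not code from the advisory or the NSA: it applies the three points above (command-line logging, Event ID 1102, and judging matches against a host baseline) to constructed sample events. The watchlist of built-in tools and the use of Event ID 4688 for process creation are assumptions for the illustration; the CSA’s own IOC list is the real source.

```python
"""Added example (not from the advisory): triage constructed Windows Security
events per the hunting guidance: command-line logging, Event ID 1102, baseline review."""
import ntpath
from collections import defaultdict

# Assumed watchlist of built-in tools reused by living-off-the-land activity;
# a real deployment takes this from the CSA's IOC list, not this placeholder.
WATCHLIST = {"wmic.exe", "netsh.exe", "ntdsutil.exe", "powershell.exe"}
LOG_CLEARED = 1102      # audit log cleared
PROCESS_CREATED = 4688  # process creation; needs command-line auditing enabled

def exe_name(cmd):
    """Lower-cased executable name from a logged command line (handles quoted paths)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        first = cmd[1:].split('"', 1)[0]
    else:
        first = cmd.split(None, 1)[0] if cmd else ""
    return ntpath.basename(first).lower()

def build_baseline(history):
    """Per-host set of executables observed during a known-good period."""
    base = defaultdict(set)
    for ev in history:
        if ev["id"] == PROCESS_CREATED:
            base[ev["host"]].add(exe_name(ev["cmd"]))
    return base

def triage(events, baseline):
    """1102 is always high; a watchlisted tool is medium when new for the host,
    low (review against admin knowledge) when it is already part of its baseline."""
    findings = []
    for ev in events:
        if ev["id"] == LOG_CLEARED:
            findings.append({"host": ev["host"], "sev": "high", "why": "audit log cleared"})
        elif ev["id"] == PROCESS_CREATED:
            exe = exe_name(ev["cmd"])
            if exe in WATCHLIST:
                sev = "low" if exe in baseline.get(ev["host"], set()) else "medium"
                findings.append({"host": ev["host"], "sev": sev, "why": f"{exe} executed"})
    return findings

# Constructed sample telemetry (not real logs).
HISTORY = [{"host": "admin01", "id": 4688, "cmd": r"C:\Windows\System32\netsh.exe interface show interface"}]
NEW = [
    {"host": "admin01", "id": 4688, "cmd": r"netsh.exe interface show interface"},
    {"host": "ws07", "id": 4688, "cmd": r'"C:\Windows\System32\wbem\WMIC.exe" os get caption'},
    {"host": "ws07", "id": 1102, "cmd": ""},
    {"host": "ws07", "id": 4688, "cmd": r"C:\Windows\explorer.exe"},
]
```

Running `triage(NEW, build_baseline(HISTORY))` yields a low-severity note for the admin host’s routine netsh use, a medium one for the first WMI tool execution on ws07, and a high one for the cleared audit log on the same host.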

Read the full report here.

