Chinese Hackers Attack US Critical Infrastructure Using Network Administration Tools

The US and global cybersecurity agencies have issued a joint advisory to bring attention to the activities of “Volt Typhoon,” a state-sponsored cyber actor from China.

The impact of this activity on networks across critical infrastructure sectors in the United States has been acknowledged by private-sector collaborators.

However, it’s believed that to target both of these sectors and others on a global scale, similar methodologies could be used by the threat actors.

Security Agencies Involved

Here below we have mentioned all the cybersecurity agencies that are involved in this joint advisory:-

• The United States National Security Agency (NSA)
• The U.S. Cybersecurity and Infrastructure Security Agency (CISA)
• The U.S. Federal Bureau of Investigation (FBI)
• The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC)
• The Communications Security Establishment’s Canadian Centre for Cyber Security (CCCS)
• The New Zealand National Cyber Security Centre (NCSC-NZ)
• The United Kingdom National Cyber Security Centre (NCSC-UK)

A significant modus operandi of the actor involves employing the “living off the land” technique, leveraging preexisting network administration tools to accomplish their objectives.

This technique enables the actor to remain undetected by seamlessly integrating with standard Windows operations, bypassing EDR systems that would flag the presence of external applications, and minimizing recorded activity in default logs.

Built-in Tools Used

Here below we have mentioned some of the built-in tools that this actor uses are:- 

• wmic
• ntdsutil
• netsh
• PowerShell

By leveraging their understanding of the system and baseline behavior, defenders are required to assess matches and ascertain their significance.

Moreover, the network defenders need to consider the variability in command string arguments when devising detection logic using these commands. 

While this includes accounting for differences in elements like utilized ports, which may vary across different environments.

Mitigations

While apart from this, the authoring agencies have strongly advised organizations to immediately incorporate the following measures in order to enhance their security:-

• Harden domain controllers, monitor event logs for suspicious process creations like ntdsutil.exe, and audit administrator privileges for command validation.
• Limit and enable port proxy usage as needed within environments.
• Investigate unusual IP addresses and ports in command lines, registry entries, and firewall logs to identify potentially involved hosts.
• Make sure to review perimeter firewall configurations for unauthorized changes and external access to internal hosts.
• Detect abnormal account activity, like off-hour logons and impossible time-and-distance logons.
• Forward log files to a hardened centralized logging server on a segmented network.

Common Security Challenges Facing CISOs? – Download Free CISO’s Guide