US and global cybersecurity agencies issue a joint advisory, shedding light on the activities of a state-sponsored cyber actor called “Volt Typhoon” originating from China.
The impact of Volt Typhoon’s actions on critical infrastructure networks in the United States has been acknowledged by private-sector collaborators. This advisory emphasizes that similar methodologies could be employed by the threat actors to target various sectors globally.
Security Agencies Involved
Several renowned cybersecurity agencies collaborated in issuing this joint advisory. They include:
- The United States National Security Agency (NSA)
- The U.S. Cybersecurity and Infrastructure Security Agency (CISA)
- The U.S. Federal Bureau of Investigation (FBI)
- The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC)
- The Communications Security Establishment’s Canadian Centre for Cyber Security (CCCS)
- The New Zealand National Cyber Security Centre (NCSC-NZ)
- The United Kingdom National Cyber Security Centre (NCSC-UK)
Leveraging the “Living off the Land” Technique
One significant approach employed by Volt Typhoon involves the utilization of the “living off the land” technique.
This technique relies on network administration tools already present on the system to achieve the actor’s objectives, enabling it to operate discreetly. By blending in with standard Windows operations, the actor can bypass EDR systems that would typically flag the presence of external applications. Furthermore, its footprint in default logs is minimal, making its actions harder to track.
Built-in Tools Leveraged by Volt Typhoon
The threat actors employ various built-in tools to carry out their malicious activities. Some of the tools identified are:
Challenges for Defenders
Matching Baseline Behavior and Command Variability
Defenders face the challenge of assessing matches between normal system behavior and the activities performed by Volt Typhoon.
It is crucial to determine the significance of these matches accurately. Additionally, defenders must consider the variability in command string arguments while developing detection strategies using the aforementioned tools. Factors like utilized ports may differ across different environments, necessitating adaptability in detection logic.
Mitigations Recommended by Authoring Agencies
The authoring agencies strongly advise organizations to implement the following measures promptly to enhance their security posture:
- Harden domain controllers, monitor event logs for suspicious process creations (e.g., ntdsutil.exe), and audit any use of administrator privileges to validate that the commands executed are legitimate.
- Limit port proxy usage within environments and enable it only for the period in which it is required.
- Investigate command lines, registry entries, and firewall logs for unusual IP addresses and ports to identify potentially compromised hosts.
- Regularly review perimeter firewall configurations to detect unauthorized changes and external access to internal hosts.
- Monitor and detect abnormal account activity, such as off-hour logons and impossible time-and-distance logons.
- Implement a practice of forwarding log files to a hardened centralized logging server on a segmented network.
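The two detection points above (ntdsutil.exe process creations and port proxy usage found in command lines) worked through on constructed process-creation events, written to cope with the argument variability the advisory warns about: matching is case-insensitive and independent of key=value order, and the expected proxy destinations come from a per-environment allowlist rather than fixed ports. This is an added example, not code from the advisory or the authoring agencies; the log format, host and user names, addresses, and the allowlist are assumptions, and Windows’ built-in netsh portproxy is assumed as the port proxy mechanism.

```python
import re
from dataclasses import dataclass

# Constructed 4688-style process-creation events: host|user|image path|command line
SAMPLE_EVENTS = [
    "DC01|CORP\\svc_backup|C:\\Windows\\System32\\ntdsutil.exe|ntdsutil \"ac i ntds\" ifm \"create full C:\\Temp\\x\" q q",
    "WS07|CORP\\jdoe|C:\\Windows\\System32\\netsh.exe|netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5 connectport=8443",
    "WS07|CORP\\jdoe|C:\\Windows\\System32\\netsh.exe|netsh INTERFACE PORTPROXY ADD V4TOV4 connectaddress=203.0.113.7 listenaddress=0.0.0.0 connectport=443 listenport=50000",
    "WS02|CORP\\admin|C:\\Windows\\System32\\netsh.exe|netsh advfirewall show allprofiles",
    "WS03|CORP\\jdoe|C:\\Program Files\\App\\app.exe|app.exe --serve",
]

# Assumed per-environment allowlist: port proxy destinations that are expected here.
# Ports differ between environments, so this is configuration, not part of the rule.
ALLOWED_PROXY_TARGETS = {("10.0.0.5", "8443")}

PORTPROXY_RE = re.compile(r"\bportproxy\s+add\b", re.I)
KV_RE = re.compile(r"(listenaddress|listenport|connectaddress|connectport)=(\S+)", re.I)


@dataclass
class Finding:
    host: str
    user: str
    rule: str
    detail: str


def parse_event(line):
    """Split one constructed log line into its fields."""
    host, user, image, cmdline = line.split("|", 3)
    return {"host": host, "user": user, "image": image.lower(), "cmdline": cmdline}


def evaluate(event):
    """Return the findings for one process-creation event."""
    findings = []
    image_name = event["image"].rsplit("\\", 1)[-1]
    if image_name == "ntdsutil.exe":  # any ntdsutil.exe creation is worth a look
        findings.append(Finding(event["host"], event["user"], "ntdsutil_exec", event["cmdline"]))
    if image_name == "netsh.exe" and PORTPROXY_RE.search(event["cmdline"]):
        kv = {k.lower(): v for k, v in KV_RE.findall(event["cmdline"])}
        target = (kv.get("connectaddress", "?"), kv.get("connectport", "?"))
        if target not in ALLOWED_PROXY_TARGETS:
            detail = f"listen {kv.get('listenport', '?')} -> {target[0]}:{target[1]}"
            findings.append(Finding(event["host"], event["user"], "unexpected_portproxy", detail))
    return findings


def scan(lines):
    """Run every event through the rules and collect the findings."""
    return [f for line in lines for f in evaluate(parse_event(line))]
```

Real deployments would read the same fields from Security event 4688 or Sysmon event 1 forwarded to the central log server, with the allowlist maintained per environment.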
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among other certifications, he holds CISSP, CISA, CISM, ITIL, COBIT and PRINCE2, but his broad knowledge and technical management capabilities go beyond these certifications. He enjoys acquiring new skills in penetration testing, cloud technologies, virtualization, network security, IoT and many more.