ACSC releases joint advisory against China state-sponsored cyber actor

The Australian Cyber Security Centre (ACSC) has released a joint advisory to highlight a recently discovered cluster of activity “associated with a People’s Republic of China (PRC) state-sponsored cyber actor”, also known as Volt Typhoon.

The People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection joint advisory, released by the ACSC together with international partners, aims to provide an overview of best practices, focusing on detecting the cyber actor’s activity. It also offers examples of the cyber actor’s commands, along with detection signatures, to aid network defenders in hunting for this activity.

The ACSC said it believed that the actor could apply the same techniques, which had been used to target US critical infrastructure networks and had been discovered by private sector partners, against any sector anywhere in the world. These techniques may include ‘living off the land’ attacks, which exploit native and legitimate tools already present on the victim’s system to carry out the attack.

These tools can evade detection by blending in with normal Windows system and network activity, the ACSC said.

They can also evade endpoint detection and response (EDR) products, which would typically alert on the introduction of third-party applications to a host, and they limit the amount of activity captured in default logging configurations.

“Many of the behavioural indicators included can also be legitimate system administration commands that appear in benign activity,” the ACSC said in its release.

It further warned that “[care] should be taken not to assume that findings are malicious without further investigation or other indications of compromise”.

The international partners include the United States National Security Agency (NSA), the US Cybersecurity and Infrastructure Security Agency (CISA), the US Federal Bureau of Investigation (FBI), the Communications Security Establishment’s Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), and the United Kingdom National Cyber Security Centre (NCSC-UK).

The joint advisory aims not only to help network defenders detect this activity on their systems, but also to provide several network and host artefacts associated with this activity following a network compromise, with a focus on command lines used by the cyber actor.

“Especially for living off the land techniques, it is possible that some command lines might appear on a system as the result of benign activity and would be false positive indicators of malicious activity,” the ACSC said in the summary of the joint advisory.

“Defenders must evaluate matches to determine their significance, applying their knowledge of the system and baseline behaviour.”

“Additionally, if creating detection logic based on these commands, network defenders should account for variability in command string arguments, as items such as ports used may differ across environments.”
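The two caveats in that summary (check matches against baseline behaviour, and allow for variable command arguments such as ports) as an added example that is not part of the advisory or this article: a small Python classifier over constructed Windows process-creation events. The rule names, hosts, users, addresses and ports are all constructed for the example, and a hit is labelled for review rather than declared malicious.

```python
import re

# Constructed detection rules (not the advisory's signatures). Variable
# arguments such as ports, addresses and task names are wildcarded so the
# rule survives the per-environment differences the advisory warns about.
RULES = {
    "netsh_portproxy_add": re.compile(
        r"\bnetsh\b.*\bportproxy\b.*\badd\b.*\blistenport=\d+\b.*\bconnectport=\d+\b",
        re.IGNORECASE),
    "schtasks_create": re.compile(
        r"\bschtasks(?:\.exe)?\b.*\s/create\b.*\s/tn\s+\S+", re.IGNORECASE),
}

# Per-host baseline of rule hits known to be documented admin activity.
# Constructed here; in practice it comes from knowledge of the environment.
BASELINE = {("jump01", "netsh_portproxy_add")}


def classify(event, rules=RULES, baseline=BASELINE):
    """Return None if no rule matches, else a finding whose status is
    'baseline' (expected on this host) or 'review' (needs an analyst)."""
    hits = [name for name, rx in rules.items() if rx.search(event["cmd"])]
    if not hits:
        return None
    expected = all((event["host"], name) in baseline for name in hits)
    return {"host": event["host"], "user": event["user"],
            "rules": hits, "status": "baseline" if expected else "review"}


# Constructed process-creation events; every host, user, address and port
# below is made up for the example.
EVENTS = [
    {"host": "jump01", "user": "svc_admin",
     "cmd": "netsh interface portproxy add v4tov4 listenport=8443 "
            "connectaddress=10.10.1.20 connectport=443"},
    {"host": "ws17", "user": "jdoe",
     "cmd": "netsh interface portproxy add v4tov4 listenport=9999 "
            "connectaddress=192.0.2.7 connectport=8080"},
    {"host": "ws17", "user": "jdoe",
     "cmd": "SCHTASKS /Create /TN UpdateCheck /TR C:\\tools\\check.exe /SC DAILY"},
    {"host": "ws17", "user": "jdoe",
     "cmd": "netsh interface portproxy show all"},  # no rule should fire
]


def run(events=EVENTS):
    """Classify every event and return only the findings, in input order."""
    return [finding for finding in map(classify, events) if finding]


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

The same regex fires on both portproxy events despite different ports, and only the one from the baselined host is marked as expected.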