International agencies unite to address growing cybersecurity concerns
In a groundbreaking collaboration, cybersecurity authorities from the United States and around the world have issued a joint advisory to raise awareness of a significant cybersecurity threat posed by a state-sponsored cyber actor known as Volt Typhoon. This collective effort involves the United States National Security Agency (NSA), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Federal Bureau of Investigation (FBI), along with agencies from Australia, Canada, New Zealand, and the United Kingdom.
The advisory, titled “Unmasking Volt Typhoon: A State-Sponsored Cyber Threat,” sheds light on the recent discovery of a cluster of activities associated with this People’s Republic of China (PRC) cyber actor. Networks across critical infrastructure sectors in the United States have been affected, and there are concerns that the same techniques could be deployed against other sectors globally.
Living off the land, a primary tactic employed by Volt Typhoon, enables the cyber actor to blend in with regular Windows system and network activities, making it difficult to detect their malicious actions. By utilizing built-in network administration tools such as wmic, ntdsutil, netsh, and PowerShell, Volt Typhoon evades detection by endpoint detection and response (EDR) products and limits the amount of activity captured in default logging configurations.
To assist network defenders in detecting and countering this threat, the joint advisory provides hunting guidance and best practices. It offers examples of the actor’s commands and detection signatures to aid in identifying the malicious activity. It is crucial, however, for defenders to exercise caution and conduct further investigation before classifying findings as malicious, as some indicators may also be part of benign system administration commands.
In addition to highlighting the tactics and techniques employed by Volt Typhoon, the advisory also emphasizes the importance of implementing mitigations to bolster cybersecurity defenses. These recommendations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST), providing organizations with a minimum set of practices and protections to adopt.
Some key mitigations advised by the authoring agencies include hardening domain controllers, monitoring event logs for suspicious process creations, limiting port proxy usage, investigating unusual IP addresses and ports, reviewing firewall configurations, detecting abnormal account activity, forwarding log files to a centralized logging server, and enabling appropriate logging options to capture essential information for detection.
To ensure the integrity and availability of logs, defenders are encouraged to forward log files to a hardened centralized logging server, preferably on a segmented network. This strategy makes it more challenging for threat actors to cover their tracks effectively. Furthermore, monitoring Event ID 1102, which indicates log clearing, and enabling network-level logging on edge devices are vital steps to identify potential exploitation and lateral movement.
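As an added illustration of the hunting guidance summarised above (this is example code written for this page, not part of the advisory or the tools it names), the following script runs two of those checks over a handful of constructed Windows Security event records: Event ID 1102 (audit log cleared) and Event ID 4688 process creations involving the built-in tools the advisory lists, with port proxy configuration treated as the more urgent of the two. The field names (`EventID`, `Host`, `NewProcessName`, `CommandLine`, `SubjectUserName`) and the sample records are assumptions modelled on what a log forwarder typically extracts.

```python
import ntpath

# Built-in Windows administration tools named in the advisory summary. Their
# presence alone is not malicious (they are also used by legitimate admins),
# so hits are items to triage, not verdicts.
LOLBIN_WATCHLIST = {"wmic.exe", "ntdsutil.exe", "netsh.exe", "powershell.exe"}

# Constructed sample records, loosely modelled on forwarded Security events
# (4688 = process creation, 1102 = audit log cleared, 4624 = logon).
SAMPLE_EVENTS = [
    {"EventID": 4688, "Host": "WS01", "NewProcessName": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh interface portproxy add v4tov4 listenport=9999 "
                    "connectaddress=10.0.0.5 connectport=443"},
    {"EventID": 4688, "Host": "DC01", "NewProcessName": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": "ntdsutil.exe"},
    {"EventID": 4688, "Host": "WS02", "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
    {"EventID": 1102, "Host": "DC01", "SubjectUserName": "svc_backup"},
    {"EventID": 4624, "Host": "WS01", "SubjectUserName": "alice"},
]


def classify(event):
    """Return (severity, reason) for one event, or None if there is nothing to review."""
    eid = event.get("EventID")
    if eid == 1102:
        # Log clearing is the signal itself: the advisory flags 1102 as a sign
        # that an actor may be covering their tracks.
        return ("high", f"audit log cleared by {event.get('SubjectUserName', '?')}")
    if eid == 4688:
        exe = ntpath.basename(event.get("NewProcessName", "")).lower()
        cmd = event.get("CommandLine", "").lower()
        if exe == "netsh.exe" and "portproxy" in cmd:
            # Port proxy changes are called out specifically; treat as high.
            return ("high", "netsh portproxy configuration change")
        if exe in LOLBIN_WATCHLIST:
            return ("medium", f"built-in admin tool executed: {exe}")
    return None


def hunt(events):
    """Run classify() over a list of event dicts and return the findings in order."""
    findings = []
    for i, ev in enumerate(events):
        hit = classify(ev)
        if hit:
            findings.append({"index": i, "host": ev.get("Host"),
                             "severity": hit[0], "reason": hit[1]})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper()}] {f['host']}: {f['reason']}")
```

Against the sample records this yields three findings (the portproxy change, the ntdsutil execution, and the cleared log); in practice each medium hit still needs the further investigation the advisory asks for before it is classified as malicious.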
The advisory concludes with an Indicators of Compromise (IOCs) summary, which provides insights into the threat actor’s tactics, such as exploiting vulnerabilities, utilizing webshells, leveraging compromised SOHO devices, employing living off the land tools, and the commands used for execution. Defenders are reminded to account for variants in file names and directory paths when performing queries.
As the cybersecurity landscape continues to evolve, this joint international advisory serves as a testament to the global commitment to combating cyber threats. By sharing intelligence, insights, and best practices, countries can collectively enhance their defenses and protect critical infrastructure from the ever-present danger of state-sponsored cyber actors.
With the combined efforts of cybersecurity authorities worldwide, organizations and network defenders are better equipped to identify, mitigate, and respond to the persistent and evolving threat posed by Volt Typhoon.