VOLT TYPHOON – ‘Living off the Land’ – Tactics, Techniques and Procedures
On the 23rd of May, CISA, together with a number of other cyber security agencies, issued a joint Cybersecurity Advisory highlighting a recently discovered cluster of activity associated with a People’s Republic of China (PRC) state-sponsored cyber actor known as Volt Typhoon.
According to available information, Volt Typhoon emerged in mid-2021 and has been involved in targeted activities against critical infrastructure organizations in Guam and various parts of the United States. The affected sectors include communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education.
The recently observed activity affects the same sectors as before, and the authoring cyber security agencies believe the actor could apply the same techniques against these and other sectors in other countries around the globe.
The observed behaviour of Volt Typhoon indicates a focus on espionage, aiming to gather sensitive information while evading detection for an extended period. Their intent appears to be maintaining persistent access to the compromised systems and networks.
One of the actor’s primary tactics, techniques, and procedures (TTPs) is ‘living off-the-land’.
‘Living off-the-land’ refers to a set of tactics that malicious actors employ to carry out cyber attacks using legitimate tools and software already present on a compromised system, rather than relying on custom-built malware.
The goal of ‘living off-the-land’ techniques is to make it harder for security defenses to detect and block malicious activities. By utilizing trusted applications and existing system utilities, attackers can blend in with normal Windows system and network activities, avoid endpoint detection and response (EDR) products that would alert on the introduction of third-party applications to the host, and limit the amount of activity that is captured in default logging configurations.
Some common examples of ‘living off-the-land’ techniques include:
1. PowerShell Abuse: PowerShell is a legitimate scripting framework present in Windows systems. Attackers may exploit PowerShell to execute malicious commands, download additional payloads, or carry out other malicious activities.
2. WMI (Windows Management Instrumentation) Abuse: WMI is a management framework in Windows that provides administrators with powerful capabilities. However, attackers can abuse WMI to execute commands, gather information, or even establish persistence on a compromised system.
3. Credential Dumping: Attackers may use tools like Mimikatz to extract credentials from compromised systems. These stolen credentials can then be used to move laterally within a network or gain unauthorized access to other systems.
4. Network Shell (netsh) Abuse: netsh is a legitimate Windows command-line utility for viewing and changing network configuration. Attackers may abuse it, for example to configure port proxies that relay traffic between hosts, because such changes are made with a built-in tool and leave little trace in default logging.
Furthermore, Volt Typhoon employs techniques to camouflage its activities within regular network traffic. This involves routing their communication through compromised small office and home office (SOHO) network equipment, such as routers, firewalls, and VPN hardware. By leveraging these compromised devices, they aim to avoid suspicion and blend in with legitimate network behaviour.
To enhance their covert operations, Volt Typhoon has been observed utilizing modified versions of open-source tools. These customized tools enable them to establish a command and control (C2) channel through a proxy, further evading detection and maintaining their presence undetected.
The advisory is designed to help network defenders hunt for this activity on their systems.
It provides many network and host artifacts associated with the activity occurring after the network has been initially compromised, with a focus on command lines used by the cyber actor.
However, caution is advised: with ‘living off-the-land’ techniques, some of these command lines may appear on a system as the result of benign activity and would then be false positive indicators of malicious activity. Defenders must evaluate each match to determine its significance, applying their knowledge of the system and its baseline behaviour.
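The following is an added illustration, not code from the advisory or from the authoring agencies, of how the command-line hunting described above can be applied to process-creation logs while respecting the false-positive caveat: it flags the port proxy, remote WMI and encoded PowerShell patterns from the techniques listed earlier, extracts the addresses and ports for the follow-up investigation the mitigations recommend, and marks matches from a known-good baseline as expected. The event records, host names, users, addresses and the baseline set are all constructed placeholders.

```python
import re

# Constructed sample process-creation records (fields as a SIEM might export them);
# hosts, users and addresses are placeholders, not indicators from the advisory.
SAMPLE_EVENTS = [
    {"host": "dc01", "user": "CORP\\svc_backup",
     "cmd": "netsh interface portproxy add v4tov4 listenport=9999 listenaddress=0.0.0.0 "
            "connectport=8443 connectaddress=192.0.2.10"},
    {"host": "ws17", "user": "CORP\\jdoe",
     "cmd": "wmic /node:198.51.100.7 process call create \"cmd.exe /c whoami\""},
    {"host": "ws17", "user": "CORP\\jdoe", "cmd": "powershell.exe -NoProfile -Command Get-Process"},
    {"host": "ws22", "user": "CORP\\jdoe", "cmd": "powershell.exe -NonInteractive -enc <base64-placeholder>"},
    {"host": "mgmt01", "user": "CORP\\netops",
     "cmd": "netsh interface portproxy add v4tov4 listenport=8080 connectport=80 connectaddress=10.0.5.20"},
]

# Assumed baseline: (host, user) pairs known to configure port proxies legitimately.
PORTPROXY_BASELINE = {("mgmt01", "CORP\\netops")}

# Rule name -> pattern over the command line. Deliberately narrow so that ordinary
# PowerShell and WMI administration does not fire; only the remote/relay/obfuscated forms do.
RULES = {
    "netsh_portproxy": re.compile(r"\bnetsh\b.*\bportproxy\b", re.I),
    "wmic_remote_exec": re.compile(r"\bwmic\b.*/node:", re.I),
    "powershell_encoded": re.compile(r"\bpowershell(?:\.exe)?\b.*\s-e(?:nc|ncodedcommand)?\b", re.I),
}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PORT = re.compile(r"(?:listenport|connectport)=(\d+)", re.I)

def hunt(events, baseline=PORTPROXY_BASELINE):
    """Return one finding per matching event, tagged 'baseline' when it is expected activity."""
    findings = []
    for ev in events:
        for rule, pat in RULES.items():
            if not pat.search(ev["cmd"]):
                continue
            expected = rule == "netsh_portproxy" and (ev["host"], ev["user"]) in baseline
            findings.append({
                "host": ev["host"], "user": ev["user"], "rule": rule,
                "status": "baseline" if expected else "investigate",
                # Addresses and ports pulled from the command line are the pivot into
                # registry entries and firewall logs for other potentially involved hosts.
                "ips": IPV4.findall(ev["cmd"]), "ports": PORT.findall(ev["cmd"]),
            })
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```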
For a full list of examples of network and host artifacts and a summary of Indicators of compromise (IOCs) follow the link in the ‘About this article’ section below.
The authoring agencies recommend organizations implement the mitigations below to improve their cybersecurity posture on the basis of the threat actor’s activity:
- Defenders should harden domain controllers and monitor event logs for exe and similar process creations. Additionally, any use of administrator privileges should be audited and validated to confirm the legitimacy of executed commands.
- Administrators should limit port proxy usage within environments and only enable them for the period of time in which they are required.
- Defenders should investigate unusual IP addresses and ports in command lines, registry entries, and firewall logs to identify other hosts that are potentially involved in actor actions.
- In addition to host-level changes, defenders should review perimeter firewall configurations for unauthorized changes and/or entries that may permit external connections to internal hosts.
- Defenders should also look for abnormal account activity, such as logons outside of normal working hours and impossible time-and-distance logons (e.g., a user logging on from two geographically separated locations at the same time).
- Defenders should forward log files to a hardened centralized logging server, preferably on a segmented network.
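As an added example of the abnormal account activity check in the mitigations above (not code from the advisory), the script below runs two tests over logon records: logons outside an assumed working-hours baseline, and impossible time-and-distance logons, computed as the great-circle speed a user would have needed between two consecutive logons. The records, users and coordinates are constructed, and the source IPs are assumed to have been geolocated upstream.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed logon records (UTC timestamps, source already geolocated upstream by an
# assumed GeoIP lookup); users and coordinates are placeholders, not advisory data.
SAMPLE_LOGONS = [
    {"user": "jdoe", "time": "2023-05-24T08:05:00", "lat": 51.51, "lon": -0.13},    # London
    {"user": "jdoe", "time": "2023-05-24T08:50:00", "lat": 40.71, "lon": -74.01},   # New York
    {"user": "asmith", "time": "2023-05-24T09:00:00", "lat": 51.51, "lon": -0.13},  # London
    {"user": "asmith", "time": "2023-05-24T18:30:00", "lat": 48.86, "lon": 2.35},   # Paris
    {"user": "svc_backup", "time": "2023-05-24T02:10:00", "lat": 51.51, "lon": -0.13},
]
WORK_HOURS = range(7, 20)   # assumed baseline: logons between 07:00 and 19:59 are normal
MAX_SPEED_KMH = 900.0       # faster than an airliner between two logons counts as impossible

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points (Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def detect(logons, work_hours=WORK_HOURS, max_speed=MAX_SPEED_KMH):
    """Return (user, reason) alerts for off-hours logons and impossible travel, in time order."""
    alerts, last = [], {}
    for rec in sorted(logons, key=lambda r: r["time"]):
        t = datetime.fromisoformat(rec["time"])
        if t.hour not in work_hours:
            alerts.append((rec["user"], "off_hours_logon"))
        prev = last.get(rec["user"])
        if prev is not None:
            pt, plat, plon = prev
            km = haversine_km(plat, plon, rec["lat"], rec["lon"])
            hours = (t - pt).total_seconds() / 3600
            # Zero elapsed time with a non-zero distance is impossible travel as well.
            if km > 0 and (hours == 0 or km / hours > max_speed):
                alerts.append((rec["user"], "impossible_travel"))
        last[rec["user"]] = (t, rec["lat"], rec["lon"])
    return alerts

if __name__ == "__main__":
    for user, reason in detect(SAMPLE_LOGONS):
        print(f"{reason}: {user}")
```

A short same-user interval is only suspicious when the distance is large, so the Paris logon nine and a half hours after London is correctly left alone.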
‘Living off-the-land’ techniques pose a challenge for defenders as they exploit trusted resources, making them difficult to detect using traditional security controls. Organizations need to employ advanced security measures, such as behavior-based monitoring, anomaly detection, and robust endpoint protection, to mitigate the risk of such attacks.
It’s important to stay updated with the latest cybersecurity practices and maintain a strong security posture to protect against living off-the-land techniques and other evolving attack methods.