NEWS | May 24, 2023

NSA and Partners Identify China State-Sponsored Cyber Actor Using Built-in Network Tools When Targeting U.S. Critical Infrastructure Sectors

National Security Agency/Central Security Service

The National Security Agency (NSA) and partners have identified indicators of compromise (IOCs) associated with a People’s Republic of China (PRC) state-sponsored cyber actor using living off the land techniques to target networks across U.S. critical infrastructure.

“Cyber actors find it easier and more effective to use capabilities already built into critical infrastructure environments. A PRC state-sponsored actor is living off the land, using built-in network tools to evade our defenses and leaving no trace behind,” said Rob Joyce, NSA Cybersecurity Director. “That makes it imperative for us to work together to find and remove the actor from our critical networks.”

To assist network defenders in hunting for and detecting this type of malicious PRC actor activity on their systems, NSA is leading U.S. and Five Eyes partner agencies in publicly releasing the “People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection” Cybersecurity Advisory (CSA) today. The partner agencies include:

• U.S. Cybersecurity and Infrastructure Security Agency (CISA)
• U.S. Federal Bureau of Investigation (FBI)
• Australian Cyber Security Centre (ACSC)
• Canadian Centre for Cyber Security (CCCS)
• New Zealand National Cyber Security Centre (NCSC-NZ)
• United Kingdom National Cyber Security Centre (NCSC-UK)

“For years, China has conducted operations worldwide to steal intellectual property and sensitive data from critical infrastructure organizations around the globe,” said Jen Easterly, CISA Director. “Today’s advisory, put out in conjunction with our US and international partners, reflects how China is using highly sophisticated means to target our nation’s critical infrastructure. This joint advisory will give network defenders more insights into how to detect and mitigate this malicious activity. At the same time, we must recognize the agility and capability of PRC cyber actors, and continue to focus on strong cybersecurity practices like network segmentation and ongoing investments in promoting the resilience of critical functions under all conditions. As our nation’s cyber defense agency, CISA stands ready to aid any organization affected and we encourage all organizations to visit our webpage for guidance and resources to make their networks more resilient.”

“The FBI continues to warn against China engaging in malicious activity with the intent to target critical infrastructure organizations and use identified techniques to mask their detection,” said Bryan Vorndran, the FBI’s Cyber Division Assistant Director. “We, along with our federal and international partners, will not allow the PRC to continue to use these unacceptable tactics. The FBI strives to share information with our private sector partners and the public to ensure they can better protect themselves from this targeted malicious activity.”

“It is vital that operators of critical national infrastructure take action to prevent attackers hiding on their systems, as described in this joint advisory with our international partners,” said Paul Chichester, NCSC Director of Operations. “We strongly encourage UK essential service providers to follow our guidance to help detect this malicious activity and prevent persistent compromise.”

“The Canadian Centre for Cyber Security joins its international partners in sharing this newly identified threat and accompanying mitigation measures with critical infrastructure sectors,” said Sami Khoury, Head of the Canadian Centre for Cyber Security. “The interconnected nature of our infrastructures and economies highlights the importance of working together with our allies to identify and share real-time threat information.”

The CSA provides an overview of hunting guidance and associated best practices. It includes examples of the actor’s commands and detection signatures. The authoring agencies also include a summary of indicator of compromise (IOC) values, such as unique command-line strings, hashes, file paths, exploitation of the CVE-2021-40539 and CVE-2021-27860 vulnerabilities, and file names commonly used by this actor.

As one of its primary tactics, techniques, and procedures (TTPs), living off the land, the PRC actor uses tools already installed on or built into a target’s system. This allows the actor to evade detection by blending in with normal Windows system and network activity, avoiding endpoint detection and response (EDR) products, and limiting the amount of activity that is captured in default logging configurations.

NSA recommends network defenders apply the detection and hunting guidance in the CSA, such as logging and monitoring of command line execution and WMI events, as well as ensuring log integrity by using a hardened centralized logging server, preferably on a segmented network.

Defenders should also monitor logs for Event ID 1102, which is generated when the audit log is cleared.

The behavioral indicators noted in the CSA can also be legitimate system administration commands that appear in benign activity. Defenders must evaluate matches to determine the significance, applying their knowledge of the system and baseline behavior.
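The three points above (log command-line execution, watch for Event ID 1102, and judge matches against a known baseline) can be put into a single triage pass over centrally collected logs. The script below is an added illustration written for this page, not code from the CSA or from NSA: the log records, hostnames, accounts and the baseline are all constructed, and the watchlist of built-in tools is a stand-in for whatever an organization decides to review, not the advisory’s IOC list. It assumes process creation auditing (Event ID 4688) with command-line logging is enabled and that records arrive as one JSON object per line.

```python
"""Triage constructed Windows Security log records for the signals the release
calls out: audit-log clearing (Event ID 1102) and command-line execution of
built-in tools (Event ID 4688 with command-line auditing enabled), judged against
a per-environment baseline so that routine administration is not alerted on.
Illustrative example only; not code from the advisory."""
import json
from dataclasses import dataclass

# Constructed sample: records as a centralized log server might export them
# (newline-delimited JSON). Hosts, users and timestamps are made up.
SAMPLE_LOG = r"""
{"EventID": 4688, "Host": "ws-017", "SubjectUserName": "jdoe", "NewProcessName": "C:\\Windows\\System32\\wmic.exe", "CommandLine": "wmic process list brief", "TimeCreated": "2023-05-20T09:14:03Z"}
{"EventID": 4688, "Host": "admin-jump01", "SubjectUserName": "svc_inventory", "NewProcessName": "C:\\Windows\\System32\\wmic.exe", "CommandLine": "wmic os get caption", "TimeCreated": "2023-05-20T09:15:00Z"}
{"EventID": 4688, "Host": "ws-017", "SubjectUserName": "jdoe", "NewProcessName": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe", "TimeCreated": "2023-05-20T09:16:30Z"}
{"EventID": 1102, "Host": "ws-017", "SubjectUserName": "jdoe", "TimeCreated": "2023-05-20T09:20:11Z"}
"""

# Constructed baseline of (host, account) pairs known to run built-in tools as
# part of routine administration. In practice this comes from an organization's
# own asset and change records; it is the "knowledge of the system and baseline
# behavior" the release asks defenders to apply before acting on a match.
BASELINE_ADMIN = {("admin-jump01", "svc_inventory")}

# Built-in Windows tools whose command-line use merits review when it comes from
# outside the baseline. Constructed watchlist, not the advisory's IOC list.
WATCHED_TOOLS = {"wmic.exe", "netsh.exe", "reg.exe"}


@dataclass(frozen=True)
class Finding:
    severity: str
    host: str
    user: str
    reason: str


def parse_records(text):
    """Parse newline-delimited JSON records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a corrupt line should not abort the whole triage run
    return records


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(records, baseline=BASELINE_ADMIN, watched=WATCHED_TOOLS):
    """Emit findings: every 1102 is high severity; a watched built-in tool run
    by a (host, account) pair outside the baseline is medium severity."""
    findings = []
    for rec in records:
        host = rec.get("Host", "?")
        user = rec.get("SubjectUserName", "?")
        event_id = rec.get("EventID")
        if event_id == 1102:
            # Clearing the Security log has no routine justification on most hosts.
            findings.append(Finding("high", host, user,
                                    "Security audit log cleared (Event ID 1102)"))
        elif event_id == 4688:
            tool = basename(rec.get("NewProcessName", ""))
            if tool in watched and (host, user) not in baseline:
                findings.append(Finding("medium", host, user,
                                        f"{tool} run outside baseline: {rec.get('CommandLine', '')}"))
    return findings


def hosts_to_prioritize(findings):
    """Hosts that show both a log-clearing event and out-of-baseline tool use;
    these are the ones to examine first."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.severity)
    return sorted(h for h, sev in by_host.items() if {"high", "medium"} <= sev)


if __name__ == "__main__":
    found = triage(parse_records(SAMPLE_LOG))
    for f in found:
        print(f"[{f.severity}] {f.host} {f.user}: {f.reason}")
    print("prioritize:", hosts_to_prioritize(found))
```

On the constructed sample the inventory account on the jump host is silently accepted because it is in the baseline, the workstation user running the same tool is flagged at medium, the 1102 on that workstation is flagged at high, and the correlation step singles out that one host. Adding a (host, account) pair to the baseline suppresses the medium finding without hiding the 1102, which is the intended asymmetry: tool usage is context-dependent, log clearing is not.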

Read the full report here.

Visit our full library for more cybersecurity information and technical guidance.


NSA Media Relations
MediaRelations@nsa.gov
443-634-0721
