
posted by janrinok on Tuesday May 30 2023, @06:53PM   Printer-friendly
from the fact-is-becoming-more-like-fiction dept.

https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF

Volt Typhoon, the name Microsoft uses for a PRC state-sponsored actor it reported targeting critical infrastructure in Guam and elsewhere, is the subject of a joint Five Eyes advisory released May 24, 2023. NSA is leading U.S. and Five Eyes partner agencies in publicly releasing the "People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection" Cybersecurity Advisory (CSA). The partner agencies include:

• U.S. Cybersecurity and Infrastructure Security Agency (CISA)
• U.S. Federal Bureau of Investigation (FBI)
• Australian Cyber Security Centre (ACSC)
• Canadian Centre for Cyber Security (CCCS)
• New Zealand National Cyber Security Centre (NCSC-NZ)
• United Kingdom National Cyber Security Centre (NCSC-UK)

"For years, China has conducted operations worldwide to steal intellectual property and sensitive data from critical infrastructure organizations around the globe," said Jen Easterly, CISA Director.

[...] One of the actor's primary tactics, techniques, and procedures (TTPs) is living off the land, which uses built-in network administration tools to perform their objectives. This TTP allows the actor to evade detection by blending in with normal Windows system and network activities, avoid endpoint detection and response (EDR) products that would alert on the introduction of third-party applications to the host, and limit the amount of activity that is captured in default logging configurations. Some of the built-in tools this actor uses are: wmic, ntdsutil, netsh, and PowerShell. The advisory provides examples of the actor's commands along with detection signatures to aid network defenders in hunting for this activity.
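The summary names four built-in tools (wmic, ntdsutil, netsh, PowerShell) and says the advisory ships detection content for them. The following Python hunt is an added example, not code from the advisory or from this page: it runs a handful of editor-written rules over constructed Windows Security-log process-creation (Event ID 4688) records. The sample command lines and the tool/argument patterns are assumptions chosen to illustrate the tool set; the advisory's actual signatures are in the linked PDF. The caveat the summary hints at ("limit the amount of activity that is captured in default logging configurations") applies directly: 4688 carries the command line only when the "Include command line in process creation events" audit policy is enabled, so on a default configuration only the image name (ntdsutil.exe, netsh.exe) is logged and the arguments these rules key on are absent.

```python
"""Hunt for living-off-the-land (LOTL) command lines in Windows
process-creation events (Security log, Event ID 4688).

Added example, not code from the advisory or from the page. The event
records are constructed samples and the rule patterns are the editor's
own illustration of the tool set named in the summary, not published
signatures.
"""
import re
from dataclasses import dataclass

# Constructed sample 4688 records: (record id, parent process, command line).
# The command line is only present in 4688 when command-line auditing is on.
SAMPLE_EVENTS = [
    (1, r"C:\Windows\explorer.exe",
     r'"C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt'),
    (2, r"C:\Windows\System32\cmd.exe",
     r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Windows\Temp\pro" q q'),
    (3, r"C:\Windows\System32\cmd.exe",
     r"netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 "
     r"listenport=9999 connectaddress=10.0.0.5 connectport=8443"),
    (4, r"C:\Windows\System32\cmd.exe",
     r"wmic path win32_logicaldisk get caption,filesystem,freespace,size,volumename"),
    (5, r"C:\Windows\System32\services.exe",
     r"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    # Benign administrative use of the same binary; must not fire.
    (6, r"C:\Windows\System32\cmd.exe",
     r"netsh advfirewall show allprofiles"),
]


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    note: str


# Hypothetical hunting rules keyed on tool + argument, not on the tool alone,
# because every one of these binaries is also used legitimately by admins.
RULES = [
    Rule("ntdsutil_ifm_dump",
         re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b", re.I),
         "ntdsutil 'ifm' writes a full copy of NTDS.dit (domain credential store)"),
    Rule("netsh_portproxy",
         re.compile(r"\bnetsh(\.exe)?\b.*\binterface\s+portproxy\s+add\b", re.I),
         "netsh portproxy turns the host into a TCP relay"),
    Rule("wmic_recon",
         re.compile(r"\bwmic(\.exe)?\b.*(logicaldisk|process\s+call\s+create|"
                    r"ntdomain|useraccount)", re.I),
         "wmic used for host/domain reconnaissance or remote process launch"),
    Rule("powershell_hidden_encoded",
         re.compile(r"\bpowershell(\.exe)?\b.*(-w(indowstyle)?\s+hidden|"
                    r"-enc(odedcommand)?\b)", re.I),
         "hidden-window and/or base64-encoded PowerShell"),
]


def hunt(events):
    """Return [(record_id, rule_name)] for every rule that matches an event's
    command line. Events whose command line is empty (default audit policy)
    can never match: this is the detection gap LOTL relies on."""
    hits = []
    for rec_id, _parent, cmdline in events:
        for rule in RULES:
            if cmdline and rule.pattern.search(cmdline):
                hits.append((rec_id, rule.name))
    return hits


def explain(events):
    """Human-readable report of hits, including the parent process, which is
    often the more telling indicator (cmd.exe spawned from a web server
    worker is not normal administration)."""
    notes = {r.name: r.note for r in RULES}
    by_id = {rec_id: (parent, cmdline) for rec_id, parent, cmdline in events}
    lines = []
    for rec_id, rule_name in hunt(events):
        parent, cmdline = by_id[rec_id]
        lines.append(f"[{rule_name}] record {rec_id} parent={parent}\n"
                     f"    {cmdline}\n    -> {notes[rule_name]}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(explain(SAMPLE_EVENTS))
```

Run as-is it reports four of the six constructed records (the ntdsutil dump, the portproxy relay, the wmic disk enumeration and the hidden encoded PowerShell) and stays silent on notepad.exe and the benign netsh firewall query. To apply it to real data, feed it the ProcessId/ParentProcessName/CommandLine fields of 4688 events (or Sysmon Event ID 1, which always includes the command line) in the same tuple shape.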


  • (Score: 3, Interesting) by RamiK on Tuesday May 30 2023, @07:14PM

    by RamiK (1813) on Tuesday May 30 2023, @07:14PM (#1308932)

    Hang 'em!

    Really now, that PDF is basically describing a script kiddie copy-pasting off a how-to manual they got at some (Chinese?) after-school "cyber" course... Like, I've seen this sort of scripting in vendor software for Rockchip SoCs and the like... I mean, I won't be surprised if all of this traces back to some $20 kit floating around in whatever passes for Tor in China.

    --
    compiling...
  • (Score: 1) by namefags_are_jerks on Tuesday May 30 2023, @07:52PM

    by namefags_are_jerks (17638) on Tuesday May 30 2023, @07:52PM (#1308935)

    Again I'm getting the warm fuzzies from someone bringing the old mid-1980s cracker ways into the current age... In essence, "LOTL" is exactly what Marcus Hess got up to.

  • (Score: 2) by looorg on Tuesday May 30 2023, @09:36PM (2 children)

    by looorg (578) on Tuesday May 30 2023, @09:36PM (#1308946)

    Volt Typhoon, that is a cartoon villain's name if I ever heard one. He controls the weather with electricity?

    • (Score: 2) by NateMich on Tuesday May 30 2023, @09:49PM (1 child)

      by NateMich (6662) on Tuesday May 30 2023, @09:49PM (#1308950)

      He's either a jet fighter, or an X-Men character.

  • (Score: 1) by Runaway1956 on Tuesday May 30 2023, @11:04PM (6 children)

    by Runaway1956 (2926) Subscriber Badge on Tuesday May 30 2023, @11:04PM (#1308962) Journal

    Doesn't seem to mean what it used to mean. When you're fighting off wild dogs, coyotes, badgers, skunks and such to eat the food they wanted, THEN you are 'living off the land'.

    • (Score: 3, Interesting) by Mykl on Wednesday May 31 2023, @12:27AM (2 children)

      by Mykl (1112) on Wednesday May 31 2023, @12:27AM (#1308971)

      The mental image that came to mind when I read the headline was the Unabomber.

      I have never heard the term "Living off the Land" used in an IT context before. Sounds like a bunch of crap - all hackers use internal tools on a compromised system to an extent.

      • (Score: 2, Disagree) by zocalo on Wednesday May 31 2023, @07:14AM

        by zocalo (302) on Wednesday May 31 2023, @07:14AM (#1309004)
        The whole summary seems to be a bunch of crap as I also got a similar mental image of some lone individual taking the concept of a "digital nomad" to the ultimate extreme. AFAICT from the linked PDF, "Volt Typhoon" appears to be one of those programmatically generated names for an APT group Microsoft is now using, not an individual with that actual name (or pseudonym) as TFS implies. The group is believed to be a PRC-backed state actor targeting critical infrastructure so, most probably, they are paid by the Chinese government, work some semblance of office hours in a computer lab with their colleagues, and go home each night to do whatever they do for leisure. Not quite as romantic an image, huh?

        "Living off the Land" was a new one in this context to me as well. Apparently, it's a file-less attack vector, that is to say you only use the resources and tools available to you on the target system, without downloading any additional malware or other tools to disk (into system memory is OK), and ideally not generating any unusual system logs as everything initially looks like legit OS behaviour. Basically, relying on a lot of obscure/low-level system management tools and command shells, which sounds like the cracking equivalent of playing an FPS on the extremely hard setting; not necessarily required, but impressive as fsck if you are good at it.
        --
        UNIX? They're not even circumcised! Savages!
      • (Score: 2, Informative) by lars_stefan_axelsson on Wednesday June 07 2023, @01:58PM

        by lars_stefan_axelsson (3590) on Wednesday June 07 2023, @01:58PM (#1310333)

        No, the term has been in use for quite some time now. Here's, e.g., a whitepaper from Symantec from 2019: https://docs.broadcom.com/doc/living-off-the-land-turning-your-infrastructure-against-you-en [broadcom.com]

        --
        Stefan Axelsson
    • (Score: 2) by coolgopher on Wednesday May 31 2023, @01:38AM (1 child)

      by coolgopher (1157) on Wednesday May 31 2023, @01:38AM (#1308977)

      A good farmer keeps the ferals away without a fight. I hear fences are a cool new invention :D

      • (Score: 4, Funny) by Opportunist on Wednesday May 31 2023, @09:25AM

        by Opportunist (5545) on Wednesday May 31 2023, @09:25AM (#1309019)

        Oh you kids with your newfangled intrusion prevention systems.

    • (Score: 2) by Opportunist on Wednesday May 31 2023, @09:23AM

      by Opportunist (5545) on Wednesday May 31 2023, @09:23AM (#1309018)

      When you're fighting off wild dogs, coyotes, badgers, skunks and such to eat the food they wanted, THEN you are 'living off the land'.

      Considering he's fighting off the Five Eyes over their surveillance network... yeah, I guess the comparison is apt.
