SoylentNews

Multinational Man Hunt Underway for a 'Living Off the Land' Hacker Named Volt Typhoon

posted by janrinok on Tuesday May 30, @06:53PM   
from the fact-is-becoming-more-like-fiction dept.

RunningWithWind writes:

https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF

Volt Typhoon is being hunted by the Five Eyes partnership after attacking critical infrastructure in Guam and other locations. NSA is leading U.S. and Five Eyes partner agencies in publicly releasing the "People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection" Cybersecurity Advisory (CSA) today. The partner agencies include:

• U.S. Cybersecurity and Infrastructure Security Agency (CISA)
• U.S. Federal Bureau of Investigation (FBI)
• Australian Cyber Security Centre (ACSC)
• Canadian Centre for Cyber Security (CCCS)
• New Zealand National Cyber Security Centre (NCSC-NZ)
• United Kingdom National Cyber Security Centre (NCSC-UK)

"For years, China has conducted operations worldwide to steal intellectual property and sensitive data from critical infrastructure organizations around the globe," said Jen Easterly, CISA Director.

[...] One of the actor's primary tactics, techniques, and procedures (TTPs) is living off the land, which uses built-in network administration tools to perform their objectives. This TTP allows the actor to evade detection by blending in with normal Windows system and network activities, avoid endpoint detection and response (EDR) products that would alert on the introduction of third-party applications to the host, and limit the amount of activity that is captured in default logging configurations. Some of the built-in tools this actor uses are: wmic, ntdsutil, netsh, and PowerShell. The advisory provides examples of the actor's commands along with detection signatures to aid network defenders in hunting for this activity.

---

Original Submission

• Re:'Living Off the Land' (Score: 2, Disagree) by zocalo on Wednesday May 31, @07:14AM

  by zocalo (302) on Wednesday May 31, @07:14AM (#1309004)

  The whole summary seems to be be a bunch of crap as I also got a similar mental image of some lone individual taking the concept of a "digital nomad" to the ultimate extremes. AFAICT from the linked PDF, "Volt Typhoon" appears to be one of those programatically generated names for an APT group Microsoft is now using, not an individual with that actual name (or pseudonym) as TFS implies. The group is believed to be a PRC-backed state actor targetting critical infrastructure so, most probably, they are paid by the Chinese government, work some semblence of office hours in a computer lab with their colleagues, and go home each night to do whatever they do for leisure. Not quite as romantic an image, huh?
  
  "Living of the Land" was a new one in this context to me as well. Apparently, it's a file-less attack-vector, that is to say you only use the resources and tools available to you on the target system, without downloading any additional malware or other tools to disk (into system memory is OK), and ideally not generating any unusual system logs as everything initially looks like legit OS behaviour. Basically, relying on a lot of obscure/low-level system management tools and command shells, which sounds like the cracking equivalent of playing an FPS on the extremely hard setting; not necessarily required, but impressive as fsck if you are good at it.

  --
  UNIX? They're not even circumcised! Savages!

  Parent

  Starting Score:	1		point
  Moderation		0
  Disagree=1, Total=1
  Extra 'Disagree' Modifier		0
  Karma-Bonus Modifier		+1
  Total Score:		2