The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI), along with the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the Communications Security Establishment’s Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), and the United Kingdom National Cyber Security Centre (NCSC-UK) are publishing a Joint Cybersecurity Advisory today that shares technical details regarding malicious activity by a People’s Republic of China (PRC) state-sponsored cyber actor. This advisory provides the cybersecurity community and critical infrastructure organizations with new insights into the specific tactics, techniques, and procedures used by PRC cyber actors to gain and maintain persistent access into critical infrastructure networks.
The advisory highlights how PRC cyber actors use techniques called living off the land to avoid detection. By using legitimate network administration tools that are already present on the systems they compromise, the actor blends in with normal system and network activity, avoids identification by many endpoint detection and response (EDR) products, and limits the amount of activity that is captured in common logging configurations.
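Because living-off-the-land activity looks like ordinary administration, what defenders actually capture depends on how much detail their hosts log. The following PowerShell audit is an added example, not code from the advisory or from CISA: it checks whether a Windows host records process creation with command lines and PowerShell script block and module logging, the settings most often left off in default configurations. It assumes an elevated session on Windows 10 / Windows Server 2016 or later and a 1 GB Security log size as a reasonable (assumed) minimum.

```powershell
# Added example, not part of the joint advisory. Audits logging settings that make
# living-off-the-land activity visible. Run from an elevated PowerShell session.

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns the DWORD value or $null if the key/value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$minSecurityLogBytes = 1GB   # assumed threshold for this example

$checks = @(
    @{
        Name = 'Process creation auditing enabled (Security event 4688)'
        Test = {
            # auditpol prints the subcategory and its setting, e.g. "Process Creation  Success"
            $out = auditpol /get /subcategory:"Process Creation" 2>$null
            [bool]($out -match 'Success')
        }
    },
    @{
        Name = 'Command line recorded in event 4688'
        Test = {
            (Get-RegistryDword 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' `
                               'ProcessCreationIncludeCmdLine_Enabled') -eq 1
        }
    },
    @{
        Name = 'PowerShell script block logging enabled (event 4104)'
        Test = {
            (Get-RegistryDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' `
                               'EnableScriptBlockLogging') -eq 1
        }
    },
    @{
        Name = 'PowerShell module logging enabled'
        Test = {
            (Get-RegistryDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging' `
                               'EnableModuleLogging') -eq 1
        }
    },
    @{
        Name = "Security log size at least $($minSecurityLogBytes / 1MB) MB"
        Test = {
            $log = Get-WinEvent -ListLog Security -ErrorAction SilentlyContinue
            ($null -ne $log) -and ($log.MaximumSizeInBytes -ge $minSecurityLogBytes)
        }
    }
)

$failures = 0
foreach ($check in $checks) {
    $ok = $false
    try { $ok = [bool](& $check.Test) } catch { $ok = $false }
    if (-not $ok) { $failures++ }
    '{0,-6} {1}' -f ($(if ($ok) { 'PASS' } else { 'FAIL' }), $check.Name)
}

if ($failures -gt 0) {
    Write-Warning "$failures logging setting(s) would leave built-in tool usage largely unrecorded."
}
```

A FAIL on the command-line or script block checks means that, even if process creation is audited, the arguments passed to built-in tools are not preserved, which is exactly the gap that makes living-off-the-land activity hard to reconstruct after the fact. The settings can be enforced centrally through Group Policy; this script only reports their current state.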
“For years, China has conducted aggressive cyber operations to steal intellectual property and sensitive data from organizations around the globe,” said Jen Easterly, CISA Director. “Today’s advisory highlights China’s continued use of sophisticated means to target our nation’s critical infrastructure, and it gives network defenders important insights into how to detect and mitigate this malicious activity. As our nation’s cyber defense agency, CISA stands ready to support our partners in protecting the critical services our citizens rely on every day from the threat of disruption. We encourage all organizations to review the advisory, take action to mitigate risk, and report any evidence of anomalous activity. We must work together to ensure the security and resilience of our critical infrastructure.”
“Cyber actors find it easier and more effective to use capabilities already built into critical infrastructure environments. A PRC state-sponsored actor is living off the land, using built-in network tools to evade our defenses and leaving no trace behind,” said Rob Joyce, NSA Cybersecurity Director. “That makes it imperative for us to work together to find and remove the actor from our critical networks.”
“The FBI continues to warn against China engaging in malicious activity with the intent to target critical infrastructure organizations and use identified techniques to mask their detection,” said Bryan Vorndran, the FBI’s Cyber Division Assistant Director. “We, along with our federal and international partners, will not allow the PRC to continue to use these unacceptable tactics. The FBI strives to share information with our private sector partners and the public to ensure they can better protect themselves from this targeted malicious activity.”
“It is vital that operators of critical national infrastructure take action to prevent attackers hiding on their systems, as described in this joint advisory with our international partners,” said Paul Chichester, NCSC Director of Operations. “We strongly encourage UK essential service providers to follow our guidance to help detect this malicious activity and prevent persistent compromise.”
“The Canadian Centre for Cyber Security (part of the Communications Security Establishment) joins its international partners in sharing this newly identified threat and accompanying mitigation measures with critical infrastructure sectors,” said Sami Khoury, Head of the Canadian Centre for Cyber Security. “The interconnected nature of our infrastructures and economies highlights the importance of working together with our allies to identify and share real-time threat information.”
The advisory provides technical information that network defenders can use to hunt for malicious cyber activity on their networks, including a summary of relevant indicators of compromise (IOCs) for quick reference. Recommended mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA to help organizations prioritize their investments to most effectively reduce risk. CISA and our partners will continue to provide targeted guidance and capabilities to help organizations address the risk of persistent access by adversaries using living off the land techniques, including through the Remote Monitoring and Management planning effort currently being undertaken by the Joint Cyber Defense Collaborative (JCDC).
CISA, NSA, FBI and international partners urge U.S. and allied governments, critical infrastructure operators, and private sector organizations to apply the recommended mitigations to strengthen their defenses and reduce the threat of compromise from PRC state-sponsored malicious cyber actors. For more information on the PRC cyber threat, visit China Cyber Threat Overview and Advisories.
All organizations should share information on cybersecurity incidents and anomalous activity with CISA. The easiest way is to go to CISA.gov and click the “report a cyber issue” button at the top of the page. You can also reach CISA’s 24/7 Operations Center at [email protected] or (888) 282-0870, or report to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or [email protected].