Chinese State-Sponsored Cyber Actor Detection: Joint Cybersecurity Advisory (CSA) AA23-144a Sheds Light on Stealty Activity by Volt Typhoon Targeting U.S. Critical Infrastructure
Table of contents:
For years, China has been launching offensive operations aimed at collecting intelligence and gathering sensitive data from U.S. and global organizations in multiple industries, with attacks frequently related to nation-backed APT groups, like Mustang Panda or APT41.
On May 24, 2023, NSA, CISA, and FBA, in conjunction with other U.S. and international authoring agencies, issued a joint cybersecurity advisory covering the recently unveiled adversary activity of the China-linked nation-backed APT group tracked as Volt Typhoon. By gaining access to a corporate system, threat actors steal user login details and apply them to expand their access to other networks and maintain persistence, which enables Volt Typhoon to stay longer under the radar. According to the report, adversary activity impacts the U.S. critical infrastructure and poses a serious threat to cyber defenders by potentially expanding its scope of attacks to target multiple industry sectors on a global scale.
Detecting China State-Sponsored Volt Typhoon APT Attacks
In view of the intensifying tensions between the U.S. and China, the advanced persistent threat groups affiliated with the People’s Republic of China (PRC) are turning their sight to the targets within the United States of America. The latest joint advisory by NSA, CISA, FBA, and international authorities reveals a long-lasting cyber-espionage campaign leveraging living-of-the-land techniques to attack the U.S. critical infrastructure sector.
To help organizations detect the malicious activity linked to the Volt Typhoon, SOC Prime’s Platform for collective cyber defense aggregates a set of relevant Sigma rules. All detections are compatible with 25+ SIEM, EDR, and XDR solutions and mapped to MITRE ATT&CK framework v12 to help security professionals streamline the investigation and threat hunting operations.
Press the Explore Detections button below to immediately drill down to a detection content bundle aimed at detecting covert Volt Typhoon attacks leveraging living-off-the-land in the course of the latest intrusions. To simplify the content search, SOC Prime supports filtering by custom tags “AA23-144a” and “RPC” based on the CISA alert and hacking collective geo identifiers.
Equip Your SOC With Unique Detection Rule Set Against Prominent APT Groups Backed by China, Iran, and russia
Witnessing the escalation of the ongoing global cyber war for over a decade, SOC Prime team backed by our Threat Bounty Program members has been continuously analyzing the activities of prominent APT groups worldwide to craft curated detection content and help organizations enhance their cyber defense against state-sponsored threats. Our experts are on the cyber frontline since BlackEnergy attacks and NotPetya outbreak, aggregating the collective industry expertise and developing relevant detection content.
To date, SOC Prime’s Threat Detection Marketplace curates 1,000+ Sigma rules addressing prominent tactics, techniques, and procedures leveraged by Chinese, Iranian, and russian state-sponsored collectives. Using Threat Detection Marketplace powered by vendor-agnostic Sigma standard, SOC teams can be fully armed with the detection content addressing key APT actors’ TTPs regardless of their security solution in use.
The curated list of Sigma rules against Chinese, Iranian, and russian nation-backed hacking collectives is on its way, ready to equip cyber defenders with verified detection algorithms mapped to ATT&CK and convertible to 28 SIEM, EDR, and XDR solutions for proactive cyber defense. Stay tuned to our updates to be the first to unlock the entire collection of 1,000+ Sigma rules against related threats and leave no chance for attackers to strike.
Analysis of Volt Typhoon China-Backed APT Activity Covered in the Lates Joint CSA Alert
U.S. National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Federal Bureau of Investigation (FBI), along with other cybersecurity authorities have recently issued a joint Cybersecurity Advisory (CSA) throwing light on the newly uncovered malicious activity of Volt Typhoon nation-backed hacking collective. The group covered in this report is linked to the People’s Republic of China (PRC) and launches a series of offensive operations targeting networks across U.S. critical infrastructure sectors.
According to research by Microsoft, Volt Typhoon has been performing its offensive operations in the cyber threat arena since 2021, mainly targeting critical infrastructure in Guam and other parts of the U.S. across multiple industry sectors. The identified behavior patterns reveal the attacker’s objectives related to cyber-espionage activity and their focus on maintaining stealth and persistence.
The hacking group largely applies the living-off-the-land TTP from its adversary arsenal abusing built-in network admin tools to achieve its malicious objectives. The latter technique enables attackers to bypass detection by mingling with legitimate Windows systems and regular network operations and to evade EDR solutions. Volt Typhoon leverages PowerShell and a set of Microsoft Windows command-line utilities, like “ntdsutil” and “netsh” tools.
The attack chain involves three stages, including collecting credentials from compromised systems, storing the data in an archive to prepare it for exfiltration, and applying the retrieved credentials for persistence maintenance. At the initial stage, threat actors weaponize a vulnerability in the widely-used FortiGuard cybersecurity suite to gain access to corporate systems. After gaining access to the targeted environment, Volt Typhoon performs a hands-on-keyboard activity and relies on living-off-the-land commands for information search across the compromised networks and data exfiltration.
The CSA advisory covers a list of adversary commands and IOCs that can assist cybersecurity professionals to hunt for threats related to the above-mentioned China-linked APT.
According to the cybersecurity investigation, Volt Typhoon has applied impacted SOHO network devices to hide its malicious activity, which requires the immediate attention of the owners of these devices to prevent exposure to potential infection.
Also, hackers have been observed making attempts to exfiltrate the “ntds.dit” file with the sensitive data about users, groups, and password hashes along with the SYSTEM registry hive from Windows domain controllers. Volt Typhoon tries to generate a Shadow Copy and retrieve a copy of the “ntds.dit” file right from it. Threat actors are capable of performing these malicious operations and stealing user passwords via the Ntdsutil command-line utility that Microsoft Windows Server admins apply to manage AD and its related components, which requires close attention from cyber defenders when executing the tool commands.
To mitigate the risks, cybersecurity researchers also recommend following the guidelines on how to remove threat actors from compromised networks, such as the related CISA’s eviction guidance, as well as following best industry practices to reduce the attack surface and risk-optimize the cybersecurity posture, like enforcing strong multi-factor authentication, restricting port proxy usage within the environments, enabling cloud-delivered protection, and running EDR solutions in block mode, etc.
MITRE ATT&CK Context
To explore the in-depth context behind the ongoing targeted activity of the China-backed Volt Typhoon APT group, all Sigma rules provided within the detection stack above are tagged with MITRE ATT&CK addressing the corresponding tactics and techniques:
Tactics Techniques Sigma Rule Execution Command and Scripting Interpreter (T1059) Windows Management Instrumentation (T1047) Defense Evasion System Binary Proxy Execution (T1218) Virtualization/Sandbox Evasion (T1497) Indicator Removal (T1070) Impair Defenses (T1562) Hide Artifacts (T1564) Obfuscated Files or Information (T1027) Credential Access OS Credential Dumping (T1003) Unsecured Credentials (T1552) Discovery System Information Discovery (T1082) System Owner/User Discovery (T1033) Account Discovery (T1087) Network Service Discovery (T1046) System Network Configuration Discovery (T1016) Collection Archive Collected Data (T1560)