
  2. Feb 7, 2024 · The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) assess that People’s Republic of China (PRC) state-sponsored cyber actors are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.

  3. Mar 19, 2024 · This fact sheet provides an overview for executive leaders on the urgent risk posed by People’s Republic of China (PRC) state-sponsored cyber actors known as “Volt Typhoon.”

    • Summary
    • Technical Details
    • Background
    • Artifacts
    • Mitigations
    • Logging Recommendations
    • Indicators of Compromise (IOCs) Summary
    • Command Execution
    • References
    • Acknowledgements

    The United States and international cybersecurity authorities are issuing this joint Cybersecurity Advisory (CSA) to highlight a recently discovered cluster of activity of interest associated with a People’s Republic of China (PRC) state-sponsored cyber actor, also known as Volt Typhoon. Private sector partners have identified tha...

    This advisory uses the MITRE ATT&CK for Enterprise framework, version 13. See the Appendix: MITRE ATT&CK Techniques for all referenced tactics and techniques.

    The authoring agencies are aware of recent People’s Republic of China (PRC) state-sponsored cyber activity and have identified potential indicators associated with these techniques. This advisory will help net defenders hunt for this activity on their systems. It provides many network and host artifacts associated with the activity occurring after ...

    Network Artifacts

    The actor has leveraged compromised small office/home office (SOHO) network devices as intermediate infrastructure to obscure their activity by having much of the command and control (C2) traffic emanate from local ISPs in the geographic area of the victim. Owners of SOHO devices should ensure that network management interfaces are not exposed to the Internet to avoid them being re-purposed as redirectors by malicious actors. If they must be exposed to the Internet, device owners and operator...

    Windows Management Instrumentation

    The actor has executed the following command to gather information about local drives [T1082]:

        cmd.exe /C "wmic path win32_logicaldisk get caption,filesystem,freespace,size,volumename"

    This command does not require administrative credentials to return results. The command uses a command prompt [T1059.003] to execute a Windows Management Instrumentation Command Line (WMIC) query, collecting information about the storage devices on the local host, including d...

    Ntds.dit Active Directory Database

    The actor may try to exfiltrate the ntds.dit file and the SYSTEM registry hive from Windows domain controllers (DCs) out of the network to perform password cracking [T1003.003]. (The ntds.dit file is the main Active Directory (AD) database file and, by default, is stored at %SystemRoot%\NTDS\ntds.dit. This file contains information about users, groups, group memberships, and password hashes for all users in the domain; the SYSTEM registry hive contains the boot key that is u...

    The authoring agencies recommend organizations implement the mitigations below to improve your organization’s cybersecurity posture on the basis of the threat actor’s activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPG...

    To be able to detect the activity described in this CSA, defenders should set the audit policy for Windows security logs to include “audit process creation” and “include command line in process creation events” in addition to accessing the logs. Otherwise, the default logging configurations may not contain the necessary information. Enabling these ...

    TTPs

    1. Exploiting vulnerabilities [T1190] in widely used software including, but not limited to:
       1.1. CVE-2021-40539—ManageEngine ADSelfService Plus.
            1.1.1. APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus.
       1.2. CVE-2021-27860—FatPipe WARP, IPVPN, MPVPN.
            1.2.1. An APT Group Exploiting a 0-day in FatPipe WARP, MPVPN, and IPVPN Software.
    2. Using webshells for persistence and exfiltration [T1505.003], with at least some of t...

    File names and directory paths used in these commands are only meant to serve as examples. Actual names and paths may differ depending on environment and activity, so defenders should account for variants when performing queries. Note: Many of the commands are derivatives of common system administration commands that could generate false positives ...

    Active Directory and domain controller hardening:
    1. Best practices: Best Practices for Securing Active Directory | Microsoft Learn.

    CISA regional cyber threats:
    1. PRC state-sponsored activity: China Cyber Threat Overview and Advisories.

    Microsoft Threat Intelligence blog:
    1. Volt Typhoon activity: Volt Typhoon targets US critica...

    The NSA Cybersecurity Collaboration Center, along with the authoring agencies, acknowledge Amazon Web Services (AWS) Security, Broadcom, Cisco Talos, Google's Threat Analysis Group, Lumen Technologies, Mandiant, Microsoft Threat Intelligence (MSTI), Palo Alto Networks, SecureWorks, SentinelOne, Trellix, and additional industry partners for their co...

  4. May 24, 2023 · The National Security Agency (NSA) and partners have identified indicators of compromise (IOCs) associated with a People’s Republic of China (PRC) state-sponsored cyber actor using living off the land techniques to target networks across U.S. critical infrastructure.

  5. Jun 10, 2022 · Since 2020, PRC state-sponsored cyber actors have conducted widespread campaigns to rapidly exploit publicly identified security vulnerabilities, also known as common vulnerabilities and exposures (CVEs).

  6. Feb 7, 2024 · We are releasing this joint guidance for network defenders (including threat hunters) due to the identification of cyber threat actors, including the People’s Republic of China (PRC) and Russian Federation state-sponsored actors, using LOTL in compromised critical infrastructure organizations.

  7. Feb 7, 2024 · The CSA, entitled “PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure,” is led by the Cybersecurity and Infrastructure Security Agency (CISA) in partnership with NSA, the Federal Bureau of Investigation (FBI), and additional government agencies.
