NSA and partners identify Chinese state-sponsored cyber actor using built-in network tools to target US critical infrastructure


The National Security Agency (NSA) and its partners have identified indicators of compromise (IOCs) associated with a People's Republic of China (PRC) state-sponsored cyber actor that uses living off the land techniques to target US critical infrastructure.

"Cyber actors have found it easier and more effective to use capabilities already built into critical infrastructure environments. A PRC state-sponsored actor is living off the land, using built-in network tools to evade our defenses and leave no trace behind," said Rob Joyce, NSA Director of Cybersecurity. "This makes it imperative that we work together to find and remove this actor from our critical networks."

The NSA is leading US and Five Eyes partner agencies in publicly releasing the Cybersecurity Advisory (CSA) "People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection" today, to help network defenders hunt for and detect this type of PRC malicious activity on their systems. Partner agencies include:

• US Cybersecurity and Infrastructure Security Agency (CISA)
• Federal Bureau of Investigation (FBI)
• Australian Cyber Security Centre (ACSC)
• Canadian Centre for Cyber Security (CCCS)
• New Zealand National Cyber Security Centre (NCSC-NZ)
• UK National Cyber Security Centre (NCSC-UK)

"For years, China has conducted operations to steal intellectual property and sensitive data from critical infrastructure organizations around the world," said CISA Director Jen Easterly. "Today's advisory, issued jointly with our US and international partners, reflects how China is using highly sophisticated means to target our nation's critical infrastructure. This joint advisory provides additional insight into how network defenders can detect and mitigate this malicious activity. At the same time, we must recognize the agility and capabilities of PRC cyber actors and focus on continued investment in strong cybersecurity practices such as network segmentation and resilience of critical operations in all scenarios. As our nation's cyber defense agency, CISA stands ready to assist any affected organization, and we encourage all organizations to visit our website for guidance on strengthening their networks."

"The FBI continues to warn against China's use of these identified techniques to target critical infrastructure organizations and conduct malicious activity," said Bryan Vorndran, Assistant Director of the FBI's Cyber Division. "We, along with our federal and international partners, will not allow the PRC to continue to use these unacceptable tactics. The FBI strives to share information with our private sector partners and the public to better protect against this targeted malicious activity."

"As outlined in this joint advisory with our international partners, it is imperative that operators of critical national infrastructure take action to prevent attackers from hiding on their systems," said Paul Chichester, NCSC Director of Operations. "We strongly encourage UK essential service providers to follow our guidance to detect this malicious activity and prevent ongoing compromise."

"The Canadian Centre for Cyber Security joins its international partners in sharing these newly identified threats and associated mitigation measures with critical infrastructure sectors," said Sami Khoury, Head of the Canadian Centre for Cyber Security. "The interconnected nature of our infrastructure and economies underscores the importance of working together with our partners to identify and share threat intelligence in real time."

The CSA provides hunting guidance and associated best practices, and includes examples of the actor's commands and detection signatures. The authoring agencies also include a summary of IOC values such as unique command-line strings, hashes, file paths, exploitation of the CVE-2021-40539 and CVE-2021-27860 vulnerabilities, and file names commonly used by this actor.

As one of their primary tactics, techniques, and procedures (TTPs), the PRC actor uses tools that are already installed or built into the target system. This allows the actor to evade detection by blending in with normal Windows system and network activity, avoiding endpoint detection and response (EDR) products, and limiting the amount of activity captured in default logging configurations.

The NSA recommends that network defenders apply the detection and hunting guidance in the CSA, such as logging and monitoring command-line execution and WMI events, and using a centralized logging server to preserve log integrity, particularly on a distributed network.

Defenders should monitor logs for Event ID 1102, which is generated when the audit log is cleared.

The behavioral indicators described in the CSA can also be legitimate system administration commands that appear in benign activity. Defenders must evaluate matches to determine their significance, applying their knowledge of the system and its baseline behavior.
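As an added illustration of the detection guidance above (example code written for this page, not code from the advisory, the NSA, or any partner agency), the following Python script runs a baseline-aware triage over constructed Windows event records in the shape a centralized log server might export. It flags Event ID 1102 (the Security audit log was cleared), Event ID 5861 from the Microsoft-Windows-WMI-Activity/Operational log (a new permanent WMI event consumer), and process-creation events (4688, with command-line logging enabled) for watch-listed built-in tools that appear on a (host, user) pair that did not use them during a previously reviewed period. The watchlist, hosts, users, timestamps and command lines are assumptions chosen for the example, not the advisory's indicator list.

```python
import json
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Security-log event IDs used below. 4688 = process creation (carries the
# command line only when "Include command line in process creation events"
# is enabled); 1102 = the audit log was cleared. 5861 comes from the
# Microsoft-Windows-WMI-Activity/Operational log and records a new
# permanent WMI event consumer binding.
EVT_PROCESS_CREATE = 4688
EVT_LOG_CLEARED = 1102
EVT_WMI_CONSUMER = 5861

# Illustrative watchlist of built-in Windows administration tools. Any
# legitimate admin may run these, so a hit alone is not a verdict.
WATCHLIST = {"netsh", "wmic", "ntdsutil", "schtasks", "wevtutil"}

# Constructed baseline window: events from a period the defender has already
# reviewed as normal. Hosts, users and command lines are invented.
BASELINE_EVENTS = r"""
{"ts": "2023-05-01T09:00:00Z", "host": "srv-dc1", "event_id": 4688, "user": "CORP\\svc-backup", "cmdline": "C:\\Windows\\System32\\ntdsutil.exe snapshot list"}
{"ts": "2023-05-01T09:15:00Z", "host": "ws-01", "event_id": 4688, "user": "CORP\\alice", "cmdline": "schtasks /query /fo LIST"}
"""

# Constructed events from the window being hunted (same invented hosts).
HUNT_EVENTS = r"""
{"ts": "2023-05-24T10:01:00Z", "host": "ws-01", "event_id": 4688, "user": "CORP\\alice", "cmdline": "ipconfig /all"}
{"ts": "2023-05-24T10:02:30Z", "host": "srv-dc1", "event_id": 4688, "user": "CORP\\svc-backup", "cmdline": "C:\\Windows\\System32\\ntdsutil.exe snapshot list"}
{"ts": "2023-05-24T10:05:12Z", "host": "ws-17", "event_id": 4688, "user": "CORP\\bob", "cmdline": "netsh interface show interface"}
{"ts": "2023-05-24T10:05:40Z", "host": "ws-17", "event_id": 1102, "user": "CORP\\bob", "cmdline": ""}
{"ts": "2023-05-24T10:06:00Z", "host": "srv-dc1", "event_id": 5861, "user": "SYSTEM", "cmdline": ""}
"""


def parse_events(text: str) -> List[dict]:
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def tool_name(cmdline: str) -> str:
    """Lowercase base name of the executable, without '.exe'.

    Takes the first whitespace-separated token, so a quoted path that
    itself contains spaces is not handled; the constructed samples avoid it.
    """
    if not cmdline.strip():
        return ""
    first = cmdline.strip().split()[0].strip('"')
    base = first.replace("/", "\\").split("\\")[-1].lower()
    return base[:-4] if base.endswith(".exe") else base


def build_baseline(events: List[dict]) -> Dict[Tuple[str, str], Set[str]]:
    """Map (host, user) -> watch-listed tools seen during the reviewed period."""
    baseline: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for ev in events:
        if ev["event_id"] == EVT_PROCESS_CREATE:
            tool = tool_name(ev.get("cmdline", ""))
            if tool in WATCHLIST:
                baseline[(ev["host"], ev["user"])].add(tool)
    return baseline


def triage(events: List[dict], baseline: Dict[Tuple[str, str], Set[str]]) -> List[dict]:
    """Return findings in event order, each with a severity and a reason."""
    findings = []
    for ev in events:
        eid = ev["event_id"]
        key = (ev["host"], ev["user"])
        finding = {"ts": ev["ts"], "host": ev["host"], "user": ev["user"]}
        if eid == EVT_LOG_CLEARED:
            finding.update(severity="high", reason="security audit log cleared (1102)")
        elif eid == EVT_WMI_CONSUMER:
            finding.update(severity="medium", reason="new permanent WMI event consumer (5861)")
        elif eid == EVT_PROCESS_CREATE:
            tool = tool_name(ev.get("cmdline", ""))
            if tool not in WATCHLIST:
                continue
            if tool in baseline.get(key, set()):
                # Matches the baseline: keep for context, do not page anyone.
                finding.update(severity="info", reason=f"{tool} is routine for this host/user")
            else:
                finding.update(severity="medium", reason=f"{tool} not previously seen for this host/user")
        else:
            continue
        findings.append(finding)
    return findings


if __name__ == "__main__":
    base = build_baseline(parse_events(BASELINE_EVENTS))
    for f in triage(parse_events(HUNT_EVENTS), base):
        print(f"{f['severity']:6} {f['ts']} {f['host']} {f['user']}: {f['reason']}")
```

On the constructed data the script yields four findings: the ntdsutil run on the domain controller is downgraded to informational because the same host and service account ran it in the reviewed period, the netsh run on ws-17 is raised because that pair has no history with the tool, and the 1102 and 5861 events are raised regardless of baseline. The ipconfig run produces nothing. In practice the baseline would be built from the centralized log store over a longer window, and a cleared audit log should be correlated with whatever the same host logged in the minutes before it.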

Read the full report here.

Visit our full library for more cybersecurity information and technical guidance.

NSA media relations
[email protected]
