"NSA and Partners Identify China State-Sponsored Cyber Actor Using Built-in Network Tools When Targeting US Critical Infrastructure Sectors"

The National Security Agency (NSA) and its partners have identified indicators of compromise (IOCs) related to a People's Republic of China (PRC) state-sponsored cyber actor using living off the land (LOTL) techniques to target networks across US critical infrastructure. NSA is leading US and Five Eyes partner agencies in releasing the "People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection" Cybersecurity Advisory (CSA) to help network defenders hunt for and detect this type of malicious activity by PRC actors on their systems. The partner agencies include the US Cybersecurity and Infrastructure Security Agency (CISA), FBI, Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NCSC-NZ), and UK National Cyber Security Centre (NCSC-UK). The CSA provides an overview of hunting tips and recommended practices, and contains examples of the actor's commands and signatures for detection. The authoring agencies also provide a summary of IOC values, such as unique command-line strings, hashes, file paths, exploitation of the CVE-2021-40539 and CVE-2021-27860 vulnerabilities, and file names commonly used by this actor. This article continues to discuss the release of guidance regarding a PRC state-sponsored cyber actor targeting US critical infrastructure.

NSA reports "NSA and Partners Identify China State-Sponsored Cyber Actor Using Built-in Network Tools When Targeting US Critical Infrastructure Sectors"
