NCSC warns CNI operators over ‘living-off-the-land’ attacks

Priority actions for defenders

While it is imperative for CNI operators to adopt a defence-in-depth approach to their cyber security posture as part of standard best practice – the newly-published guidance outlines a number of priority recommendations:

• Security teams should implement logging and aggregate logs in an out-of-band, centralised location;
• They should establish a baseline of user, network and application activity and implement automation to continuously review and compare activity logs;
• They should reduce alert noise;
• They should implement application allow-listing;
• They should enhance network segmentation and monitoring;
• They should implement authentication controls;
• They should seek to leverage user and entity behaviour analytics (UEBA).

More detail on these and other recommendations have been published by the US authorities and are available to read on the Cybersecurity and Infrastructure Security Agency (CISA) website.

LogRhythm customer solutions engineer Gabrielle Hempel said: “Critical infrastructure systems are extremely complex and interconnected, which makes them not only difficult to secure against attacks, but requiring specialised knowledge to understand and mitigate any vulnerabilities they might have.

“Often, critical infrastructure organisations also have resource constraints, which makes it difficult to implement and maintain security measures both from a personnel and financial standpoint.”

The costs arising from attacks on CNI will likely be multi-stage, including the upfront cost of incident response, system recovery and replacement, and any regulatory fines and legal costs that may follow, said Hempel. However, following this there will also be intense supply chain disrupted cascading down through various systems that may ultimately drive up costs for consumers.

“The collaborative warning highlights the alarming fact that the same cyber threats are having an impact across the globe,” added Hempel.

“There are numerous opportunities for strengthening international collaboration, including the real-time sharing of information and intelligence, joint research initiatives, and development of unified standards and frameworks for cyber security.

“However, it is also important to stress the importance of developing public-private partnerships not only nationally, but on a global scale in order to truly address vulnerabilities and attacks on critical infrastructure across the board. Because these attacks simultaneously span the globe geographically and organisations from public to private, they need to be addressed across these planes as well,” she said.

Volt Typhoon blows in

At the same time, the Five Eyes agencies also published a separate advisory sharing details of the Chinese APT known as Volt Typhoon, which first came to attention via Microsoft in May 2023.

Volt Typhoon is another active exploiter of LOLbins, which it has used extensively to compromise CNI systems in the US in particular. Just last week, the US authorities disrupted one Volt Typhoon operation that saw the operation hijack hundreds of vulnerable Cisco and Netgear routers to create a botnet that was used to obfuscate follow-on attacks on CNI operators.

CISA said it had confirmed Volt Typhoon has compromised the networks of US CNI operators in the comms, energy, transport and water sectors.

The agency warned that the APT’s targeting and behaviour pattern is not consistent with traditional Chinese cyber espionage, which tends to focus on intellectual property (IP) theft.

As such, it assesses with a high degree of confidence that Volt Typhoon is pre-positioning itself to enable lateral movements to operational technology (OT) assets that they can disrupt should geopolitical tensions – notably over Taiwan – escalate into conflict.

“The PRC [People’s Republic of China] cyber threat is not theoretical: leveraging information from our government and industry partners, CISA teams have found and eradicated Volt Typhoon intrusions into critical infrastructure across multiple sectors. And what we’ve found to date is likely the tip of the iceberg,” said CISA director Jen Easterly.

“Today’s joint advisory and guide are the result of effective, persistent operational collaboration with our industry, federal, and international partners and reflect our continued commitment to providing timely, actionable guidance to all of our stakeholders. We are at a critical juncture for our national security. We strongly encourage all critical infrastructure organisations to review and implement the actions in these advisories and report any suspected Volt Typhoon or living off the land activity to CISA or FBI.”