The National Security Agency has collaborated with six other government agencies in the U.S. and other countries to issue an advisory over a China-sponsored cyber actor that blends in with legitimate software and networks to evade detection.
The cybersecurity warning, which was issued Wednesday by the Five Eyes intelligence alliance of the United States, Australia, Canada, New Zealand, and the United Kingdom, aims to help critical infrastructure network defenders find and detect the threat, known as Volt Typhoon.
The cyber actor’s behaviors were flagged by NSA’s private sector partners, which reported that it was using “living off the land” malware to attack critical infrastructure organizations without leaving a trace. It uses built-in tools such as wmic, ntdsutil, netsh, and PowerShell to avoid detection.
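Because the tools named above are legitimate Windows binaries that administrators and scheduled jobs use every day, simply alerting on their presence drowns defenders in noise. The following added example (not code from the advisory or this article) compares new process-creation events against a known-good baseline and flags one of those tools only when a host/account/tool combination has never been seen before; all hosts, accounts and paths are constructed for the example.

```python
import json
from collections import Counter

# Built-in Windows tools named in the advisory summary above.
LOTL_BINARIES = {"wmic.exe", "ntdsutil.exe", "netsh.exe", "powershell.exe"}

# Constructed process-creation events (newline-delimited JSON, Sysmon Event ID 1 style).
# Hosts, users and paths are invented for this example; backslashes are JSON-escaped.
BASELINE_LOG = r"""
{"host": "DC01", "user": "CORP\\svc-backup", "image": "C:\\Windows\\System32\\ntdsutil.exe"}
{"host": "DC01", "user": "CORP\\svc-backup", "image": "C:\\Windows\\System32\\ntdsutil.exe"}
{"host": "WS07", "user": "CORP\\alice", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
"""

NEW_LOG = r"""
{"host": "DC01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\ntdsutil.exe"}
{"host": "WS07", "user": "CORP\\alice", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"host": "WS07", "user": "CORP\\alice", "image": "C:\\Windows\\System32\\notepad.exe"}
{"host": "FW-MGMT", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\netsh.exe"}
"""

def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def event_key(event):
    """(host, user, binary name): who runs what, where."""
    binary = event["image"].rsplit("\\", 1)[-1].lower()
    return (event["host"], event["user"].lower(), binary)

def build_baseline(events):
    """Count each (host, user, binary) triple observed over a known-good period."""
    return Counter(event_key(e) for e in events)

def flag_lotl_events(events, baseline):
    """Return LOTL-tool executions whose host/user/tool triple is absent from the baseline.

    Blocking these tools outright is rarely possible (admins and backup jobs need them),
    so the useful signal is a *new* pairing of host, account and tool.
    """
    alerts = []
    for event in events:
        key = event_key(event)
        if key[2] in LOTL_BINARIES and baseline[key] == 0:
            alerts.append({"host": key[0], "user": key[1], "binary": key[2],
                           "reason": "LOTL tool not seen for this host/user in baseline"})
    return alerts

if __name__ == "__main__":
    print(flag_lotl_events(parse_events(NEW_LOG), build_baseline(parse_events(BASELINE_LOG))))
```

The baseline window and the key fields (adding parent process or command-line shape, for instance) are where a real deployment would be tuned; the point is that the comparison, not the tool name, carries the signal.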
“This joint advisory will give network defenders more insights into how to detect and mitigate this malicious activity,” said Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency. “At the same time, we must recognize the agility and capability of PRC cyber actors, and continue to focus on strong cybersecurity practices like network segmentation and ongoing investments in promoting the resilience of critical functions under all conditions,” added Easterly, a Wash100 awardee.
NSA Cybersecurity Director and fellow Wash100 honoree Rob Joyce echoed her remarks, stressing that it is “imperative for us to work together to find and remove the actor from our critical networks.”