NCSC warns CNI operators over ‘living-off-the-land’ attacks

Malicious, state-backed actors may well be lurking in the UK’s most critical networks right now, and their operators may not even know until it is too late, warn the NCSC and its partners

Alex Scroxton,
Security Editor

Published: 07 Feb 2024 20:47

The UK’s National Cyber Security Centre (NCSC), together with its Five Eyes allies from Australia, Canada, New Zealand and the United States, have issued an urgent warning to operators of critical national infrastructure (CNI), sharing new details of how state-backed threat actors are using living-off-the-land techniques to persist on their networks.

Living-off-the-land refers to the exploitation of existing, legitimate tools on users’ IT systems in order to blend in to naturally occurring traffic that would not ordinarily raise any eyebrows. By exploiting these tools or binaries – also known as LOLbins – malicious actors can slip past security defences and teams with relative ease and operate discretely in the service of their paymasters.

The NCSC said that even organisations with the most mature cyber security techniques could easily fail to spot a living-off-the-land attack, and assessed it is “likely” that such activity poses a clear threat to CNI in the UK. As such, it is urging all CNI operators – energy suppliers, water companies, telecoms operators, and so on – to follow a series of recommended actions to help detect compromises and mitigate vulnerabilities.

In particular, it warned, both Chinese and Russian hackers have been observed living-off-the-land on compromised CNI networks – one prominent exponent of the technique is the GRU-sponsored advanced persistent threat (APT) actor known as Sandworm, which uses LOLbins extensively to attack targets in Ukraine.

“It is vital that operators of UK critical infrastructure heed this warning about cyber attackers using sophisticated techniques to hide on victims’ systems,” said NCSC operations director Paul Chichester.

“Threat actors left to carry out their operations undetected present a persistent and potentially very serious threat to the provision of essential services. Organisations should apply the protections set out in the latest guidance to help hunt down and mitigate any malicious activity found on their networks.”

“In this new dangerous and volatile world where the frontline is increasingly online, we must protect and future proof our systems,” added deputy prime minister Oliver Dowden. “Earlier this week, I announced an independent review to look at cyber security as an enabler to build trust, resilience and unleash growth across the UK economy.

“By driving up the resilience of our critical infrastructure across the UK we will defend ourselves from cyber attackers that would do us harm,” he added.

Priority actions for defenders

While it is imperative for CNI operators to adopt a defence-in-depth approach to their cyber security posture as part of standard best practice – the newly-published guidance outlines a number of priority recommendations:

Security teams should implement logging and aggregate logs in an out-of-band, centralised location;
They should establish a baseline of user, network and application activity and implement automation to continuously review and compare activity logs;
They should reduce alert noise;
They should implement application allow-listing;
They should enhance network segmentation and monitoring;
They should implement authentication controls;
They should seek to leverage user and entity behaviour analytics (UEBA).

More detail on these and other recommendations have been published by the US authorities and are available to read on the Cybersecurity and Infrastructure Security Agency (CISA) website.

LogRhythm customer solutions engineer Gabrielle Hempel said: “Critical infrastructure systems are extremely complex and interconnected, which makes them not only difficult to secure against attacks, but requiring specialised knowledge to understand and mitigate any vulnerabilities they might have.

“Often, critical infrastructure organisations also have resource constraints, which makes it difficult to implement and maintain security measures both from a personnel and financial standpoint.”

The costs arising from attacks on CNI will likely be multi-stage, including the upfront cost of incident response, system recovery and replacement, and any regulatory fines and legal costs that may follow, said Hempel. However, following this there will also be intense supply chain disrupted cascading down through various systems that may ultimately drive up costs for consumers.

“The collaborative warning highlights the alarming fact that the same cyber threats are having an impact across the globe,” added Hempel.

“There are numerous opportunities for strengthening international collaboration, including the real-time sharing of information and intelligence, joint research initiatives, and development of unified standards and frameworks for cyber security.

“However, it is also important to stress the importance of developing public-private partnerships not only nationally, but on a global scale in order to truly address vulnerabilities and attacks on critical infrastructure across the board. Because these attacks simultaneously span the globe geographically and organisations from public to private, they need to be addressed across these planes as well,” she said.

Volt Typhoon blows in

At the same time, the Five Eyes agencies also published a separate advisory sharing details of the Chinese APT known as Volt Typhoon, which first came to attention via Microsoft in May 2023.

Volt Typhoon is another active exploiter of LOLbins, which it has used extensively to compromise CNI systems in the US in particular. Just last week, the US authorities disrupted one Volt Typhoon operation that saw the operation hijack hundreds of vulnerable Cisco and Netgear routers to create a botnet that was used to obfuscate follow-on attacks on CNI operators.

CISA said it had confirmed Volt Typhoon has compromised the networks of US CNI operators in the comms, energy, transport and water sectors.

The agency warned that the APT’s targeting and behaviour pattern is not consistent with traditional Chinese cyber espionage, which tends to focus on intellectual property (IP) theft.

As such, it assesses with a high degree of confidence that Volt Typhoon is pre-positioning itself to enable lateral movements to operational technology (OT) assets that they can disrupt should geopolitical tensions – notably over Taiwan – escalate into conflict.

“The PRC [People’s Republic of China] cyber threat is not theoretical: leveraging information from our government and industry partners, CISA teams have found and eradicated Volt Typhoon intrusions into critical infrastructure across multiple sectors. And what we’ve found to date is likely the tip of the iceberg,” said CISA director Jen Easterly.

“Today’s joint advisory and guide are the result of effective, persistent operational collaboration with our industry, federal, and international partners and reflect our continued commitment to providing timely, actionable guidance to all of our stakeholders. We are at a critical juncture for our national security. We strongly encourage all critical infrastructure organisations to review and implement the actions in these advisories and report any suspected Volt Typhoon or living off the land activity to CISA or FBI.”

Read more on Hackers and cybercrime prevention

CISA: Volt Typhoon had access to some U.S. targets for 5 years