Typhoon Warning: an urgent cyber warning from international cyber agencies
29 May 2023
That is the message of an extraordinary joint advisory published by the United States National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA). It is particularly extraordinary that the agencies considered the threat significant enough to take the step of publicly alleging that the activity is state-sponsored. Such a step is not taken lightly.
Most significant for organisations in Australia and the UK, and for critical infrastructure providers in particular, is that the advisory was published jointly by the "Five Eyes" nations (the US, Australia, New Zealand, the UK and Canada). All five are signalling that they see a clear and direct threat of similar attacks in their own countries.
Surveillance-orientated threat actors are a particularly challenging and insidious threat. They are not motivated by money or extortion. They are patient and determined, and they use stealthy and highly sophisticated methods. Many of the required mitigations are proactive rather than reactive, and they are demanding for all but the most sophisticated and well-resourced cyber teams.
Initial access is achieved in several ways, including the exploitation of previously unknown (potentially zero-day) vulnerabilities in commonly used firewalls. The actor also harvests credentials (for example, passwords) from compromised devices and may continue to abuse a device after compromise, routing its traffic into and out of an organisation through it to disguise where that traffic really comes from. A vulnerability that is unknown to the vendor has, by definition, no patch yet; until one is released, the only defences are compensating controls, such as reducing the device's exposure to the internet, applying the vendor's hardening guidance and watching the device's logs and traffic closely.
Once inside a network, using harvested credentials (or stolen credentials, which the actor is also known to use), the threat actor employs a suite of tactics, techniques and procedures (TTPs) known collectively as "living off the land" (LOTL). Rather than using custom-developed malware (malicious software) or even off-the-shelf malware, both of which most endpoint detection and response (EDR) products can detect, the actor uses built-in Microsoft Windows tools and commands, weaponising them against its targets.
These are legitimate commands and tools routinely used by network and Windows system administrators, which makes their abuse particularly difficult to detect. Even advanced controls such as application whitelisting offer little protection against an attacker living off the land: the tools it abuses are already on organisations' whitelists because administrators need them for legitimate work. What distinguishes abuse from administration is not the tool but the context in which it runs: which account, on which host, launched by which parent process, and in what sequence.
Another technique in use is staging compromised information (credentials, system information, network details) in password-protected archives, so that the contents cannot be inspected by typical scanning and defence tools before they are exfiltrated. Rather ironically, Microsoft Defender was in the cyber media spotlight last week because independent analysts discovered that it was scanning inside password-protected archives, so tools with some ability to look past this technique do exist. Even where the contents cannot be read, the archive itself is a signal: with a plain password-protected ZIP, for example, the archive's index still reveals that its entries are encrypted and what they are called, and the creation of such an archive by an unexpected process or account is worth investigating in its own right.
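The following is an added example written for this article; it is not code from the joint advisory, Microsoft or Ashurst. It shows why a password-protected archive is still detectable: a ZIP file's central directory is never encrypted, so a scanner can read every entry name and the per-entry encryption flag without the password, and can flag an archive whose encrypted entries are named like credential material. Python's zipfile module cannot write encrypted archives, so the sample archive is built unencrypted and the encryption flag is then set by hand on two entries; the archive, its entry names and the "sensitive names" list are all constructed assumptions.

```python
"""Flagging password-protected staging archives without the password.

Added example for this article; not code from the advisory, Microsoft or
Ashurst. A scanner cannot read the contents of a password-protected ZIP, but
the ZIP central directory is never encrypted: it still lists every entry
name, size and the encryption flag (general-purpose bit 0). That is enough to
flag an archive that looks like a bundle of staged credential material.
Python's zipfile cannot write encrypted archives, so the sample is built
unencrypted and the encryption flag is then set by hand on two entries; the
archive is constructed and its file contents are placeholders.
"""
from __future__ import annotations

import io
import struct
import zipfile

ZIP_FLAG_ENCRYPTED = 0x0001

# Names that rarely belong in an ad-hoc archive: the AD database and the
# registry hives needed to decrypt it (assumed list; extend per environment).
SENSITIVE_BASENAMES = {"ntds.dit", "sam", "system", "security"}


def build_archive(entries: dict[str, bytes]) -> bytes:
    """Write an uncompressed, unencrypted ZIP to memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def mark_entry_encrypted(data: bytes, name: str) -> bytes:
    """Set the encryption flag on one entry's local and central headers.

    Simulation only: the payload is left in clear, so the entry can no longer
    be extracted, but the archive now carries the same flag that a real
    password-protected archive would.
    """
    buf = bytearray(data)
    target = name.encode("utf-8")
    # (signature, header length, offset of flags, offset of file-name length)
    for sig, hdr_len, flag_off, fnlen_off in ((b"PK\x03\x04", 30, 6, 26),
                                              (b"PK\x01\x02", 46, 8, 28)):
        pos = buf.find(sig)
        while pos != -1:
            fnlen = struct.unpack_from("<H", buf, pos + fnlen_off)[0]
            if bytes(buf[pos + hdr_len:pos + hdr_len + fnlen]) == target:
                flags = struct.unpack_from("<H", buf, pos + flag_off)[0]
                struct.pack_into("<H", buf, pos + flag_off, flags | ZIP_FLAG_ENCRYPTED)
            pos = buf.find(sig, pos + hdr_len)
    return bytes(buf)


def looks_sensitive(name: str) -> bool:
    base = name.rsplit("/", 1)[-1].lower()
    return base in SENSITIVE_BASENAMES or base.endswith(".dmp")


def inspect_archive(data: bytes) -> dict:
    """Report built from the central directory alone; no password needed."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = zf.infolist()
        encrypted = [zi.filename for zi in entries if zi.flag_bits & ZIP_FLAG_ENCRYPTED]
        suspicious = [zi.filename for zi in entries if looks_sensitive(zi.filename)]
    return {"entries": len(entries), "encrypted": encrypted, "suspicious": suspicious}


def is_staging_candidate(report: dict) -> bool:
    """Encrypted entries whose names point at credential material."""
    return any(n in report["encrypted"] for n in report["suspicious"])


def can_read(data: bytes, name: str) -> bool:
    """True if the entry extracts without a password."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        try:
            zf.read(name)
            return True
        except RuntimeError:   # zipfile: "password required for extraction"
            return False


# Constructed archives. STAGED mimics a credential bundle; BENIGN is ordinary.
STAGED_ARCHIVE = build_archive({
    "Active Directory/ntds.dit": b"placeholder, not a real AD database",
    "registry/SYSTEM": b"placeholder hive",
    "readme.txt": b"nothing to see here",
})
for _name in ("Active Directory/ntds.dit", "registry/SYSTEM"):
    STAGED_ARCHIVE = mark_entry_encrypted(STAGED_ARCHIVE, _name)

BENIGN_ARCHIVE = build_archive({
    "reports/q1.txt": b"quarterly figures",
    "reports/q2.txt": b"more figures",
})

if __name__ == "__main__":
    for label, data in (("staged", STAGED_ARCHIVE), ("benign", BENIGN_ARCHIVE)):
        report = inspect_archive(data)
        print(label, report, "-> investigate" if is_staging_candidate(report) else "-> ok")
```

The check is deliberately format-level: it asks nothing about the encrypted payload, only about the index, so it works in exactly the situation the paragraph describes. It does not generalise to formats that can encrypt their headers as well (7-Zip and RAR can both hide entry names), where the signal has to come from the process that created the archive rather than from the archive itself.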
Living off the land activity, using apparently legitimate tools and utilities, is almost impossible to detect with traditional anti-virus tools. Detection requires behavioural monitoring and pattern detection (rather than signature-based tools), and these are by their nature reactive: by the time the activity is detected, the threat actor is already inside the environment.
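The following is an added example written for this article, not code from the joint advisory, Microsoft or Ashurst. It illustrates the three preceding paragraphs at once: a small behavioural rule set run over constructed Windows process-creation events, in which every flagged binary is a signed Microsoft tool that an application whitelist would permit, and in which the same command is benign from an administrator's desktop and suspicious when spawned by a web-server worker. The event fields imitate Windows Security event 4688 with command-line auditing enabled; the events, rule patterns, weights, threshold and list of suspicious parent processes are all assumptions chosen for illustration and would need tuning in a real environment.

```python
"""Behavioural detection of living-off-the-land (LOTL) activity.

Added example for this article; it is not code from the joint advisory,
Microsoft or Ashurst. The events are constructed to resemble the fields of
Windows Security event 4688 (process creation with command-line auditing on).
The rules, weights and the list of suspicious parent processes are assumptions
to be tuned to the environment, not a vendor signature set.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    host: str
    user: str
    parent: str   # image of the parent process
    image: str    # image of the new process
    cmdline: str


# Constructed sample telemetry (not real logs). Every image here is a signed
# Microsoft binary that a typical application whitelist permits.
SAMPLE_EVENTS = [
    # Routine: an administrator lists disks from an interactive shell.
    Event("ws-admin01", "CORP\\jsmith", "C:\\Windows\\explorer.exe",
          "C:\\Windows\\System32\\wbem\\WMIC.exe",
          "wmic logicaldisk get caption,freespace,size"),
    # Suspicious: the same tool, spawned by a web-server worker process.
    Event("web02", "IIS APPPOOL\\DefaultAppPool",
          "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
          "C:\\Windows\\System32\\wbem\\WMIC.exe",
          "wmic path win32_logicaldisk get caption,filesystem,freespace,size,volumename"),
    # Suspicious: full export of the AD database via ntdsutil's IFM feature.
    Event("dc01", "CORP\\svc_backup", "C:\\Windows\\System32\\cmd.exe",
          "C:\\Windows\\System32\\ntdsutil.exe",
          'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\Windows\\Temp\\pro" q q'),
    # Suspicious: a netsh port proxy turns the host into a traffic relay.
    Event("fs01", "CORP\\svc_backup", "C:\\Windows\\System32\\cmd.exe",
          "C:\\Windows\\System32\\netsh.exe",
          "netsh interface portproxy add v4tov4 listenport=9999 "
          "connectaddress=10.0.5.14 connectport=8443"),
    # Suspicious: LSASS memory dumped through a signed Windows DLL.
    Event("fs01", "CORP\\svc_backup", "C:\\Windows\\System32\\cmd.exe",
          "C:\\Windows\\System32\\rundll32.exe",
          "rundll32.exe C:\\Windows\\System32\\comsvcs.dll MiniDump 712 "
          "C:\\Windows\\Temp\\l.dmp full"),
    # Routine: a scheduled job runs an ordinary PowerShell script.
    Event("fs01", "CORP\\svc_backup", "C:\\Windows\\System32\\svchost.exe",
          "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
          "powershell.exe -File C:\\Scripts\\nightly-backup.ps1"),
]

# A whitelist does not help: every tool above is on it.
WHITELISTED_IMAGES = {"wmic.exe", "ntdsutil.exe", "netsh.exe", "rundll32.exe",
                      "powershell.exe", "cmd.exe"}

# Behavioural rules: (name, image pattern, command-line pattern, weight).
RULES = [
    ("ntds_ifm_export",    r"ntdsutil\.exe$",   r"\bifm\b",                    8),
    ("netsh_portproxy",    r"netsh\.exe$",      r"portproxy\s+add",            7),
    ("lsass_minidump",     r"rundll32\.exe$",   r"comsvcs\.dll.*minidump",     8),
    ("powershell_encoded", r"powershell\.exe$", r"-e(c|nc|ncodedcommand)?\b",  5),
    ("wmic_disk_recon",    r"wmic\.exe$",       r"logicaldisk",                3),
]

# Parents that should almost never spawn administrative tooling (assumed list).
SUSPICIOUS_PARENTS = {"w3wp.exe", "httpd.exe", "tomcat.exe"}
PARENT_WEIGHT = 4


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_whitelisted(ev: Event) -> bool:
    return basename(ev.image) in WHITELISTED_IMAGES


def score_event(ev: Event) -> tuple[int, list[str]]:
    """Score one event: rule weights plus a bonus for a suspicious parent."""
    score, hits = 0, []
    for name, image_re, cmd_re, weight in RULES:
        if re.search(image_re, ev.image, re.I) and re.search(cmd_re, ev.cmdline, re.I):
            score += weight
            hits.append(name)
    if hits and basename(ev.parent) in SUSPICIOUS_PARENTS:
        score += PARENT_WEIGHT
        hits.append("suspicious_parent")
    return score, hits


def triage(events: list[Event], threshold: int = 6) -> list[dict]:
    """Events scoring at or above the threshold, highest first."""
    alerts = []
    for ev in events:
        score, hits = score_event(ev)
        if score >= threshold:
            alerts.append({"host": ev.host, "user": ev.user, "score": score, "rules": hits})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


def by_host(alerts: list[dict]) -> dict[str, int]:
    """Correlate per host: several hits on one machine matter more than one."""
    totals: dict[str, int] = defaultdict(int)
    for a in alerts:
        totals[a["host"]] += a["score"]
    return dict(totals)


if __name__ == "__main__":
    alerts = triage(SAMPLE_EVENTS)
    for a in alerts:
        print(f"{a['host']:<10} {a['score']:>2}  {a['user']:<28} {', '.join(a['rules'])}")
    print("per-host totals:", by_host(alerts))
```

Two things are worth noticing when running it. First, the administrator's disk listing on ws-admin01 and the web shell's disk listing on web02 are the same tool and nearly the same command; only the parent process separates them, which is why command-line auditing and parent-process context are prerequisites for this kind of detection. Second, the per-host total for fs01 is higher than any single alert, and that correlation (a port proxy and a memory dump on one server under one service account) is the pattern an analyst should be shown, not the individual events.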
Proactive monitoring for illegitimate use of legitimate tools, hardening accounts against compromise with multi-factor authentication, using up-to-date threat intelligence and patching vulnerabilities as soon as possible (immediately in the case of actively exploited zero-day vulnerabilities) are all essential. Even these hygiene measures can be difficult to apply if an attacker is already inside a network. Multi-factor authentication, for example, protects the point of login; it does not stop an attacker who already holds a valid session, or who moves laterally using service accounts and internal protocols that it does not cover.
Detecting unusual activity is just the first step. Many indicators of living-off-the-land activity look like normal network activity, so do not assume your network has been compromised without investigating further. This uncertainty makes responding in the moment particularly fraught: when should you shut down or isolate systems? When should you report activity as a cybersecurity incident? Having an efficient and well-understood escalation and decision-making process can make all the difference.
For detailed detection, mitigation and hunting techniques, review the joint cybersecurity advisory, advisories from the Australian Cyber Security Centre and the UK National Cyber Security Centre, and Microsoft’s threat intelligence.
Financially motivated threat actors announce their presence loudly and approach targets with clear business objectives of disruption and financial gain. In a ransomware attack, the ransom demanded is priced as a rational trade-off against the harm threatened, with that threat acting as leverage for payment.
The tactics and motivations of actors focused on espionage and information gathering, by contrast, can represent an (almost) invisible threat with no comparable business rationale. Their motivations are long-term and may evolve over time.
Living off the land tactics challenge traditional security and response thinking, with broad ramifications. A financially motivated attacker can use them to build knowledge for a later, more disruptive attack; other actors might never announce their presence at all.
Critical infrastructure providers in particular need to rethink their cyber response.
The joint security advisory emphasises that no one is immune to attack, and stresses the strategic value of critical infrastructure sectors. Significant effort has gone into building resilience against threat actors whose ultimate goal is to extort a ransom payment, but dealing with less obvious threats requires a shift in mindset.
A sophisticated and determined adversary presents an asymmetric threat: once you are targeted, you will very likely be compromised. Assume you will be compromised at some stage; plan for it, and build readiness, response and resilience.
Authors: John Macpherson, Partner Risk Advisory; John Moore, Director Risk Advisory; Amanda Ludlow, Partner Digital Economy Transactions; Andrew Hilton, Expertise Counsel Digital Economy Transactions.
This is a joint publication from Ashurst Australia and Ashurst Risk Advisory Pty Ltd, both part of the Ashurst Group.
The Ashurst Group is global, and comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst. Some members of the Ashurst Group are limited liability entities.
Ashurst Risk Advisory Pty Ltd (ABN 74 996 309 133) provides services under the Ashurst Risk Advisory brand. The services provided by Ashurst Risk Advisory Pty Ltd do not constitute legal services or legal advice, and are not provided by Australian legal practitioners in that capacity. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.
For more information about the Ashurst Group and the services offered, please visit www.ashurst.com.