Business Insight

Typhoon Warning: an urgent cyber warning from international cyber agencies

29 May 2023

Share Share
Share

    Digital Economy and Risk Update

    What you need to know 

    • Typhoon warning – International cyber agencies are warning that a cyber threat actor known as "Volt Typhoon" is actively and successfully targeting US critical infrastructure, and that this type of attack could spread worldwide.
    • "Living off the land"  Volt Typhoon uses "living off the land" techniques – it uses normal inbuilt network administration tools and similar techniques so that attacks look like normal network activity, and do not trigger normal alerts and alarms.
    • We explain how Volt Typhoon is compromising networks, share recommendations on how to detect and mitigate the threat, and help you understand how your organisation can adapt to this escalating threat environment.
    • The threat is genuine and we recommend our clients respond immediately to protect themselves, particularly those in critical infrastructure sectors.

    What you need to do 

    • Understand that not all threat actors are motivated by money  and adapt your cyber readiness, response and resilience strategies accordingly.
    • Take immediate steps to detect and respond to illegitimate use of normal network tools.
    • Reconsider your security posture – make sure your cyber risk framework is built on a strong foundation of cyber threat intelligence and assessment. Cyber risk controls need to reach beyond criminally motivated threats.  We explore broader implications below.
    • Get across the joint cybersecurity advisory, advisories from the Australian Cyber Security Centre and the UK National Cyber Security Centre, and Microsoft’s threat intelligence.

    A cyber group called Volt Typhoon is actively and successfully targeting US critical infrastructure providers.

    That is the extraordinary message published by the United States National Security Agency (NSA) and Cybersecurity Infrastructure Security Agency (CISA). It is particularly extraordinary that the agencies believed the threat so significant they took the step of alleging the activity is state-sponsored. Such steps are not taken lightly.

    Most significant for organisations in Australia and the UK, and for critical infrastructure providers, is that it was published as a joint advisory by the "Five Eyes" group of nations (US, AU, NZ, UK, CAN), demonstrating that they all believe there is a clear and direct threat of similar attacks in those countries.

    Surveillance-orientated threat actors are a particularly challenging and insidious threat. They are not motivated by money or extortion. They are patient, they are determined, using stealthy and highly sophisticated methods. The required mitigations are in many cases very proactive, challenging all but the most sophisticated and well-resourced cyber teams.

    Initial compromise and lateral movement – "living off the land"

    Initial access is achieved in multiple ways but includes the use of unknown exploits (potentially zero-day) in commonly used firewalls. The actor is also able to harvest credentials (eg passwords) from devices and may even abuse the device post-compromise, to hide its traffic into and out of an organisation. Such unknown vulnerabilities by definition have no known remediation, making them very hard to close.

    Once inside a network, using harvested credentials (or stolen credentials, which they are also known to use), a threat actor will employ a suite of tactics, techniques and procedures (TTPs) known collectively as "living off the land" (LOTL) – rather than using custom developed malware (malicious software) or even off-the-shelf malware (both of which can be detected by most Endpoint Detection and Response scanning software) they use built-in Microsoft Windows tools and commands, weaponising them against their targets.

    These are legitimate commands and tools often used by network administrators and Windows system administrators, making their abuse particularly difficult to detect. Even with advanced tools and techniques such as application whitelisting, an attacker living off the land can be difficult to detect and prevent – their tools are often added to organisations' application whitelists to allow their use for legitimate administrative activity.

    Another advanced technique being used is storing compromised information (credentials, system information, network info) in password protected archives to avoid detection by typical scanning and defence techniques. Rather ironically, Microsoft Defender was in the cyber media spotlight last week because independent analysts discovered that it was scanning inside password protected archives, so there are tools available that have the ability to detect such techniques.

    Getting technical – practical defence and mitigation steps

    Living off the land activities, using apparently legitimate tools and utilities, are almost impossible to detect with traditional anti-virus tools. Detection requires behavioural scanning and pattern detection tools and techniques (rather than signature-based tools) and these are, by their nature, reactive methodologies – once detected, the threat actor is already inside the environment. 

    Proactive monitoring for illegitimate use of legitimate tools, hardening accounts against compromise by using multi-factor authentication, as well as using up-to-date threat intelligence and patching vulnerabilities as soon as possible (immediately in the case of zero-day vulnerabilities), are all essential. Even these hygiene measures can be difficult to apply if an attacker is already inside a network – for example, multi-factor authentication might not prevent compromised accounts being used once inside a network.

    Detecting unusual activity is just the first step. Many indicators of an attacker living off the land activity look like normal network activity – don't assume your network has been compromised without investigating further. This uncertainty makes responding in the moment particularly fraught – when should you shut down or isolate systems?  When should you report activity as a cybersecurity incident? Having an efficient and well-understood escalation and decision-making process can make all the difference.

    For detailed detection, mitigation and hunting techniques, review the joint cybersecurity advisory, advisories from the Australian Cyber Security Centre and the UK National Cyber Security Centre, and Microsoft’s threat intelligence.

    A different way of thinking about security

    Financially motivated threat actors announce their presence loudly, and approach targets with clear business objectives of disruption and financial gain. In a ransom attack, the amount of the ransom is a rational price to minimise harm, with the threat of harm acting as leverage for payment.

    The tactics and motivations of actors focused on espionage and information gathering, on the other hand, can represent an (almost) invisible threat, with no business rationality. Their motivations are long-term and may evolve over time.

    Living off the land tactics challenge traditional security and response thinking, with broad ramifications. Living off the land tactics can be used by a financially motivated attacker to build knowledge for use in a later more disruptive attack – but other actors might never announce their presence.  

    Critical infrastructure providers in particular need to rethink their cyber response.

    • Look at risk through the eyes of your attacker –  Cyber incident planning, data security and simulations often assume a financially motivated threat actor, or are calibrated around potential cost or harm to an organisation. Understand that the assets and information that are valuable to a state-sponsored attacker might not be considered commercially sensitive or critical to your business. Increasingly, state-sponsored threat actors may use insiders to compromise more secure environments.
    • Work towards zero trust – Critical infrastructure should increasingly adopt a posture of assumed breach or compromise.  Never trust, always verify and validate.
    • Think about insurance – Review your insurance policies and seek advice from your broker or legal adviser. Understand what is covered, and what is not. This different threat model will challenge assumptions around insurance – Lloyd's of London now requires its market insurers to exclude coverage for state-sponsored cyber-attacks. Responding to living off the land activity, and the harm an organisation might suffer (for example due to shutting down or isolating systems) might not be covered. How will this affect your on-the-ground response?
    • Recalibrate security investment and secure sustainable funding – Security investment is traditionally driven by the direct business risk of a cyber-incident, assuming a ransom payment is the threat actor's ultimate objective. This approach takes no account of broader risks to the economy and society from a state-sponsored threat actor. Sectors requiring significant investment to address state-sponsored threats may need to push alternative strategies to fund cyber resilience (for example, government support, incentives, co-investment models or industry levies).
    • What do you notify, to whom and when? By their nature, living off the land attacks look like normal activity – it may be unclear whether a network has been compromised at all, or what the motivations or likely impact of an attack will be. Knowing how and when to notify regulators and other authorities, as well as insurers and other stakeholders, is difficult – particularly within the tight 12- and 72-hour timeframes required for example under Australia's Security of Critical Infrastructure Act 2018 (read more at Mandatory cyber incident reporting now live for Australia's critical infrastructure | Ashurst).
    • When will you pull the plug? One of the first responses to discovering a threat actor in your network is to shut down or isolate systems to contain the attack – the quicker you respond, the more you can contain the damage. But shutting down systems brings significant commercial, operational and recovery costs, and can impact supply chains. Sometimes, the cure is worse than the disease (particularly if you aren't sure if you are sick). Fast and efficient escalation and investigation could mean the difference between containing an attacker and letting them run free, and could avoid shutting down vital systems unnecessarily. 
    • Will the government step in? Governments may be more likely to exercise intervention powers (such as the Australian Government’s assistance powers under the Security of Critical Infrastructure Act 2018), where a state-sponsored attacker threatens national interests. We may see national security interests outstrip business interests when it comes to state-sponsored threats. There may be a disconnect between the steps a business wants to take to protect itself, and the measures a government wants to pursue to prevent broader harms, particularly when a threat actor is gathering intelligence rather than threatening direct harm.

    Expect to be compromised

    The joint security advisory emphasises that no-one is immune to attack – and stresses the strategic value of critical infrastructure sectors. Significant focus has been given to building resilience to threat actors whose ultimate goal is to extort a ransom payment – but dealing with less obvious threats requires a shift in mindset.

    A sophisticated and determined adversary presents an asymmetric threat – once you are targeted, you will very likely be compromised. You must assume you will be compromised at some stage – plan for it, and build readiness, response and resilience.

    Authors: John Macpherson, Partner Risk Advisory; John Moore, Director Risk Advisory; Amanda Ludlow, Partner Digital Economy Transactions; Andrew Hilton, Expertise Counsel Digital Economy Transactions.

    This is a joint publication from Ashurst Australia and Ashurst Risk Advisory Pty Ltd, both part of the Ashurst Group.

    The Ashurst Group is global, and comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst.  Some members of the Ashurst Group are limited liability entities.

    Ashurst Risk Advisory Pty Ltd (ABN 74 996 309 133) provides services under the Ashurst Risk Advisory brand. The services provided by Ashurst Risk Advisory Pty Ltd do not constitute legal services or legal advice, and are not provided by Australian legal practitioners in that capacity. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.

    For more information about the Ashurst Group and the services offered, please visit www.ashurst.com.

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.

    Key Contacts

    image

    Stay ahead with our business insights, updates and podcasts

    Sign-up to select your areas of interest

    Sign-up