You are here

Joint Cybersecurity Advisory – People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection

Joint Cybersecurity Advisory – People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection

Created: Thursday, May 25, 2023 - 14:51

WaterISAC regularly provides awareness of recent CISA reporting. While direct relevance to your utility/organization on the details of each report may vary, activity alerts like this are practical for general awareness of active threats and adversary capabilities.

Yesterday, CISA, the FBI, the National Security Agency (NSA), the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the Communications Security Establishment’s Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), and the United Kingdom National Cyber Security Centre (NCSC-UK) published a joint Cybersecurity Advisory (CSA) to highlight a People’s Republic of China (PRC) state-sponsored actor, also known as Volt Typhoon, that is actively working to compromise critical infrastructure networks and conduct malicious activity.

This advisory provides critical infrastructure organizations and network defenders with new insights into the specific tactics, techniques, and procedures (TTPs) used by PRC threat actors to gain and maintain persistent access into critical infrastructure networks. It demonstrates how PRC cyber actors use a technique called living off the land, which enables these actors to avoid detection by using legitimate network administration tools such as PowerShell, Windows Management Instrumentation (WMI), and Mimikatz.    

The CSA also includes indicators of compromise to help network defenders detect related malicious activity. The authoring agencies encourage network defenders to review the advisory and apply the included mitigations. Recommended mitigations which can help organizations prioritize their investments to most effectively mitigate this activity, include:  

  • Baseline protections include harden domain controllers, monitor event logs, limit port proxy usage within environments, and investigate unusual internet protocol (IP) addresses and ports.  
  • Logging recommendations include setting audit policy, hunt for windows management instrumentation (WMI) and PowerShell activity and enable logging on their edge devices.   
  • Prioritize mitigation of known exploited vulnerabilities (KEV), including those listed in the joint advisory and also in CISA's KEV catalog

To report suspicious or criminal activity related to information found in advisory, contact your local FBI field office, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937, or by e-mail at If you have any further questions, or to request incident response resources or technical assistance related to these threats, contact CISA at CISAServiceDesk@cisa.dhs.govAccess the full advisory at CISA.