Five Eyes advisory raises alarm over state-backed 'living off the land' attacks
State-backed actors may be lurking in critical infrastructure systems, security agencies have warned
The UK’s National Cyber Security Centre (NCSC), along with its Five Eyes allies, has issued a new warning to critical infrastructure operators about ‘living off the land’ attacks.
Together with cyber security agencies in the US, Australia, Canada, and New Zealand, the NCSC said in its advisory that state-sponsored actors have been exploiting native tools and processes built into computer systems to blend in with legitimate system and network behavior.
This, the NCSC said, can make their activity difficult to distinguish – even for organizations with more mature security postures.
"In this new dangerous and volatile world where the frontline is increasingly online, we must protect and future proof our systems," said deputy prime minister Oliver Dowden. "By driving up the resilience of our critical infrastructure across the UK, we will defend ourselves from cyber attackers that would do us harm."
The new guidance - an update to a warning issued last May - warns that state-sponsored attackers from China and Russia have been observed living off the land on compromised critical infrastructure networks.
It gives advice on how to identify living off the land activity, and to mitigate and remediate if a compromise is detected.
Priorities, it said, should include implementing logging and aggregating logs in an out-of-band, centralized location; establishing a baseline of normal network, user, and application activity; and using automation to continually review all logs and compare current activity against that baseline.
Organizations should also work to reduce alert noise, implement application allow listing, enhance network segmentation and monitoring, implement authentication controls, and make use of user and entity behavior analytics (UEBA).
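One concrete form of the baseline-and-compare hunt the advisory describes, added here as an illustration and not taken from the NCSC or CISA guidance: learn which parent/child process pairs each user normally runs on each host, then replay later process-creation logs against that baseline and raise the severity only when a native tool is also invoked with a known abuse pattern. The JSON-lines log shape, field names, sample events and indicator list are all constructed assumptions for the example (the abuse patterns are widely documented LOLBin usages, not a list taken from the article).

```python
"""Baseline-and-compare hunt for living-off-the-land activity over process
creation logs. Added example: the log format, field names, sample events and
indicator patterns are assumptions, not taken from the advisory or the article."""
import json
import re
from collections import defaultdict

# Constructed sample events, loosely modelled on Windows process-creation
# (event ID 4688) fields. Field names are assumed, not a vendor schema.
BASELINE_LOG = r"""
{"host":"dc01","user":"svc_backup","parent":"services.exe","image":"wbadmin.exe","cmdline":"wbadmin start backup"}
{"host":"ws17","user":"alice","parent":"explorer.exe","image":"cmd.exe","cmdline":"cmd /c dir"}
{"host":"ws17","user":"alice","parent":"explorer.exe","image":"powershell.exe","cmdline":"powershell Get-Process"}
{"host":"ws17","user":"alice","parent":"explorer.exe","image":"cmd.exe","cmdline":"cmd /c type notes.txt"}
"""

# Constructed events from a later window that we hunt through.
HUNT_LOG = r"""
{"host":"ws17","user":"alice","parent":"explorer.exe","image":"cmd.exe","cmdline":"cmd /c dir"}
{"host":"dc01","user":"svc_backup","parent":"cmd.exe","image":"ntdsutil.exe","cmdline":"ntdsutil ac i ntds ifm create full C:\\temp q q"}
{"host":"ws17","user":"alice","parent":"winword.exe","image":"powershell.exe","cmdline":"powershell -nop -w hidden -enc SQBFAFgA"}
{"host":"fw-jump","user":"admin","parent":"cmd.exe","image":"netsh.exe","cmdline":"netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5 connectport=443"}
{"host":"ws17","user":"alice","parent":"explorer.exe","image":"notepad.exe","cmdline":"notepad todo.txt"}
"""

# Illustrative native-tool abuse patterns (assumed, well-known LOLBin usages).
# Matching one of these alongside an unseen parent/child pair is what lifts an
# alert from "low" (just unusual) to "high" (unusual and looks like tradecraft).
LOLBIN_PATTERNS = {
    "ntdsutil.exe": re.compile(r"ac\s+i\s+ntds|\bifm\b", re.I),          # AD database dump
    "netsh.exe": re.compile(r"portproxy", re.I),                          # traffic relay
    "powershell.exe": re.compile(r"-(enc|encodedcommand)\b|-w\s+hidden", re.I),
    "wmic.exe": re.compile(r"process\s+call\s+create", re.I),
    "reg.exe": re.compile(r"save\s+hklm\\(sam|system|security)", re.I),   # hive dump
}


def parse_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def build_baseline(events):
    """Map (host, user) -> set of (parent, image) pairs seen in the learning window."""
    baseline = defaultdict(set)
    for e in events:
        baseline[(e["host"], e["user"])].add((e["parent"], e["image"]))
    return baseline


def score_event(event, baseline):
    """Return (severity, reasons) for one event; severity is None when nothing fired."""
    reasons = []
    key = (event["host"], event["user"])
    pair = (event["parent"], event["image"])
    if pair not in baseline.get(key, set()):
        reasons.append(f"unseen parent/child {pair[0]} -> {pair[1]} for {key[1]}@{key[0]}")
    pattern = LOLBIN_PATTERNS.get(event["image"].lower())
    abuse = bool(pattern and pattern.search(event["cmdline"]))
    if abuse:
        reasons.append(f"{event['image']} invoked with abuse pattern: {event['cmdline']}")
    if not reasons:
        return None, []
    return ("high" if abuse else "low"), reasons


def hunt(events, baseline):
    """Score every event and return the alerts, each tagged with a severity."""
    alerts = []
    for e in events:
        severity, reasons = score_event(e, baseline)
        if severity:
            alerts.append({"host": e["host"], "image": e["image"],
                           "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    base = build_baseline(parse_events(BASELINE_LOG))
    for alert in hunt(parse_events(HUNT_LOG), base):
        print(alert["severity"].upper(), alert["host"], alert["image"])
        for reason in alert["reasons"]:
            print("   ", reason)
```

In this run the routine `cmd /c dir` from explorer.exe is suppressed by the baseline, notepad.exe launched from an unseen pair is surfaced at low severity only, and the ntdsutil, encoded PowerShell and netsh portproxy events come out as high. In practice the baseline window must itself be reviewed before use: if the intruder was already present while you learned "normal", their activity is baked into the allow set, which is exactly the problem the advisory's out-of-band log retention is meant to help with.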
"It is vital that operators of UK critical infrastructure heed this warning about cyber attackers using sophisticated techniques to hide on victims’ systems. Threat actors left to carry out their operations undetected present a persistent and potentially very serious threat to the provision of essential services," said Paul Chichester, NCSC director of operations.
"Organizations should apply the protections set out in the latest guidance to help hunt down and mitigate any malicious activity found on their networks."
Alongside this guidance, the five countries have also issued a separate advisory that shares specific details about China state-sponsored actor Volt Typhoon. This group has been observed using living off the land techniques to compromise US critical infrastructure systems, mainly in the communications, energy, transport and water and wastewater sectors.
"It’s clear the US has grown increasingly concerned about the threat Volt Typhoon exposes its critical infrastructure to and is working to disband the adversary," said Ian McGowan, managing director at Barrier Networks.
"All critical organizations across the world have migrated their operations to digital today, yet this has made them more vulnerable to attack. Gas facilities use automated tools to manage critical processes, while electrical plants rely on automated tools to control the electricity supply into people's homes.
“But, if attackers find a way to get access to these systems, they can shut down these key services, causing serious damage to a country and its citizens."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
