Joint Advisory: PRC-sponsored Volt Typhoon Activity and Supplemental Living Off the Land Guidance

Today, the National Cyber Security Centre (NCSC) has joined international partners in publishing joint guidance titled ‘Identifying and Mitigating Living Off the Land’ and a cyber security advisory titled ‘PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure’.

The joint guidance, ‘Identifying and Mitigating Living Off the Land’ (LOTL), provides information on common LOTL techniques and on gaps in cyber defence capabilities. It also provides guidance for network defenders to mitigate the identified gaps and to detect and hunt for LOTL activity. The authoring agencies are releasing this joint guidance for network defenders (including threat hunters) because cyber threat actors, including People’s Republic of China (PRC) and Russian Federation state-sponsored actors, have been identified using LOTL techniques in compromised critical infrastructure organisations. The authoring agencies strongly urge critical infrastructure organisations to apply the prioritised security best practices and detection guidance to hunt for potential LOTL activity. These recommendations are part of a multifaceted cyber security strategy that enables effective data correlation and analysis.

The joint advisory, ‘PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure’, urges critical infrastructure organisations to apply its mitigations and to hunt for similar malicious activity using the guidance within the advisory, in parallel with the ‘Identifying and Mitigating Living Off the Land’ guidance. The mitigations are intended for IT and OT administrators in critical infrastructure organisations, to reduce the risk and impact of future compromise and to detect and mitigate malicious activity if it is discovered. Following the mitigations, whether for prevention or in response to an incident, will help disrupt Volt Typhoon’s access and reduce the threat to critical infrastructure entities.

If activity is identified, we strongly recommend that critical infrastructure organisations apply the incident response recommendations in this advisory and report the incident to incidents@ncsc.govt.nz.

For more NCSC NZ updates, follow us on LinkedIn.