Five Eyes advisory raises alarm over state-backed 'living off the land' attacks

The UK’s National Cyber Security Centre (NCSC), along with its Five Eyes allies, has issued a new warning to critical infrastructure operators about ‘living off the land’ attacks.

Together with cyber security agencies in the US, Australia, Canada, and New Zealand, the NCSC said in its advisory that state-sponsored actors have been exploiting native tools and processes built into computer systems to blend in with legitimate system and network behavior.

This, the NCSC said, can make their activity difficult to distinguish – even for organizations with more mature security postures.

"In this new dangerous and volatile world where the frontline is increasingly online, we must protect and future proof our systems," said deputy prime minister Oliver Dowden. "By driving up the resilience of our critical infrastructure across the UK, we will defend ourselves from cyber attackers that would do us harm."

The new guidance - an update to a warning issued last May - warns that state-sponsored attackers from China and Russia have been observed living off the land on compromised critical infrastructure networks.

It gives advice on how to identify living off the land activity, and to mitigate and remediate if a compromise is detected.

Priorities, it said, should include implementing logging and aggregate logs in an out-of-band, centralized location and establishing a baseline of network, user, and application activity, with automation used to continually review all logs and compare activity.

Organizations should also work to reduce alert noise, implement application allow listing, enhance network segmentation and monitoring, implement authentication controls, and make use of user and entity behavior analytics (UEBA).

"It is vital that operators of UK critical infrastructure heed this warning about cyber attackers using sophisticated techniques to hide on victims’ systems. Threat actors left to carry out their operations undetected present a persistent and potentially very serious threat to the provision of essential services," said Paul Chichester, NCSC director of operations.

"Organizations should apply the protections set out in the latest guidance to help hunt down and mitigate any malicious activity found on their networks."

Alongside this guidance, the five countries have also issued a separate advisory that shares specific details about China state-sponsored actor Volt Typhoon. This group has been observed using living off the land techniques to compromise US critical infrastructure systems, mainly in the communications, energy, transport and water and wastewater sectors.

"It’s clear the US has grown increasingly concerned about the threat Volt Typhoon exposes its critical infrastructure to and is working to disband the adversary," said Ian McGowan, managing director at Barrier Networks.

"All critical organizations across the world have migrated their operations to digital today, yet this has made them more vulnerable to attack. Gas facilities use automated tools to manage critical processes, while electrical plants rely on automated tools to control the electricity supply into peoples’ home.

“But, if attackers find a way to get access to these systems, they can shut down these key services, causing serious damage to a country and its citizens."