Chinese and Russian Legitimate Tool Attacks Mandate AI-Enabled Cyber Defenses – Signal Magazine


The discovery in May 2023 of a new Chinese state-sponsored threat actor, Volt Typhoon, in telecommunications systems in Guam and other locations in the United States, represents a concerning example of living off the land (LOTL) in potentially disruptive attacks. Microsoft found that Volt Typhoon rarely uses malware in its activity after penetrating a system; instead, it relies on LOTL techniques. Intrusions in Guam are troubling because its ports and bases would be central to any American military response to an invasion or blockade of Taiwan. Other victims include a water utility in Hawaii, a major West Coast port, at least one oil and gas pipeline, and an attempted penetration of the Texas power grid. The actor’s choice of targets is not consistent with traditional cyber espionage. While the hidden access could interrupt American military deployments or resupply operations, the impact could be broader, as the infrastructure that supports military bases also supplies the nearby homes and businesses of ordinary Americans.

Volt Typhoon uses built-in network administration tools to achieve its objectives, including PowerShell commands to obtain valid user login credentials, the Windows Management Instrumentation command-line (WMIC) to gather information about local drives, and Impacket to redirect command output to a file on the victim system. National Security Agency officials say the two toughest challenges with these techniques are determining that a compromise has occurred and having confidence that the actor was evicted after detection. Federal agencies are still finding victims targeted by Volt Typhoon and working to clear out intrusions. Mandiant CEO Kevin Mandia says some victims “won’t know they’re impacted.” Volt Typhoon is seemingly trying to maintain persistence on systems. Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), testified that Volt Typhoon’s targeting of critical infrastructure is “to ensure that they can incite societal panic and chaos and to deter our ability to marshal military might and civilian will.”

The use of LOTL to enable cyber operations during active conflicts is already clear in Ukraine. Russian threat actors have exploited built-in system functionality or external tools to conduct malicious actions on compromised systems. Their misuse of Windows-based software includes the legitimate WinRAR program, which is popular in the region, to archive stolen files. In July 2023, analysts from Mandiant, an American cybersecurity company and a subsidiary of Google, determined that the Russian General Staff Main Intelligence Directorate (GRU) and other Russian threat clusters were using a repeatable playbook for high-tempo operations. After entering systems by leveraging compromised routers, firewalls and mail servers, they use legitimate tools for reconnaissance, lateral movement and data theft to limit malware exposure before deploying a wiper or other disruptive tool.

Russian actors have used LOTL extensively in their attacks on critical infrastructure. For example, the GRU group Sandworm used Impacket to create a Windows scheduled task or invoke an encoded PowerShell command to execute the Prestige ransomware payload on transportation and logistics systems in Ukraine and Poland. Sandworm also used operational technology-level LOTL techniques to compromise Ukraine’s energy grid, running a native utility to execute unauthorized control commands that switched off substations and caused a power outage that coincided with mass missile strikes on critical infrastructure. Mandiant assessed that by using LOTL techniques, Sandworm decreased the time and resources required to conduct the cyber-physical attack.

Ransomware gangs also use LOTL techniques to attack critical sectors without concern for the impact. For instance, the Russian-speaking LockBit 3.0 gang disrupted emergency care at three German hospitals over Christmas weekend. LockBit has compromised computer systems at the Port of Lisbon and the Port of Nagoya, which shut down container operations for days. LockBit relies on legitimate programs in its ransomware attack chain. As an example, LockBit uses PowerShell to execute commands that retrieve an encoded script which establishes a backdoor on infected systems, and uses the Windows Task Scheduler to execute malicious script commands at specific times or intervals. These scripts help maintain access to the system after reboots or user logins.
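The techniques described above for Volt Typhoon and LockBit (encoded PowerShell commands, WMIC drive discovery, Impacket-style output redirection and Task Scheduler persistence) all leave traces in ordinary process-creation telemetry, which is where defenders usually look for LOTL activity. The following is an added example, not code from the article or from any of the vendors it cites: a small Python detector that runs simple indicator rules over constructed records shaped like Windows Security Event ID 4688 entries. The host names, paths, field names and command lines are invented for the example; the rules themselves are defender-side heuristics, and the `\\127.0.0.1\ADMIN$\__` redirection pattern mirrors a publicly documented Impacket artifact.

```python
"""
Added example (not from the Signal Magazine article): detect living-off-the-land
(LOTL) indicators in Windows process-creation records.
"""
import base64
import re

# Constructed sample records shaped like Windows Security Event ID 4688
# (process creation). Hosts, paths and values are invented for this example.
SAMPLE_EVENTS = [
    # Encoded, hidden-window PowerShell: the payload here is a harmless echo.
    {"host": "ws-01", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + base64.b64encode("Write-Output 'constructed sample'".encode("utf-16le")).decode()},
    # Task Scheduler persistence running a script at logon.
    {"host": "ws-01", "parent": "cmd.exe", "image": "schtasks.exe",
     "cmdline": 'schtasks.exe /create /tn "Updater" /sc onlogon '
                '/tr "powershell.exe -nop -File C:\\Users\\Public\\u.ps1"'},
    # WMIC used to enumerate local drives.
    {"host": "srv-02", "parent": "cmd.exe", "image": "wmic.exe",
     "cmdline": "wmic.exe logicaldisk get caption,filesystem,freespace"},
    # Command output redirected to the local ADMIN$ share, a documented
    # Impacket wmiexec/smbexec artifact.
    {"host": "srv-02", "parent": "wmiprvse.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1700000000.12 2>&1"},
    # Benign scheduled backup script; should produce no findings.
    {"host": "ws-03", "parent": "svchost.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\nightly-backup.ps1"},
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the trailing
# whitespace requirement keeps -ExecutionPolicy from matching.
ENCODED_FLAG = re.compile(r"(?i)-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event):
    """Return the LOTL indicator tags matched by one process-creation record."""
    image = event["image"].lower()
    cmd = event["cmdline"]
    low = cmd.lower()
    tags = []
    if image == "powershell.exe":
        if decode_encoded_command(cmd) is not None:
            tags.append("encoded_powershell")
        if re.search(r"-w(?:indowstyle)?\s+hidden", low):
            tags.append("hidden_window")
    if image == "schtasks.exe" and "/create" in low and re.search(
            r'/tr\s+"?[^"]*?(powershell|cmd\.exe|wscript|cscript)', low):
        tags.append("scheduled_task_runs_script")
    if image == "wmic.exe" and "logicaldisk" in low:
        tags.append("wmic_drive_discovery")
    if re.search(r"\\\\127\.0\.0\.1\\admin\$\\__", low):
        tags.append("output_to_local_admin_share")
    return tags


def scan(events):
    """Run every record through classify() and keep only those with findings."""
    hits = []
    for ev in events:
        tags = classify(ev)
        if tags:
            hits.append({"host": ev["host"], "image": ev["image"], "tags": tags,
                         "decoded": decode_encoded_command(ev["cmdline"])})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit['host']:6} {hit['image']:15} {','.join(hit['tags'])}")
        if hit["decoded"]:
            print(f"       decoded: {hit['decoded']}")
```

Each rule on its own is noisy in a real environment (administrators also create scheduled tasks and query WMIC), which is why the output keeps the host, image and decoded payload together: the combination of an encoded, hidden-window PowerShell launch with a task created on the same host is far more interesting than either event alone, and the decoded payload is what an analyst needs to decide whether the activity is administration or intrusion.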
