The government has issued a high alert for a Chinese cyber espionage campaign targeting critical infrastructure sectors that could be hard for network administrators to detect.
Australia and its Five Eyes security counterparts (US, UK, Canada, and New Zealand) squarely put the blame on a Chinese hacking group that Microsoft, which uncovered the widespread malicious activity, has dubbed Volt Typhoon.
The activity is particularly difficult to detect because it uses ‘living off the land’ techniques: rather than dropping malware onto compromised systems, the actor relies on tools already built into Windows to persist, gather information and move through networks over the long term.
In a high alert advisory on Thursday morning, the Australian Cyber Security Centre (ACSC) offered a detailed explanation of the techniques and commands used to gain persistent, undetected access to compromised systems – but it warned that because those commands are ordinary administrative tools, hunting for them is likely to produce false positives.
“Many of the behavioural indicators included can also be legitimate system administration commands that appear in benign activity,” the ACSC advisory said.
“Care should be taken not to assume that findings are malicious without further investigation or other indications of compromise.”
Among the hackers’ commands are simple queries to enumerate local drives and map the network topology, along with PowerShell commands that search the Windows Security event log for successful account logons.
One technique in particular to look out for is the dumping of copies of the Active Directory database file (ntds.dit) and the SYSTEM registry hive, the pair needed to decrypt and crack every domain password hash offline.
The ACSC warns that if network administrators detect both activities, “the entire domain should be considered compromised, as the actor will generally be able to crack the password hashes for domain user accounts, create their own accounts, and/or join unauthorised systems to the domain”.
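The two indicators above only become a confident verdict when they are correlated on the same host, and the advisory's own caveat applies: a backup job will legitimately save the SYSTEM hive or create a shadow copy. The following is an added example (not code from the ACSC advisory or Microsoft's write-up) of that correlation logic run over constructed process-creation (event 4688-style) records. The host names, user names, timestamps and command lines are invented for illustration; the regex patterns cover the generic ways ntds.dit and the SYSTEM hive are copied (ntdsutil's IFM export, copying ntds.dit out of a volume shadow copy, `reg save HKLM\SYSTEM`) and are not the advisory's indicator list.

```python
import re
from collections import defaultdict

# Constructed sample events (NOT real telemetry), one per line:
# <timestamp> <host> <user> <command line as recorded by process-creation auditing>
SAMPLE_EVENTS = [
    "2023-05-25T01:12:03Z DC01 CORP\\svc-backup vssadmin create shadow /for=C:",
    "2023-05-25T01:12:40Z DC01 CORP\\svc-backup cmd.exe /c copy "
    "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\ntds.dit C:\\Windows\\Temp\\nt.dit",
    "2023-05-25T01:13:05Z DC01 CORP\\svc-backup reg save HKLM\\SYSTEM C:\\Windows\\Temp\\sys.hiv",
    "2023-05-25T02:00:00Z WS042 CORP\\jdoe ipconfig /all",
    "2023-05-25T02:00:10Z WS042 CORP\\jdoe netstat -ano",
    "2023-05-25T03:30:00Z FS02 CORP\\admin reg save HKLM\\SYSTEM D:\\backup\\system.bak",
]

# Illustrative patterns for the generic techniques; real hunts should be tuned to
# the environment and to the indicator list in the advisory itself.
PATTERNS = {
    # ntdsutil "... ifm ..." (Install From Media export) or any reference to ntds.dit
    "ntds-dump": re.compile(r"\bntdsutil\b.*\bifm\b|ntds\.dit", re.I),
    # reg save of the SYSTEM hive (holds the boot key needed to decrypt ntds.dit)
    "system-hive": re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\system\b", re.I),
    # shadow copy creation, the usual way to get at a locked ntds.dit
    "shadow-copy": re.compile(r"\bvssadmin(?:\.exe)?\s+create\s+shadow\b", re.I),
    # low-value discovery commands that are also everyday admin activity
    "recon": re.compile(r"^(?:ipconfig|netstat|systeminfo|net(?:\.exe)?\s+(?:user|group|localgroup)|wmic|dnscmd)\b", re.I),
}


def parse_event(line):
    """Split one constructed record into its four fields."""
    ts, host, user, cmdline = line.split(None, 3)
    return {"ts": ts, "host": host, "user": user, "cmdline": cmdline}


def classify(cmdline):
    """Return the set of technique tags a single command line matches."""
    return {tag for tag, rx in PATTERNS.items() if rx.search(cmdline)}


def assess(lines):
    """Correlate tags per host and turn them into a verdict.

    Only the combination of an ntds.dit copy AND a SYSTEM hive copy on the same
    host is treated as a probable domain compromise; a single hit is flagged for
    investigation because it can be legitimate administration.
    """
    per_host = defaultdict(lambda: {"tags": set(), "evidence": []})
    for line in lines:
        ev = parse_event(line)
        tags = classify(ev["cmdline"])
        if tags:
            per_host[ev["host"]]["tags"] |= tags
            per_host[ev["host"]]["evidence"].append(line)

    verdicts = {}
    for host, info in per_host.items():
        tags = info["tags"]
        if {"ntds-dump", "system-hive"} <= tags:
            verdict = "domain-compromise-likely"
        elif tags & {"ntds-dump", "system-hive", "shadow-copy"}:
            verdict = "investigate"
        else:
            verdict = "recon-only"
        verdicts[host] = {"tags": sorted(tags), "verdict": verdict, "evidence": info["evidence"]}
    return verdicts


if __name__ == "__main__":
    for host, result in sorted(assess(SAMPLE_EVENTS).items()):
        print(f"{host}: {result['verdict']} ({', '.join(result['tags'])})")
```

Run against the sample, DC01 is escalated because both artefacts were copied within a minute of each other, FS02 is only flagged for investigation (a lone `reg save` to a backup path is exactly the benign case the advisory warns about), and WS042's discovery commands are recorded but not escalated. In a real deployment the input would come from Sysmon event 1 or Security event 4688 with command-line auditing enabled, and the ntds.dit and SYSTEM hive hits would additionally be matched against file-creation events on the domain controller.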
Microsoft, in its write-up of the hacking campaign, said it was confident that Volt Typhoon “is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises”.
“In this campaign, the affected organisations span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors,” Microsoft said.
“Observed behaviour suggests that the threat actor intends to perform espionage and maintain access without being detected for as long as possible.”
ACSC recommends a series of mitigations including monitoring for processes used in the campaign and checking for “abnormal account activity”.
A full list of mitigations and indicators of compromise can be found on the ACSC advisory page.
Speaking on the ABC on Thursday morning, Home Affairs and Cyber Security Minister Clare O’Neil defended the government’s decision to publicly name the attackers as backed by the Chinese state at a time when diplomatic and trade relations with China are being repaired.
“It's really important for our national security to call out when these things are occurring, and it's incredibly important that we have transparency and are upfront with Australians about that,” O’Neil said.
“That must be the overriding issue on a day like today, and that is why the intelligence agency of the Australian Government has gone ahead and made this distinction.”