
Chinese and Russian Legitimate Tool Attacks Mandate AI-Enabled Cyber Defenses

U.S. government and industry face heightened threats, which calls for enhanced security measures.
Analysis

The U.S. government and companies must expand their use of artificial intelligence security capabilities in the war against cyber breaches and attacks.

In recent testimony, U.S. officials publicly warned of the dire threat of Chinese hackers. FBI Director Christopher Wray told the House Select Committee on the Strategic Competition Between the United States and the Chinese Communist Party they “are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities if or when China decides the time has come to strike.”

A joint cybersecurity advisory highlights how hackers evade detection by abusing built-in network administration tools and processes that blend in with normal Windows system and network activity, a technique called living off the land (LOTL). By using tools typically employed by authorized users instead of deploying malware, the attackers do not generate conventional signature-based indicators of compromise. While Chinese cyber activity in this incident has shifted from espionage to disruption that relies on LOTL techniques in critical systems, the Russians are using the same techniques to destroy the same type of systems in war.

The shift toward LOTL will require a comparable shift from defenders, who will need to use behavioral analytics powered by artificial intelligence (AI) to better detect unusual activity on their networks. AI accelerates large-scale data analysis by collecting and exploring data, understanding characteristics, determining important variables and building data models. Machine learning, as a subfield of AI, trains algorithms on data sets to create the models. AI automatically detects anomalous activities and automatically provides alerts with context. AI-informed response policies can instantaneously contain damage, for instance by letting software directly block actions instead of relying on human interaction. The U.S. government and companies need to step up their implementation of AI-enabled cyber defenses in information technology, Internet of Things and operational technology networks.

LOTL techniques leverage legitimate tools that exist in the operating system, such as PowerShell and Windows Management Instrumentation. Attackers also use dual-use tools, for example, remote administration or network scanning utilities. Unlike malware, which can be flagged by security solutions, the misused tools are normally whitelisted (or allowlisted) for system administrator use. In 2021, some of these tools were seen in Chinese state-sponsored cyber operations, such as Remote Desktop Protocol for external access or PowerShell to conduct network reconnaissance. However, Chinese actors at the time predominantly used malware in the attack chain. For instance, the group APT41, linked to Chinese intelligence, used 46 versions of malware to hack more than 100 companies in the United States and overseas.

Real potential exists for state cyber actors to interrupt American military operations if not detected. Credit: Gorodenkoff/Shutterstock

The discovery in May 2023 of a new Chinese state-sponsored threat actor, Volt Typhoon, in telecommunications systems in Guam and other locations in the United States, represents a concerning example of LOTL in potentially disruptive attacks. Microsoft found that Volt Typhoon rarely uses malware in their activity after penetrating a system; instead, they rely on LOTL techniques. Intrusions in Guam are troubling as its ports and bases would be central to any American military response to an invasion or blockade of Taiwan. Other victims are a water utility in Hawaii, a major West Coast port, at least one oil and gas pipeline, and an attempt to penetrate the Texas power grid. The actor’s choice of targets is not consistent with traditional cyber espionage. While the hidden code could interrupt American military deployments or resupply operations, the impact could be broader as infrastructure that supports military bases supplies nearby houses and businesses of ordinary Americans.

Volt Typhoon uses built-in network administration tools to achieve its objectives, including PowerShell commands to obtain valid user login credentials, the Windows Management Instrumentation command line to gather information about local drives and Impacket to redirect output to a file on the victim system. National Security Agency officials say the two toughest challenges with these techniques are determining that a compromise has occurred and having confidence that the actor was evicted after detection. Federal agencies are still finding victims targeted by Volt Typhoon and making sure to clear out intrusions. Mandiant CEO Kevin Mandia says some victims “won’t know they’re impacted.” Volt Typhoon is seemingly trying to maintain persistence on systems. Jen Easterly, director, Cybersecurity and Infrastructure Security Agency (CISA), testified that Volt Typhoon targeting of critical infrastructure is “to ensure that they can incite societal panic and chaos and to deter our ability to marshal military might and civilian will.”

The use of LOTL to enable cyber operations during active conflicts is already clear in Ukraine. Russian threat actors have exploited built-in system functionality or external tools to conduct malicious actions on compromised systems. Their misuse of Windows-based software includes the legitimate WinRAR program, which is popular in the region, to archive stolen files. In July 2023, analysts from Mandiant, an American cybersecurity company and subsidiary of Google, determined that the Russian General Staff Main Intelligence Directorate (GRU) and other Russian threat clusters were using a repeatable playbook for high-tempo operations. After entering systems by leveraging compromised routers, firewalls and mail servers, they use legitimate tools for reconnaissance, lateral movement and data theft to limit malware exposure before deploying a wiper or other disruptive tool.

Russian actors have used LOTL extensively in their attacks on critical infrastructure. For example, the GRU group Sandworm used Impacket to create a Windows scheduled task or invoke an encoded PowerShell command to execute the Prestige ransomware payload on transportation and logistics systems in Ukraine and Poland. Sandworm also used operational technology-level LOTL techniques to compromise Ukraine’s energy grid, running a native utility to execute unauthorized control commands that switched off substations and caused a power outage that coincided with mass missile strikes on critical infrastructure. Mandiant claimed that by using LOTL techniques, Sandworm decreased the time and resources required to conduct the cyber physical attack.

Ransomware gangs also use LOTL techniques to attack critical sectors without concern over the impact. For instance, the Russian-speaking LockBit 3.0 gang disrupted emergency care at three German hospitals over Christmas weekend. LockBit has compromised computer systems at the Port of Lisbon and the Port of Nagoya, which shut down container operations for days. LockBit relies on legitimate programs in the ransomware attack chain. As an example, LockBit uses PowerShell to execute commands to retrieve an encoded script that creates a backdoor avenue on infected systems and uses the Windows Task Scheduler to execute malicious script commands at specific times or intervals. These scripts help maintain access to the system after reboots or user logins.

Defenders need to change the way they defend against cyber attacks as threat actors shift toward using native tools to steal information and disrupt critical infrastructure. A consistent theme in joint cybersecurity advisories is to identify, detect and investigate abnormal activity. Industry security experts agree on searching for anomalies or outliers, such as users active at unusual times or those employing command interfaces that are uncommon for the environment. Likewise, National Security Agency officials advise cyber defenders to look for abnormalities in patterns of user and computer behavior that could flag malicious activity.
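The anomaly-driven approach described in this paragraph, together with the encoded-PowerShell and scheduled-task tradecraft attributed above to Sandworm and LockBit, can be sketched as detection logic over process-creation telemetry. The Python below is an added example written for this article, not code from the advisories, Mandiant or Microsoft. The events are constructed, the field names (`ts`, `user`, `parent`, `image`, `cmd`) are assumptions about a minimal process-creation record, and the per-user baseline of hours and programs is a deliberately simple stand-in for the machine-learning models the article refers to.

```python
"""Toy behavioral-analytics pass over constructed Windows process-creation events.

Flags the LOTL signals discussed in the article:
  1. base64-encoded PowerShell command lines (-EncodedCommand and its prefixes)
  2. scheduled-task creation via schtasks.exe
  3. processes spawned by WMI (parent WmiPrvSE.exe)
  4. per-user anomalies: activity outside the user's baseline hours, or a
     command interface (image) that user has never been seen running
"""
import base64
import re
from collections import defaultdict
from datetime import datetime

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...),
# so match "-e" plus up to 14 letters, then a base64 run. Decoding as UTF-16LE
# below is what confirms the match; "-ExecutionPolicy Bypass" never decodes.
ENCODED_PS = re.compile(r"(?i)\s-e[a-z]{0,14}\s+([A-Za-z0-9+/=]{16,})")

# Constructed encoded payload for the sample (a harmless cmdlet), built here
# so the example carries no hand-typed base64.
_SAMPLE_ENC = base64.b64encode("Get-Process".encode("utf-16le")).decode()

# Constructed benign history used to build each user's baseline (not real data).
BASELINE_EVENTS = [
    {"ts": "2024-03-01T09:12:00", "user": "alice", "parent": "explorer.exe", "image": "outlook.exe", "cmd": "outlook.exe"},
    {"ts": "2024-03-01T10:40:00", "user": "alice", "parent": "explorer.exe", "image": "excel.exe", "cmd": "excel.exe"},
    {"ts": "2024-03-01T14:05:00", "user": "alice", "parent": "explorer.exe", "image": "outlook.exe", "cmd": "outlook.exe"},
    {"ts": "2024-03-01T08:30:00", "user": "bob", "parent": "explorer.exe", "image": "powershell.exe", "cmd": "powershell.exe"},
    {"ts": "2024-03-01T09:15:00", "user": "bob", "parent": "explorer.exe", "image": "mmc.exe", "cmd": "mmc.exe"},
    {"ts": "2024-03-01T11:00:00", "user": "bob", "parent": "explorer.exe", "image": "cmd.exe", "cmd": "cmd.exe"},
]

# Constructed events to triage (not real telemetry).
NEW_EVENTS = [
    {"ts": "2024-03-04T10:05:00", "user": "alice", "parent": "explorer.exe", "image": "excel.exe", "cmd": "excel.exe"},
    {"ts": "2024-03-04T02:13:00", "user": "alice", "parent": "cmd.exe", "image": "powershell.exe",
     "cmd": f"powershell.exe -NoProfile -enc {_SAMPLE_ENC}"},
    {"ts": "2024-03-04T11:30:00", "user": "bob", "parent": "cmd.exe", "image": "schtasks.exe",
     "cmd": 'schtasks.exe /create /tn "Updater" /tr "cmd.exe /c hostname" /sc minute /mo 30'},
    {"ts": "2024-03-04T08:20:00", "user": "bob", "parent": "WmiPrvSE.exe", "image": "cmd.exe", "cmd": "cmd.exe /c hostname"},
]


def decode_encoded_powershell(cmd):
    """Return the decoded script if cmd carries a base64 UTF-16LE payload, else None."""
    m = ENCODED_PS.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def build_profiles(events):
    """Per-user baseline: hours of day seen and images (command interfaces) seen."""
    profiles = defaultdict(lambda: {"hours": set(), "images": set()})
    for ev in events:
        prof = profiles[ev["user"]]
        prof["hours"].add(datetime.fromisoformat(ev["ts"]).hour)
        prof["images"].add(ev["image"].lower())
    return dict(profiles)


def score_event(ev, profiles):
    """Return the list of findings for one event; an empty list means nothing unusual."""
    findings = []
    image, parent, cmd = ev["image"].lower(), ev["parent"].lower(), ev["cmd"]
    decoded = decode_encoded_powershell(cmd)
    if decoded is not None:
        findings.append(f"encoded PowerShell: {decoded!r}")
    if image == "schtasks.exe" and re.search(r"(?i)/create", cmd):
        findings.append("scheduled task creation")
    if parent == "wmiprvse.exe":
        findings.append("process spawned via WMI")
    prof = profiles.get(ev["user"])
    hour = datetime.fromisoformat(ev["ts"]).hour
    if prof is None:
        findings.append("unknown user (no baseline)")
    else:
        if hour not in prof["hours"]:
            findings.append(f"activity at unusual hour {hour:02d}")
        if image not in prof["images"]:
            findings.append(f"first use of {image} by this user")
    return findings


def triage(events, profiles):
    """Map event index -> findings, keeping only events worth an analyst's attention."""
    result = {}
    for i, ev in enumerate(events):
        findings = score_event(ev, profiles)
        if findings:
            result[i] = findings
    return result


if __name__ == "__main__":
    for idx, hits in triage(NEW_EVENTS, build_profiles(BASELINE_EVENTS)).items():
        ev = NEW_EVENTS[idx]
        print(f"[{ev['ts']}] {ev['user']} {ev['image']}: " + "; ".join(hits))
```

The baseline here is a plain set of hours and programs per user; a production system would learn it over weeks, weight rare-but-legitimate admin activity, and combine the per-event findings into a score rather than a list. The point the example makes is structural: none of the four checks depends on a malware hash, so they keep working when the attacker brings nothing but the operating system's own tools.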

Microsoft's approach suggests that instead of looking for indicators of compromise alone, a more effective way to defeat LOTL attacks is to search for indicators of attack. For instance, Microsoft Defender for Endpoint (MDE) sends suspicious but previously undetected activity to the Microsoft cloud, which applies machine learning to determine whether the activity is malicious or not a threat. Microsoft Defender Antivirus (MDAV) also detects post-compromise activity. MDAV uses attack surface reduction rules to block credential stealing, process creations originating from PsExec and WMI commands, and potentially obfuscated scripts. MDE/MDAV agents are typically deployed on servers, laptops, tablets and mobile devices. Meanwhile, Microsoft Defender for IoT is a security monitoring solution for enterprise Internet of Things and operational technology devices. It leverages behavioral analytics and threat intelligence to catch LOTL tactics missed by static indicators of compromise. For Internet of Things, sensors are deployed on routers, switches, cameras and printers; for operational technology, sensors are deployed on industrial control systems.

A new joint cybersecurity advisory reveals that Volt Typhoon had access to some of its victims’ computer networks for “at least five years.” Just as alarming is that Russian government cyber actors have penetrated control rooms of U.S. electric utilities, where they “got to the point where they could have thrown switches” to disrupt power flows. The potential for these state actors to wreak havoc and interrupt American military operations is real if they are not detected. Joint guidance provides mitigations applicable to LOTL activity, regardless of threat actor, including “leveraging machine learning anomaly detection capabilities.” A number of security firms are employing platform-centric architectures, including AI-powered tools in cloud-delivered protections. Surveys indicating that AI security capabilities shorten the time to identify a breach and reduce its cost provide evidence of a significant return on investment. The U.S. government and companies can follow a series of steps to expand their use, including choosing to invest in them, working with vendors to implement them and ensuring their incident response policies capitalize on AI-powered behavioral analytics.


Dr. Scott Jasper is a senior lecturer in the National Security Affairs Department at the Naval Postgraduate School and the author of "Russian Cyber Operations: Coding the Boundaries of Conflict" by Georgetown University Press.

The views presented are those of the author and do not necessarily represent the views of the Department of Defense, the Department of the Navy, or the Naval Postgraduate School.
