The cyber criminals who don’t want you to know they’re there

The UK’s National Cyber Security Centre (NCSC) has issued a timely reminder about state-sponsored attackers hanging out for long periods on critical infrastructure, writes Ryan Bell, senior manager of threat intelligence research at Corvus.

The tactic, known as living off the land (LOTL), or living off the orchard, if you’re talking macOS environments, has been a modus operandi of state actors for many years. However, the threat has recently been eclipsed by high-profile attacks using ransomware, which rose to a record level in 2023, Corvus data shows.

Unlike for-profit cyber criminals, whose tactics are often reminiscent of smash-and-grab-type shoplifters, state actors are more inclined to fly under the radar and take their time.

The benefits for cyber “lurkers” include the ability to siphon off information over a long period. The attack method also enables them to position themselves strategically, ready to escalate their activity, for example, if conflict between their backer and the target’s host nation breaks out. LOTL tactics also mean threat actors can strike without investing in developing their own cyber weaponry. One such group identified is Chinese state-backed Volt Typhoon, whose victims have included communications, energy, transportation, water and wastewater utilities, according to a report co-authored by state agencies in the US, Canada, the UK and Australasia.

Attackers manage to lurk undetected by deploying regular software that is either already used by the target, or may be legitimately used, such as remote monitoring and management tools. Many organisations lack systems that enable this type of activity to be detected and distinguished from regular user activity, making a threat actor’s job easier. Once in, attackers can manipulate settings to allow them to stay on the system without triggering alarm bells. As the state agencies’ report notes, they use LOTL tactics in multiple IT environments, including on-premises networks, cloud, hybrid, Windows, Linux and macOS.

Chief information security officers (CISOs) assessing their protocols should keep in mind that LOTL attacks are unevenly distributed by sector. For some businesses, this form of attack remains unlikely.

However, as the NCSC warned, critical infrastructure companies are highly targeted. So too are R&D-heavy businesses such as technology companies and biotech firms. China’s Five-Year Plans, the most recent of which was published in 2021, provide a helpful indication of which sectors should remain on alert. Currently, low-carbon technologies are high on the agenda, alongside innovation in general, with aerospace, biotech, neuroscience, AI, quantum computing and semiconductors specifically mentioned.

Key actions to stave off such attacks include protecting the perimeter of the IT environment, including ensuring internet-exposed software is up to date. Phishing-resistant multi-factor authentication is also vital, as are internal or external detection and response capabilities that are appropriate to the individual business. These include our Corvus Signal solution, which helps clients tailor their security controls to their own risk profiles and ensures they are investing for maximum impact. Whoever the provider, it’s important, too, that detection and response capabilities be configured to enable CISOs to distinguish the signal from the noise amid the vast number of alerts generated.

It is also crucial to know what normal activity looks like in order to identify anything that does not fit that pattern. If, for example, Bob in IT suddenly appears to be logging on at 2.00 am from an unfamiliar geographic region, the problem may not be employee insomnia or a sudden travel bug. Behaviour analytics are an important tool in this regard.
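As an added illustration of the baseline-and-deviation logic behind that example (code written for this page, not Corvus's own tooling), the sketch below learns each user's usual sign-in hours and source countries from a set of constructed sample records and flags later sign-ins that fall outside them; the one-hour slack around observed hours and the country field are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in records (user, UTC timestamp, source country), not taken from the article.
BASELINE_EVENTS = [  # the observation window used to learn each user's normal pattern
    ("bob", "2024-03-04T08:55:00", "GB"),
    ("bob", "2024-03-05T09:10:00", "GB"),
    ("bob", "2024-03-06T17:45:00", "GB"),
    ("bob", "2024-03-07T12:20:00", "GB"),
    ("alice", "2024-03-04T23:30:00", "US"),
    ("alice", "2024-03-06T01:15:00", "US"),
]
NEW_EVENTS = [  # later sign-ins to be judged against that baseline
    ("bob", "2024-03-11T09:02:00", "GB"),    # consistent with baseline
    ("bob", "2024-03-12T02:00:00", "GB"),    # the 2.00 am login from the article
    ("bob", "2024-03-12T02:05:00", "RO"),    # unusual hour and an unseen country
    ("alice", "2024-03-11T01:40:00", "US"),  # normal for a night-shift user
    ("carol", "2024-03-11T10:00:00", "FR"),  # no history at all
]


def build_baseline(events):
    """Per-user sets of login hours (UTC) and countries seen in the baseline window."""
    profile = defaultdict(lambda: {"hours": set(), "countries": set()})
    for user, ts, country in events:
        profile[user]["hours"].add(datetime.fromisoformat(ts).hour)
        profile[user]["countries"].add(country)
    return profile


def hour_is_typical(hour, seen_hours, slack=1):
    """True if `hour` is within `slack` hours of any baseline hour, wrapping at midnight."""
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= slack for h in seen_hours)


def find_anomalies(events, profile):
    """Return (user, timestamp, reasons) for every event that departs from the user's baseline."""
    findings = []
    for user, ts, country in events:
        reasons = []
        if user not in profile:  # membership test does not create a default entry
            reasons.append("no baseline for user")
        else:
            hour = datetime.fromisoformat(ts).hour
            if not hour_is_typical(hour, profile[user]["hours"]):
                reasons.append(f"unusual hour {hour:02d}:00 UTC")
            if country not in profile[user]["countries"]:
                reasons.append(f"unseen country {country}")
        if reasons:
            findings.append((user, ts, reasons))
    return findings
```

Calling `find_anomalies(NEW_EVENTS, build_baseline(BASELINE_EVENTS))` flags Bob's two 2.00 am sign-ins and Carol's sign-in with no history, while Alice's overnight sign-in passes because it matches her own established pattern.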

Cyber attackers are honing and developing their methods at alarming speed, but potential victims should neither succumb to panic nor lose sight of existing risk exposures and attack strategies, such as LOTL strikes, as new techniques rear their heads.

That’s all the more important given that in the insurance sector a debate is still raging about the insurability of critical infrastructure attacks, as Munich Re CEO Joachim Wenning recently made abundantly clear.

LOTL incursions are likely to become more common as geopolitical tensions rise and critical infrastructure becomes increasingly automated.

To fight those criminals hiding in plain sight, companies should remain assiduous about good cyber hygiene. They should also keep abreast of changes in their individual risk postures in order to implement the cybersecurity enhancements most critical to their needs.