Staying hidden - the name of the game
Staying hidden is the name of the game. Especially if you target critical infrastructure.
The US-based Cybersecurity and Infrastructure Security Agency (CISA) and several other public and private sector partners (including Palo Alto Networks) are warning about a nation-state threat actor attributed to China. Called Volt Typhoon, this actor is “living off the land”, i.e. it uses built-in, legitimate network administration tools to target and infiltrate critical infrastructure companies across the world.
This allows the actor to evade detection by blending in with normal Windows system and network activities.
Also worth noting is the actor's reliance on Windows and Active Directory to facilitate reconnaissance and lateral movement.
As seen in this case, threat actors are becoming more “careful” and evasive, which raises the importance of correlated detection rules and of telemetry obtained by EDR/XDR technology implemented across all assets.
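The point about correlation is easy to miss: any one of these built-in tools is normal on a Windows host, so a per-event rule either fires constantly or not at all. The example below is added here to illustrate that idea; it is not code from the original post, from CISA or from Palo Alto Networks. It slides a time window over constructed process-creation telemetry and alerts only when one user on one host runs several distinct built-in administration tools within a few minutes. The tool list, the ten-minute window, the threshold of three, and the pipe-delimited log format are all assumptions chosen for the illustration.

```python
"""Added example: correlating process-creation telemetry to surface
living-off-the-land reconnaissance. Not code from the page or any vendor."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: built-in Windows administration tools that are legitimate in
# isolation but telling when several appear together in a short window.
# Tune this set to what is normal in your own environment.
LOLBIN_RECON = {
    "net.exe", "nltest.exe", "wmic.exe", "netsh.exe", "dsquery.exe", "ipconfig.exe",
}

# Constructed sample telemetry (not real data). Format, also an assumption:
#   timestamp|host|user|parent_image|image
SAMPLE_TELEMETRY = [
    "2023-05-24T09:00:00|WS01|alice|explorer.exe|net.exe",        # one-off, benign
    "2023-05-24T09:01:00|SRV02|svc_backup|cmd.exe|net.exe",       # burst begins
    "2023-05-24T09:03:30|SRV02|svc_backup|cmd.exe|nltest.exe",
    "2023-05-24T09:04:10|SRV02|svc_backup|cmd.exe|wmic.exe",
    "2023-05-24T09:05:00|SRV02|svc_backup|cmd.exe|net.exe",
    "2023-05-24T09:00:00|WS03|bob|cmd.exe|wmic.exe",              # spread over hours:
    "2023-05-24T10:30:00|WS03|bob|cmd.exe|net.exe",               # never three in a
    "2023-05-24T12:00:00|WS03|bob|cmd.exe|nltest.exe",            # single window
]


def parse_event(line):
    """Parse one pipe-delimited telemetry line into a dict."""
    ts, host, user, parent, image = line.strip().split("|")
    return {
        "ts": datetime.fromisoformat(ts),
        "host": host,
        "user": user,
        "parent": parent.lower(),   # kept for analyst context, not used by the rule
        "image": image.lower(),
    }


def correlate(events, window=timedelta(minutes=10), threshold=3):
    """Alert when one (host, user) pair runs >= `threshold` distinct tools from
    LOLBIN_RECON within `window`. Returns at most one alert per pair."""
    by_key = defaultdict(list)
    for e in events:
        if e["image"] in LOLBIN_RECON:
            by_key[(e["host"], e["user"])].append(e)

    alerts = []
    for (host, user), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, e in enumerate(evs):
            # Advance the window start until it fits within `window` of this event.
            while e["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {x["image"] for x in evs[start:end + 1]}
            if len(distinct) >= threshold:
                alerts.append({
                    "host": host,
                    "user": user,
                    "first": evs[start]["ts"],
                    "last": e["ts"],
                    "tools": sorted(distinct),
                })
                break
    return alerts


def run_detection(lines=SAMPLE_TELEMETRY):
    """Parse the telemetry lines and return the correlated alerts."""
    return correlate([parse_event(line) for line in lines])


if __name__ == "__main__":
    for alert in run_detection():
        print(f"{alert['host']} / {alert['user']}: {', '.join(alert['tools'])} "
              f"between {alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S}")
```

Run as-is, only the SRV02 burst is reported: alice's single `net.exe` and bob's three tools spread across three hours stay below the threshold, which is the behaviour a per-event rule cannot give you. In production the same logic would sit on top of the EDR/XDR process telemetry, with the tool set and thresholds baselined against what administrators on that host class actually run.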
Learn more about the tactics and techniques used by this threat actor - click here.