12:00am, 8 February 2024
PRC-sponsored Volt Typhoon activity and supplemental living off the land guidance
The National Cyber Security Centre (NCSC) has joined international partners in publishing two joint guidance documents:
What's happening
Systems affected
The joint guidance, Identifying and mitigating living off the land (LOTL), outlines common techniques and gaps in cyber defence capabilities. It provides guidance for network defenders to detect and hunt for LOTL activity and mitigate associated risks.
Authoring agencies released this joint advisory for network defenders, including threat hunters, following identification of cyber threat actors — including state-sponsored actors from the People’s Republic of China (PRC) and the Russian Federation — using LOTL techniques in compromised critical infrastructure organisations.
The joint advisory, PRC state-sponsored actors compromise and maintain persistent access to U.S. critical infrastructure, urges critical infrastructure organisations to apply the outlined mitigations and hunt for malicious activity in parallel with the LOTL guidance.
What this means
The authoring agencies strongly urge critical infrastructure organisations to follow the prioritised best practice security measures and detection guidance to hunt for potential LOTL activity. These recommendations form part of a broader cybersecurity strategy designed to support more effective data correlation and analysis.
What to look for
How to tell if you're at risk
The advisory outlines how LOTL techniques have been used to compromise critical infrastructure. IT and OT administrators in critical infrastructure organisations should review the guidance to identify signs of exposure or unauthorised access within their environments.
What to do
Prevention
Organisations should apply the mitigations listed in both advisories to reduce the likelihood and impact of future compromises or to detect and respond to malicious activity if it has already occurred.
Following this guidance will help disrupt Volt Typhoon’s access and reduce threats to critical infrastructure entities.
If activity is identified, organisations are strongly encouraged to apply the incident response recommendations and report the incident to incidents@ncsc.govt.nz.
More information