Australian Organisations Take Note: Countering PRC State-Sponsored Cyber Threats

The Australian Cyber Security Centre (ACSC) is urging Australian organisations to be vigilant against cyberattacks by state-sponsored actors of the People’s Republic of China (PRC). A joint Cybersecurity Advisory (CSA) issued in February by the ACSC, alongside its international counterparts, including the US, UK and NZ, highlights a concerning trend: PRC actors are compromising and maintaining persistent access (persistence) within US critical infrastructure networks. While the advisory focuses on US infrastructure, the ACSC warns that Australian organisations need to be prepared for similar tactics.

The Stealthy Infiltration: Living off the Land.

The advisory sheds light on a particularly concerning tactic employed by these actors – “living off the land” (LotL). LotL involves leveraging legitimate system administration tools and functions like Windows PowerShell to perform malicious activities. This technique allows attackers to evade detection because their actions blend in with normal network activity.

Countering LotL: Shining a Light on the Shadows.

Here’s how Australian organisations can counter LotL:

• Heightened Network Monitoring: Increase monitoring for unusual activity within your network. Look for anomalies in typical user behaviour, particularly administrative accounts. Tools that can help include User Entity and Behaviour Analytics (UEBA) and Security Information and Event Management (SIEM) solutions.
• Endpoint Detection and Response (EDR): Implement EDR solutions that can detect and respond to suspicious activity on user endpoints (laptops, desktops, etc.) EDR solutions can monitor the use of legitimate tools for malicious purposes.
• Inventory and Harden Systems: Regularly scan your IT environment for vulnerabilities. Disable all unnecessary functionalities and patch systems with the latest cyber security updates. This reduces your attack surface and comprises two of the ACSC Essential 8.
• Administrative Account Controls: Implement stricter controls around administrative and other “privileged” accounts. These accounts should be used sparingly and only for authorised purposes. Multi-factor authentication (MFA) should be mandatory for all administrative access, in fact, for all user accounts as specified in the Essential 8.
• Educate Staff: Train your staff to be vigilant against social engineering attacks. Attackers commonly use phishing emails and suspicious links to gain initial access to a network. Educate employees on how to identify and report these attempts.

Maintaining Persistence: Locking the Backdoor.

The advisory warns that once initial access is gained, PRC actors attempt to establish persistence within the network. This allows them to maintain long-term access and launch future attacks. Countering Persistence: Segmentation and Detection Here are some measures to counter persistence tactics:

• Network Segmentation: Segment your network to limit the lateral movement of attackers within your system. This essentially divides your network into smaller zones, making it more difficult for attackers to access critical resources.
• Least Privilege Access: Implement the principle of least privilege. Grant users only the minimum level of access required to perform their jobs. This reduces the potential damage an attacker can cause if they compromise a user account.
• Regular Security Audits: Conduct regular security audits to identify and remediate any vulnerabilities within your network. Penetration testing and Breach Attack Simulation can help identify weaknesses in your defences.

Beyond the Technical: Continuous Vigilance.

While the focus has been on technical countermeasures, it’s crucial to emphasise the importance of continuous cyber threat intelligence. Leverage resources from the ACSC like this advisory on identifying and mitigating LotL techniques, and sign up for their partner program. If you find all this overwhelming, Macquarie Government can help! We’ve been protecting Australian Government agencies and the businesses that support them for over 20 years. Leverage our experience by getting in touch using the form below.