The Canadian Centre for Cyber Security (the Cyber Centre) has joined the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the following international partners in releasing a cyber security advisory on PRC state-sponsored actors malicious cyber activity targeting critical infrastructure using living off the land (LOTL) techniques:
- Australian Cyber Security Centre (ACSC)
- New Zealand National Cyber Security Centre (NCSC-NZ)
- United Kingdom (UK) National Cyber Security Centre (NCSC-UK)
This joint cyber security advisory, PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure, warns that PRC state-sponsored cyber actors are seeking to pre-position for disruptive or destructive cyber attacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States. CISA and the Cyber Centre have released this guidance alongside the ASCS and the NCSC-UK.
The Cyber Centre assesses that the direct threat to Canada's critical infrastructure from PRC state-sponsored actors is likely lower than that to U.S. infrastructure, but should U.S. infrastructure be disrupted, Canada would likely be affected as well, due to cross-border integration.
Accompanying guidance has also been released by CISA, NSA, ACSC, and NCSC-UK. Identifying and Mitigating Living Off the Land provides insight into techniques and common gaps in network defence capabilities.
Cyber threat actors leveraging LOTL abuse native tools and processes on systems. They use LOTL in multiple IT environments, including on-premises, cloud and hybrid. LOTL enables cyber threat actors to conduct their operations discreetly as they can camouflage activity with typical system and network behaviour, potentially circumventing basic endpoint security capabilities.
We are releasing this joint guidance for network defenders (including threat hunters) due to the identification of cyber threat actors, including the People’s Republic of China (PRC) and Russian Federation state-sponsored actors, using LOTL in compromised critical infrastructure organizations.
Read the joint guidance and advisory: