Living-off-the-land (LOTL) attacks

21 - Aug 2023

Following the recent assault of the “Volt Typhoon” group on US infrastructure, it’s time for us to talk about living-off-the-land (LOTL) attack techniques that hackers use and how Level 0 can outsmart them.

“Volt Typhoon” is a Chinese state-sponsored malicious actor that is preparing the ground for future world crises by developing powerful hacking capabilities meant to cause serious disruption to opponents, whether in North America or Asia.

Microsoft has released a fascinating article (link below) about this group’s attack techniques, from data collection to exfiltration, all the way to obtaining valid credentials to gain access to the system and establish their living-off-the-land strategy.

Microsoft’s report addresses serious issues in terms of exploitation: signature-matching solutions fail to detect hostile actions against the systems, and so fail to protect critical infrastructure. In these attacks, the attacker is well established in the system and is using LOTL techniques. LOTL is a form of attack that uses fileless malware and exploits local, legitimate tools within the compromised system to carry out the attack. This makes it harder for security products to detect the attack as it unfolds. The report, however, overlooks another pressing issue for critical infrastructure: the possible use of living-off-the-land techniques in the Operational Technology (OT) environment.

The living-off-the-land tactic that “Volt Typhoon” has employed (like many other malicious actors) requires a rethink in terms of OT cybersecurity. We must ask ourselves the following questions: how can we protect our critical assets, bearing in mind that any of the devices we use can be infected with malicious code? If the attackers can easily infiltrate our systems and introduce their changes while going unnoticed, how can we spot them?

Although the questions above are hard to answer, there is one answer, rather simple to implement, that could significantly change the power balance between the assaulter and the assaulted. Picture yourselves having the ability to perform “X-ray” scans of your plant at any given moment, to spot any change, even the slightest one. Given that ability, you could monitor the plant’s performance and set the scans to alert on detected anomalies, so that the plant’s engineers can mitigate the threat.

Now, forget about just picturing it, and begin envisioning it with Level 0.

While the attacker can target any of the plant’s machines, operators who capitalize on Level 0, and more specifically on the electrical signals stemming directly from the critical assets in the production plant, can detect any deviation from the required parameters, while also receiving clear indications as to which I/Os have been experiencing changes. Whilst no solution can prevent hackers from using the LOTL method, Level 0 can ensure that every action a hacker takes is monitored and reported, providing operators with the information they require to avert cyberattacks.
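As an added illustration of the “X-ray scan” idea described above (example code written for this post, not Level 0’s product), the snippet below checks each I/O’s physical signal reading against the engineered parameters and against a known-good baseline, and reports exactly which I/Os deviated. All I/O names, ranges and readings are constructed.

```python
from dataclasses import dataclass

# Constructed I/O specifications: what the plant engineers consider acceptable.
# Analog loops are 4-20 mA current loops; digital points are contact states (0/1).
IO_SPECS = {
    "AI_pump1_flow":   {"kind": "analog", "low": 4.0, "high": 20.0, "drift": 1.5},
    "AI_tank_level":   {"kind": "analog", "low": 4.0, "high": 20.0, "drift": 1.0},
    "DI_valve7_open":  {"kind": "digital", "expected": 1},
    "DO_breaker_trip": {"kind": "digital", "expected": 0},
}

@dataclass(frozen=True)
class Anomaly:
    io: str
    reason: str
    value: float

def xray_scan(specs, baseline, readings):
    """One 'X-ray' pass over the physical layer: compare each I/O's electrical
    reading with its engineered parameters and with the last known-good snapshot,
    and return the list of I/Os that changed, with the reason."""
    findings = []
    for name, spec in specs.items():
        if name not in readings:
            findings.append(Anomaly(name, "no signal", float("nan")))
            continue
        value = readings[name]
        if spec["kind"] == "analog":
            if not spec["low"] <= value <= spec["high"]:
                findings.append(Anomaly(name, "outside engineered range", value))
            elif abs(value - baseline.get(name, value)) > spec["drift"]:
                findings.append(Anomaly(name, "drifted from baseline", value))
        else:
            if value != spec["expected"]:
                findings.append(Anomaly(name, "unexpected state", value))
            elif name in baseline and value != baseline[name]:
                findings.append(Anomaly(name, "state changed since baseline", value))
    return findings

# Constructed snapshots: a known-good baseline, and a later scan in which the
# controller (however it was reached) has tripped the breaker and the pump loop
# reads well away from its usual value. Neither change relies on a file or
# signature that a host-based product could match on.
BASELINE = {"AI_pump1_flow": 12.0, "AI_tank_level": 9.5, "DI_valve7_open": 1, "DO_breaker_trip": 0}
CURRENT = {"AI_pump1_flow": 15.0, "AI_tank_level": 9.7, "DI_valve7_open": 1, "DO_breaker_trip": 1}

if __name__ == "__main__":
    for a in xray_scan(IO_SPECS, BASELINE, CURRENT):
        print(f"{a.io}: {a.reason} (reading={a.value})")
```

Running it flags AI_pump1_flow as drifted from baseline and DO_breaker_trip as being in an unexpected state, while the other two I/Os pass.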

Cybersecurity is all about outsmarting your opponents. So while hacker groups constantly evolve and take advantage of vulnerabilities in OT systems worldwide, Level 0 is the critical infrastructure engineers’ sophisticated protection tool: it outsmarts malicious hackers by visualizing the activity in the physical systems at any given moment to detect anomalies.

Hackers living-off-your-land? Monitor their actions at any given moment to counter their attacks and safeguard your critical operations. Elevate your OT cybersecurity to Level 0.

#otcybersecurity #Level0OTresilience

Link to Microsoft’s report: