National Cyber Security Centre

NCSC and partners issue warning about state-sponsored cyber attackers hiding on critical infrastructure networks

GCHQ’s National Cyber Security Centre and partners share details of how threat actors are using built-in tools to camouflage themselves on victims’ systems.

  • New joint advisory and guidance reveal state-sponsored actors are among attackers using ‘living off the land’ techniques to persist on critical infrastructure networks
  • UK critical infrastructure operators urged to follow advice to help detect and mitigate malicious activity

The UK and its allies yesterday (Wednesday) issued a fresh warning to critical infrastructure operators about the threat from cyber attackers using sophisticated techniques to camouflage their activity on victims’ networks.

The National Cyber Security Centre – a part of GCHQ – and agencies in the US, Australia, Canada and New Zealand have detailed how threat actors have been exploiting native tools and processes built into computer systems to gain persistent access and avoid detection.

This kind of tradecraft, known as ‘living off the land’, allows attackers to operate discreetly: malicious activity blends in with legitimate system and network behaviour, making it difficult to differentiate, even for organisations with more mature security postures.

The NCSC assesses it is likely this type of activity poses a threat to UK critical national infrastructure and so all providers are urged to follow the recommended actions to help detect compromises and mitigate vulnerabilities.

The new ‘Identifying and Mitigating Living Off The Land’ guidance warns that China state-sponsored and Russia state-sponsored actors are among the attackers that have been observed living off the land on compromised critical infrastructure networks.

Meanwhile, a separate advisory shares specific details about China state-sponsored actor Volt Typhoon which has been observed using living off the land techniques to compromise US critical infrastructure systems.

The Deputy Prime Minister Oliver Dowden said:

“In this new dangerous and volatile world where the frontline is increasingly online, we must protect and future proof our systems.

“Earlier this week, I announced an independent review to look at cyber security as an enabler to build trust, resilience and unleash growth across the UK economy.

“By driving up the resilience of our critical infrastructure across the UK we will defend ourselves from cyber attackers that would do us harm.”

Paul Chichester, NCSC Director of Operations, said:

“It is vital that operators of UK critical infrastructure heed this warning about cyber attackers using sophisticated techniques to hide on victims’ systems.

“Threat actors left to carry out their operations undetected present a persistent and potentially very serious threat to the provision of essential services.

“Organisations should apply the protections set out in the latest guidance to help hunt down and mitigate any malicious activity found on their networks.”

The new advisory and joint guidance provide an update to a warning issued last May about China state-sponsored activity seen against critical infrastructure networks in the US that could be used against networks worldwide.

They include the latest advice to help network defenders identify living off the land activity and to mitigate and remediate if a compromise is detected.

While organisations should ensure they adopt a defence-in-depth approach as part of cyber security best practice, the 'Identifying and Mitigating Living Off The Land' guidance provides priority recommendations, which include:

  1. Implementing logging and aggregating logs in an out-of-band, centralised location
  2. Establishing a baseline of network, user and application activity and using automation to continually review all logs and compare activity against that baseline
  3. Reducing alert noise
  4. Implementing application allow listing
  5. Enhancing network segmentation and monitoring
  6. Implementing authentication controls
  7. Leveraging user and entity behaviour analytics (UEBA)
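The second recommendation above, baselining activity and automatically comparing new logs against it, is the one most easily shown in code. The following is an added example and is not NCSC code or anything taken from the guidance itself. The event format, the host and user names, every log line and the watchlist of built-in binaries are constructed for the illustration; real telemetry (Windows Security event 4688, Sysmon event 1, Linux auditd execve records) carries the same fields under other names.

```python
"""Baseline-and-compare detection of living-off-the-land activity.

Added illustration, not NCSC code. The event format and every log line below
are constructed for the example.
"""
from collections import Counter

# Built-in binaries that are frequently abused precisely because they are
# already present on the host. Illustrative watchlist, not an exhaustive one.
LOTL_WATCHLIST = {
    "ntdsutil.exe", "netsh.exe", "wmic.exe", "certutil.exe",
    "powershell.exe", "reg.exe", "vssadmin.exe", "psexec.exe",
}

# Constructed process-creation events: "host user parent image [args...]".
# The baseline window is a period the organisation believes was clean.
BASELINE_LOG = """\
ws01 alice explorer.exe outlook.exe
ws01 alice explorer.exe winword.exe /n report.docx
ws01 alice explorer.exe chrome.exe
ws01 alice explorer.exe chrome.exe
srv01 svc_backup svchost.exe wbadmin.exe start backup
srv01 svc_backup svchost.exe wbadmin.exe start backup
ws02 bob explorer.exe excel.exe
ws02 bob explorer.exe teams.exe
"""

# Constructed review window: two living-off-the-land style executions are
# mixed in with ordinary user activity.
REVIEW_LOG = """\
ws01 alice explorer.exe outlook.exe
ws01 alice cmd.exe netsh.exe interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5 connectport=3389
srv01 svc_backup svchost.exe wbadmin.exe start backup
ws02 bob cmd.exe ntdsutil.exe ac i ntds ifm
ws02 bob explorer.exe excel.exe
ws02 bob explorer.exe notepad.exe
"""


def parse_events(text):
    """Parse one event per line into dicts; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 4:
            continue  # malformed line: ignore rather than crash the pipeline
        host, user, parent, image = parts[:4]
        args = parts[4] if len(parts) == 5 else ""
        events.append({"host": host, "user": user, "parent": parent,
                       "image": image.lower(), "args": args})
    return events


def build_baseline(events, min_count=1):
    """Known-good (user, parent, image) tuples seen at least min_count times.

    Raising min_count keeps one-off executions in the baseline window from
    being treated as normal forever; it trades a few extra alerts for not
    baking an attacker's early activity into the baseline.
    """
    counts = Counter((e["user"], e["parent"], e["image"]) for e in events)
    return {key for key, n in counts.items() if n >= min_count}


def find_deviations(events, baseline, watchlist=LOTL_WATCHLIST):
    """Return events whose (user, parent, image) never appeared in the baseline.

    Deviations involving a watchlisted built-in are labelled 'high' so analysts
    look at them first; everything else is 'low' for later triage. This is the
    simple form of the alert-noise reduction the guidance asks for.
    """
    findings = []
    for e in events:
        key = (e["user"], e["parent"], e["image"])
        if key in baseline:
            continue
        severity = "high" if e["image"] in watchlist else "low"
        findings.append({**e, "severity": severity})
    return findings


def run_example(min_count=1):
    """Build the baseline from BASELINE_LOG and review REVIEW_LOG against it."""
    baseline = build_baseline(parse_events(BASELINE_LOG), min_count)
    return find_deviations(parse_events(REVIEW_LOG), baseline)


if __name__ == "__main__":
    for f in run_example():
        print(f"[{f['severity']}] {f['host']} {f['user']} "
              f"{f['parent']} -> {f['image']} {f['args']}")
```

Run as written, the review window produces two high-severity findings (the netsh portproxy and the ntdsutil execution, both launched from cmd.exe, a parent never seen for those users) and one low-severity finding (notepad.exe). Note that the baseline key is the triple of user, parent and image rather than the image alone: wbadmin.exe is entirely normal for the backup service account from svchost.exe, and the same binary run interactively by a user from cmd.exe would still be flagged. The comparison only works if the logs feeding it are complete and kept out of band, which is why the first recommendation precedes this one.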