The National Security Agency (NSA) and Central Security Service (CSS) this week released a threat advisory which highlights a cluster of activity being attributed to a China state-sponsored threat group.

The Cybersecurity and Infrastructure Security Agency (CISA), NSA and Federal Bureau of Investigation (FBI), along with the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the Communications Security Establishment’s Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ) and the United Kingdom National Cyber Security Centre (NCSC-UK) published a Joint Cybersecurity Advisory on May 24, that shares technical details regarding malicious activity by a People’s Republic of China (PRC) state-sponsored cyber actor. The advisory provides new insights into the specific tactics, techniques and procedures used by PRC cyber actors to gain and maintain persistent access into critical infrastructure networks.

The advisory highlights how PRC cyber actors use techniques called living off the land to avoid detection. By using legitimate network administration tools, the actor blends in with normal system and network activities, avoid identification by many endpoint detection and response (EDR) products and limit the amount of activity that is captured in common logging configurations.