On 7 February 2024, several international government agencies released a joint advisory detailing how state-sponsored actors are achieving persistent access to U.S. critical infrastructure. Their findings correlate observed behavior from several sophisticated hacking entities over the last two years, highlighting the prevalence of Living off the Land (LOTL) techniques as both a favored initial access vector and a challenge for network defenders. Network-based attacks of this nature are particularly alarming for the space industry because of its complex network topology and the ongoing digitization of ground stations, driven by the widespread adoption of the ground station-as-a-service (GSaaS) framework.

The adoption of LOTL techniques has gained traction in recent years, underscored by their use in several high-profile campaigns conducted since 2021. In many instances, threat groups are employing these tactics to gain persistent access to IT networks in preparation for disruptive cyberattacks against critical infrastructure, as stated by officials at the Cybersecurity and Infrastructure Security Agency (CISA). These recent developments follow observed activity from a slew of sophisticated cyber threat actors who have found success through the exploitation of small office/home office (SOHO) routers and other edge network devices. Notable examples include campaigns by the BlackTech, BianLian and Volt Typhoon threat actors.

BlackTech is categorized as a cyber espionage group and has been active since 2012, most recently involved in a campaign targeting Cisco network equipment in U.S. and Japanese organizations. This activity, detailed in Threat Briefing 14, demonstrates how threat actors have used LOTL techniques to modify router firmware images and leverage domain-trust relationships for persistent access.

BianLian, a ransomware-as-a-service (RaaS) developer and provider, focuses on extortion-based attacks targeting U.S. critical infrastructure sectors. With a name that translates loosely to “the art of changing faces,” BianLian is an adaptive threat group that has used LOTL tactics for reconnaissance and lateral movement to infiltrate network environments in the U.S.

Volt Typhoon is categorized as an advanced persistent threat (APT). Active since 2021, the group is a leader in the application of LOTL techniques. According to a Microsoft Threat Intelligence advisory in March 2023, Volt Typhoon has targeted critical infrastructure entities in Guam and the U.S., relying heavily on the exploitation of local and network infrastructure as well as on living-off-the-land binaries (LOLBins). To maintain persistence, the group leverages compromised SOHO network devices to obfuscate its traffic and avoid detection.

The recent Joint Cybersecurity Advisory provides new insights into these groups’ behavior, indicating that “Volt Typhoon’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations.” Officials assert that the purpose of these campaigns is to pre-position access on IT networks to enable lateral movement into operational environments, raising concerns for both manufacturing and supply chains in critical industries, including space. Estimates claim that threat actors have used this approach to maintain persistence for over five years without significant detection.

The increasing use of Living off the Land techniques by cyber threat actors, as highlighted in the recent government advisory, presents a significant challenge for organizations, especially those in critical sectors like space. The correlation between the advisory’s findings and the observed behavior of sophisticated threat groups over the past year underscores the urgency for improved cybersecurity measures.

The cases of BlackTech, BianLian and Volt Typhoon demonstrate the diverse ways threat actors are leveraging LOTL techniques for malicious purposes, from cyber espionage to ransomware attacks. These groups’ ability to exploit network vulnerabilities and maintain persistence through compromised edge devices poses a serious threat to national security and the economy. As LOTL techniques continue to evolve, organizations must remain vigilant and proactive in their cybersecurity efforts to protect against these sophisticated threats.