The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) conducted an incident response assessment of a state government organization’s network environment after documents containing host and user information, including metadata, were posted on a dark web brokerage site. Analysis confirmed that an unidentified threat actor compromised network administrator credentials through the account of a former employee—a technique commonly leveraged by threat actors—to successfully authenticate to an internal virtual private network (VPN) access point, further navigate the victim’s on-premises environment, and execute various lightweight directory access protocol (LDAP) queries against a domain controller.[1] Analysis also focused on the victim’s Azure environment, which hosts sensitive systems and data, as well as the compromised on-premises environment. Analysis determined there were no indications the threat actor further compromised the organization by moving laterally from the on-premises environment to the Azure environment.
CISA and MS-ISAC are releasing this Cybersecurity Advisory (CSA) to provide network defenders with the tactics, techniques, and procedures (TTPs) used by the threat actor and methods to protect against similar exploitation of both unnecessary and privileged accounts.
TECHNICAL DETAILS
Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 14. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actor’s activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.
Overview
A state government organization was notified that documents containing host and user information, including metadata, were posted on a dark web brokerage site. After further investigation, the victim organization determined that the documents were accessed via the compromised account of a former employee. Threat actors commonly leverage valid accounts, including accounts of former employees that have not been properly removed from the Active Directory (AD), to gain access to organizations.[1] CISA and MS-ISAC assessed that an unidentified threat actor likely accessed documents containing host and user information to post on the dark web for profit after gaining access through the account of a former employee.
The scope of this investigation included the victim organization’s on-premises environment, as well as their Azure environment, which hosts sensitive systems and data. Analysis determined the threat actor did not move laterally from the compromised on-premises network to the Azure environment and did not compromise sensitive systems.
Untitled Goose Tool
Incident responders collected Azure and Microsoft Defender for Endpoint (MDE) logs using CISA’s Untitled Goose Tool—a free tool to help network defenders detect potentially malicious activity in Microsoft Azure, Azure Active Directory (AAD), and Microsoft 365 (M365) environments. CISA developed the Untitled Goose Tool to export and review AAD sign-in and audit logs, M365 unified audit logs (UAL), Azure activity logs, and MDE data. By exporting cloud artifacts, Untitled Goose Tool supports incident response teams with environments that do not ingest logs into a security information and event management (SIEM) tool.
Threat Actor Activity
The logs revealed the threat actor first connected from an unknown virtual machine (VM) to the victim’s on-premises environment via internet protocol (IP) addresses within their internal VPN range. CISA and MS-ISAC assessed that the threat actor connected to the VM through the victim’s VPN [T1133] with the intent to blend in with legitimate traffic to evade detection.
Initial Access: Compromised Domain Accounts
USER1: The threat actor gained initial access through the compromised account of a former employee with administrative privileges (USER1) [T1078.002] to conduct reconnaissance and discovery activities. The victim organization confirmed that this account was not disabled immediately following the employee’s departure.
The threat actor likely obtained the USER1 account credentials in a separate data breach due to the credentials appearing in publicly available channels containing leaked account information [T1589.001].
USER1 had access to two virtualized servers including SharePoint and the workstation of the former employee. The workstation was virtualized from a physical workstation using the Veeam Physical to Virtual (P2V) function within the backup software.
USER2: The threat actor likely obtained the USER2 account credentials from the virtualized SharePoint server managed by USER1 [T1213.002]. The victim confirmed that the administrator credentials for USER2 were stored locally on this server [T1552.001].
Through connection from the VM, the threat actor authenticated to multiple services [T1021] via the USER1 account, as well as from an additional compromised global domain administrator account (USER2) [T1078.002].
The threat actor’s use of the USER2 account was impactful due to the access it granted to both the on-premises AD and Azure AD [T1021.007], thus enabling administrative privileges [T1078.004].
Following notification of the dark web posting, the victim organization immediately disabled the USER1 account and took the two virtualized servers associated with the former employee offline. The victim also changed the password for the USER2 account and removed administrator privileges. Neither of the administrative accounts had multifactor authentication (MFA) enabled.
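The USER1 account is the profile every Active Directory administrator should be hunting for: enabled, privileged, and silent for months because the owner left. The following script, an added example that is not part of this advisory or of any CISA tool, lists enabled accounts that hold membership in privileged groups but have not logged on in 90 days. It assumes the RSAT ActiveDirectory module on a domain-joined host; the group list and the 90-day threshold are assumptions to adjust locally.

```powershell
# Added example (not from the advisory): enabled privileged AD accounts with no logon in 90+ days.
# Assumptions: RSAT ActiveDirectory module, a domain-joined host, and the group names below.
Import-Module ActiveDirectory

$InactiveDays     = 90
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'

# SID -> group for every user that is a direct or nested member of a privileged group.
# Enterprise/Schema Admins exist only in the forest root, so missing groups are ignored.
$privilegedSids = @{}
foreach ($group in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $privilegedSids[$_.SID.Value] = $group }
}

# Enabled accounts with no logon inside the window. Search-ADAccount uses the replicated
# lastLogonTimestamp, which can lag by up to 14 days; that is still precise enough to
# surface a departed administrator whose account was never disabled.
$stalePrivileged = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
    Where-Object { $_.Enabled -and $privilegedSids.ContainsKey($_.SID.Value) } |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName    = $_.SamAccountName
            LastLogonDate     = $_.LastLogonDate
            PrivilegedGroup   = $privilegedSids[$_.SID.Value]
            DistinguishedName = $_.DistinguishedName
        }
    }

$stalePrivileged | Sort-Object LastLogonDate | Format-Table -AutoSize

# Remediation, once each hit is confirmed with the account owner's manager
# (the step that was missed for USER1 at offboarding):
# $stalePrivileged | ForEach-Object { Disable-ADAccount -Identity $_.DistinguishedName }
```

Run this on a schedule and feed the output into the offboarding process: an account appearing here is either orphaned or a break-glass account that should be documented, not a routine administrator login.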
LDAP Queries
Through connection from the VM, the threat actor conducted LDAP queries of the AD, likely using the open source tool AdFind.exe, based on the format of the output. CISA and MS-ISAC assess the threat actor executed the LDAP queries [T1087.002] to collect user, host [T1018], and trust relationship information [T1482]. It is also believed the LDAP queries generated the text files the threat actor posted for sale on the dark web brokerage site: ad_users.txt, ad_computers.txt, and trustdmp.txt.
Table 1 lists all queries that were conducted between 08:39:43-08:40:56 Coordinated Universal Time (UTC).
Table 1: LDAP Queries Conducted by the Threat Actor
Query 1: LDAP Search Scope: WholeSubtree, Base Object: dc=[REDACTED],dc=local, Search Filter: (objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=[REDACTED],DC=local)
Description: Collects names and metadata of all user objects in the domain (the likely source of ad_users.txt).
Query 2: LDAP Search Scope: WholeSubtree, Base Object: dc=[REDACTED],dc=local, Search Filter: (objectCategory=CN=Computer,CN=Schema,CN=Configuration,DC=[REDACTED],DC=local)
Description: Collects names and metadata of all computer objects in the domain (the likely source of ad_computers.txt).
Query 3: LDAP Search Scope: WholeSubtree, Base Object: dc=[REDACTED],dc=local, Search Filter: (objectCategory=CN=Trusted-Domain,CN=Schema,CN=Configuration,DC=[REDACTED],DC=local)
Description: Collects the domain's trust relationships (trustedDomain objects), the likely source of trustdmp.txt [T1482]. This object category does not return Domain Administrators or service principals; those require separate queries of group membership or servicePrincipalName attributes.
Service Authentication
Through the VM connection, the threat actor was observed authenticating to various services on the victim organization's network from the USER1 and USER2 administrative accounts. In all instances, the threat actor authenticated to the Common Internet File System (CIFS) service on various endpoints [T1078.002],[T1021.002]. CIFS is the SMB-based protocol that provides shared access to files and printers between machines on the network, so this activity was likely used for file, folder, and directory discovery [T1083], and it is assessed to have been executed in an automated manner.
USER1 authenticated to four services, presumably for the purpose of network and service discovery [T1046].
USER2 authenticated to twelve services. Note: This account had administrative privileges to both the on-premises network and Azure tenant.
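Both discovery patterns described above leave records on the domain controllers: the Table 1 searches as Directory Service event 1644 (one event per LDAP search, when that logging is enabled), and the CIFS authentications as Security event 4769 service ticket requests, where the ServiceName is the computer account (HOST$) of each endpoint reached. The script below is an added example, not part of this advisory or of any CISA tool, that parses both event types and flags the two bursts seen in this incident: one client sweeping several object categories with subtree searches inside a few minutes, and one account obtaining tickets for many distinct hosts inside a short window. It assumes Windows PowerShell 5.1 or later on a domain controller, that event 1644 is enabled (NTDS Diagnostics "15 Field Engineering" set to 5 with search thresholds low enough to log these searches) and uses the Windows Server 2012 R2 and later message layout, and that Kerberos service ticket auditing is on. The host names, IP addresses, thresholds and sample events are constructed for the demonstration, not taken from the incident.

```powershell
# Added example (not from the advisory). Assumptions: PowerShell 5.1+ on a DC, event 1644 enabled
# with the 2012 R2+ message layout, 4769 auditing on. All names, IPs and sample events are constructed.

function Find-Burst {
    # Group $Rows by $By and report the first point at which at least $MinDistinct distinct
    # values of $Of occur within $WindowMinutes of each other (one alert per key).
    param([object[]] $Rows, [string] $By, [string] $Of, [int] $WindowMinutes, [int] $MinDistinct)
    $Rows | Group-Object $By | ForEach-Object {
        $sorted = @($_.Group | Sort-Object Time)
        foreach ($start in $sorted) {
            $values = @($sorted |
                Where-Object { $_.Time -ge $start.Time -and ($_.Time - $start.Time).TotalMinutes -le $WindowMinutes } |
                ForEach-Object { $_.$Of } | Sort-Object -Unique)
            if ($values.Count -ge $MinDistinct) {
                [pscustomobject]@{ Key = $start.$By; FirstSeen = $start.Time; Distinct = $values.Count; Values = ($values -join ', ') }
                break
            }
        }
    }
}

function ConvertFrom-LdapSearchEvent {
    # Event 1644 (Directory Service log): one LDAP search per event, each field on its own line.
    param([Parameter(ValueFromPipeline)] $Event)   # Get-WinEvent record, or any object with TimeCreated and Message
    process {
        $m      = $Event.Message
        $filter = [regex]::Match($m, '(?m)^Filter:\s+(.+?)\s*$').Groups[1].Value
        $cat    = [regex]::Match($filter, '(?i)objectCategory=(?:CN=)?([A-Za-z-]+)').Groups[1].Value
        [pscustomobject]@{
            Time     = $Event.TimeCreated
            Client   = [regex]::Match($m, '(?m)^Client:\s+([\d\.]+):\d+').Groups[1].Value
            Scope    = [regex]::Match($m, '(?m)^Search scope:\s+(\w+)').Groups[1].Value.ToLower()
            Category = ($cat -replace '-', '').ToLower()   # "Trusted-Domain" and "trustedDomain" both become trusteddomain
        }
    }
}

function ConvertFrom-KerberosTgsEvent {
    # Event 4769 (Security log): a service ticket request. ServiceName is the target computer
    # account (HOST$) for CIFS and other host-based services.
    param([Parameter(ValueFromPipeline)] $Event)   # Get-WinEvent record, or an event XML string for testing
    process {
        $xml  = if ($Event -is [string]) { [xml]$Event } else { [xml]$Event.ToXml() }
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time   = [datetime]$xml.Event.System.TimeCreated.SystemTime
            User   = $data.TargetUserName
            Target = $data.ServiceName
            Status = $data.Status
        }
    }
}

# ---- constructed sample events (demo data, not incident logs) ----
$t0 = Get-Date '2024-01-09T08:39:43Z'
function New-LdapSample($Seconds, $Client, $Filter) {
    [pscustomobject]@{
        TimeCreated = $t0.AddSeconds($Seconds)
        Message     = "Internal event: A client issued a search operation with the following options.`r`n`r`nClient:`r`n${Client}:49712`r`nStarting node:`r`nDC=corp,DC=local`r`nFilter:`r`n $Filter`r`nSearch scope:`r`nsubtree`r`nAttribute selection:`r`n*"
    }
}
function New-TgsSample($Seconds, $User, $Server) {
    $ts = $t0.AddSeconds($Seconds).ToUniversalTime().ToString('o')
    "<Event><System><TimeCreated SystemTime='$ts'/></System><EventData>" +
    "<Data Name='TargetUserName'>$User</Data><Data Name='ServiceName'>$Server</Data>" +
    "<Data Name='IpAddress'>::ffff:10.8.4.21</Data><Data Name='Status'>0x0</Data></EventData></Event>"
}
$ldapSamples = @(
    (New-LdapSample 0    '10.8.4.21' '(objectcategory=person)'),        # the three Table 1 searches, AdFind style
    (New-LdapSample 29   '10.8.4.21' '(objectcategory=computer)'),
    (New-LdapSample 73   '10.8.4.21' '(objectcategory=trustedDomain)'),
    (New-LdapSample 5400 '10.8.1.5'  '(objectcategory=person)')          # a single search from another host: not flagged
)
$tgsSamples = @(1..6 | ForEach-Object { New-TgsSample (300 + 60 * $_) 'user2@CORP.LOCAL' "FS0$_`$" }) +
              @(New-TgsSample 400 'alice@CORP.LOCAL' 'FS01$'; New-TgsSample 500 'alice@CORP.LOCAL' 'PRINT01$')

# ---- LDAP enumeration: two or more object categories swept with subtree searches within 5 minutes ----
$ldapRows = $ldapSamples | ConvertFrom-LdapSearchEvent |
    Where-Object { $_.Scope -eq 'subtree' -and $_.Category -in @('person', 'computer', 'trusteddomain') }
Find-Burst -Rows $ldapRows -By Client -Of Category -WindowMinutes 5 -MinDistinct 2

# ---- Service fan-out: one user account obtaining tickets for 5 or more distinct hosts within 30 minutes ----
$tgsRows = $tgsSamples | ConvertFrom-KerberosTgsEvent |
    Where-Object { $_.Status -eq '0x0' -and $_.Target -like '*$' -and $_.User -notlike '*$@*' }
Find-Burst -Rows $tgsRows -By User -Of Target -WindowMinutes 30 -MinDistinct 5

# Live use on a domain controller (replace the sample arrays above):
# Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1644; StartTime = (Get-Date).AddDays(-1) } | ConvertFrom-LdapSearchEvent | ...
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddDays(-1) } | ConvertFrom-KerberosTgsEvent | ...
```

The sample run reports 10.8.4.21 with three categories inside 73 seconds and user2 with six hosts inside six minutes, and nothing for the other client or account. Tune the thresholds against a baseline first: backup agents, vulnerability scanners and monitoring service accounts legitimately touch many hosts, and a tighter rule is to alert on interactive user accounts (not service or computer accounts) that fan out from a VPN address range.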
MITRE ATT&CK TACTICS AND TECHNIQUES
See Tables 2-9 for all referenced threat actor tactics and techniques for enterprise environments in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK's Best Practices for MITRE ATT&CK Mapping and CISA's Decider Tool. The procedures from those tables, listed with the technique each is mapped to in the body of this advisory:
Initial Access, Valid Accounts: Domain Accounts [T1078.002]: The actor gained initial access through the compromised account of a former employee with administrative privileges (USER1). The employee's account was not immediately disabled after their departure.
Lateral Movement, Remote Services [T1021] and Remote Services: SMB/Windows Admin Shares [T1021.002]: The actor authenticated to multiple services from a compromised Global Domain Administrator account (USER2). The actor also authenticated to the Common Internet File System (CIFS) service on various endpoints.
Valid Accounts: Cloud Accounts [T1078.004] and Remote Services: Cloud Services [T1021.007]: The actor used a compromised account (USER2) which was synced to both the on-premises AD and Azure AD, thus granting administrative privileges to both the on-premises network and the Azure tenant.
Collection, Data from Information Repositories: SharePoint [T1213.002]: The actor likely obtained the USER2 account credentials from the virtualized SharePoint server managed by USER1.
MITIGATIONS
Note: These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST), which apply to all critical infrastructure organizations and network defenders. The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
Secure and Monitor Administrator Accounts
The threat actor gained access to the network via compromised administrator accounts that did not have MFA enabled. The compromised USER2 Global Domain Administrator account could have enabled the threat actor to move laterally from the on-premises environment to the Azure tenant. In response to the incident, the victim organization removed administrator privileges for USER2. Additionally, the victim organization disabled unnecessary administrator accounts and enabled MFA for all administrator accounts. To prevent similar compromises, CISA and MS-ISAC recommend the following:
Review current administrator accounts to determine their necessity and only maintain administrator accounts that are essential for network management. This will reduce the attack surface and focus efforts on the security and monitoring of necessary accounts.
Restrict the use of multiple administrator accounts for one user.
Create separate administrator accounts for on-premises and Azure environments to segment access.
Implement the principle of least privilege to decrease a threat actor's ability to access key network resources. Enable just-in-time and just-enough access for administrator accounts so that privileges are elevated only to the minimum necessary level and only for the time needed to complete a task.
Use phishing-resistant multifactor authentication (MFA) [CPG 2.H] (e.g., security tokens) for remote access and access to any sensitive data repositories. Implement phishing-resistant MFA for as many services as possible—particularly for webmail and VPNs—for accounts that access critical systems and privileged accounts that manage backups. MFA should also be used for remote logins [M1032]. For additional guidance on secure MFA configurations, visit CISA’s More than a Password webpage and read CISA’s Implementing Phishing-Resistant MFA fact sheet.
Reduce Attack Surface
Unnecessary accounts, software, and services in the network create additional vectors for a threat actor to compromise. CISA and MS-ISAC recommend the following:
Establish policy and procedure for the prompt removal of unnecessary accounts and groups from the enterprise, especially privileged accounts. Organizations should implement a robust and continuous user management process to ensure accounts of offboarded employees are removed and can no longer access the network.
Maintain a robust asset management policy through comprehensive documentation of assets, tracking current version information to maintain awareness of outdated software, and mapping assets to business and critical functions.
Determine the need and functionality of assets that require public internet exposure [CPG 1.A].
Follow a routine patching cycle for all operating systems, applications, and software (including all third-party software) to mitigate the potential for exploitation.
Restrict personal devices from connecting to the network. Personal devices are not subject to the same group policies and security measures as domain joined devices.
Evaluate Tenant Settings
By default, in Azure AD all users can register and manage all aspects of applications they create. Users can also determine and approve what organizational data and services the application can access. These default settings can enable a threat actor to access sensitive information and move laterally in the network. In addition, any user who creates a new Azure AD tenant automatically becomes the Global Administrator of that tenant. This could allow a threat actor to escalate privileges to execute malicious actions. CISA and MS-ISAC recommend the following:
Evaluate current user permissions in the Azure tenant to restrict potentially harmful permissions including:
Restrict users’ ability to register applications. By default, all users in Azure AD can register and manage the applications they create and approve the data and services the application can access. If this is exploited, a threat actor can access sensitive information and move laterally in the network.
Restrict non-administrators from creating tenants. Any user who creates a new Azure AD tenant automatically becomes the Global Administrator of that tenant. This creates an opportunity for a threat actor to escalate privileges to the highest privileged role.
Restrict access to the Azure AD portal to administrators only. Users without administrative privileges cannot change settings, however, they can view user info, group info, device details, and user privileges. This would allow a threat actor to gather valuable information for malicious activities.
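The first two settings above are exposed through the authorization policy in Microsoft Graph, so they can be audited and corrected from a script rather than by clicking through the portal. The following is an added example, not part of this advisory or of any CISA tool, using the Microsoft Graph PowerShell SDK; it assumes the Microsoft.Graph.Identity.SignIns module and an administrator with the Policy.ReadWrite.Authorization permission. The portal-restriction setting is handled separately because Graph does not expose it.

```powershell
# Added example (not from the advisory). Assumptions: Microsoft.Graph.Identity.SignIns module and an
# administrator granted Policy.ReadWrite.Authorization. Review the current values before applying the change.
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization' -NoWelcome

$policy = Get-MgPolicyAuthorizationPolicy
$perms  = $policy.DefaultUserRolePermissions

# Current state. $true on the first two lines means the permissive tenant default is still in place.
[pscustomobject]@{
    UsersCanRegisterApps   = $perms.AllowedToCreateApps        # "Users can register applications"
    UsersCanCreateTenants  = $perms.AllowedToCreateTenants     # inverse of "Restrict non-admin users from creating tenants"
    UsersCanReadOtherUsers = $perms.AllowedToReadOtherUsers    # directory browsing by non-admins; test before changing
} | Format-List

# Hardened state: only administrators may register applications or create tenants.
Update-MgPolicyAuthorizationPolicy -BodyParameter @{
    defaultUserRolePermissions = @{
        allowedToCreateApps    = $false
        allowedToCreateTenants = $false
    }
}

# Re-read to confirm the change landed.
(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions | Select-Object AllowedToCreateApps, AllowedToCreateTenants

# "Restrict access to the Azure AD administration portal" has no Graph API; set it in the admin
# center under Users > User settings. It hides the portal from non-admins but does not remove their
# Graph read access, which is governed by AllowedToReadOtherUsers above.
```

Disabling application registration for users does not break existing applications; it means new registrations go through an administrator, which is also the point at which consent to organizational data can be reviewed.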
Create a Forensically Ready Organization
Collect access- and security-focused logs (e.g., intrusion detection systems/intrusion prevention systems, firewall, data loss prevention, and virtual private network) for use in both detection and incident response activities [CPG 2.T].
Enable complete coverage of tools, including Endpoint Detection and Response (EDR), across the environment for thorough analysis of anomalous activity and remediation of potential vulnerabilities.
Assess Security Configuration of Azure Environment
CISA created the Secure Cloud and Business Applications (SCuBA) assessment tool to help Federal Civilian Executive Branch (FCEB) agencies verify that an M365 tenant configuration conforms to a minimum viable secure configuration baseline. Although the SCuBA assessment tool was developed for FCEB agencies, other organizations can benefit from its output. CISA and MS-ISAC recommend the following:
Use tools that identify attack paths. This will enable defenders to identify common attack paths used by threat actors and shut them down before they are exploited.
Review the security recommendations list provided by Microsoft 365 Defender. Focus remediation on critical vulnerabilities on endpoints that are essential to mission execution and contain sensitive data.
Evaluate Conditional Access Policies
Conditional access policies require users who want to access a resource to complete an action. Conditional access policies also account for common signals, such as user or group memberships, IP location information, device, application, and risky sign-in behavior identified through integration with Azure AD Identity Protection.
Review current conditional access policies to determine if changes are necessary.
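A review of Conditional Access should answer one question first: is there an enabled policy that forces MFA on privileged roles, the control both compromised administrator accounts in this incident lacked? The script below is an added example, not part of this advisory or of any CISA tool, that lists every policy with its scope and grant controls and then checks for that specific gap. It assumes the Microsoft.Graph.Identity.SignIns module and an account granted Policy.Read.All; the role template ID used is the well-known Global Administrator ID.

```powershell
# Added example (not from the advisory). Assumptions: Microsoft.Graph.Identity.SignIns module and
# Policy.Read.All. The GUID is the well-known Global Administrator role template ID.
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome

$GlobalAdminRole = '62e90394-69f5-4237-9190-012177145e10'
$policies = Get-MgIdentityConditionalAccessPolicy

# Inventory: who each policy covers, who is carved out, and what it grants.
$policies | Select-Object DisplayName, State,
    @{ n = 'AllUsers';   e = { $_.Conditions.Users.IncludeUsers -contains 'All' } },
    @{ n = 'Roles';      e = { @($_.Conditions.Users.IncludeRoles).Count } },
    @{ n = 'Exclusions'; e = { @($_.Conditions.Users.ExcludeUsers).Count + @($_.Conditions.Users.ExcludeGroups).Count } },
    @{ n = 'Grant';      e = { (@($_.GrantControls.BuiltInControls) + @($_.GrantControls.AuthenticationStrength.DisplayName) |
                                 Where-Object { $_ }) -join ',' } } |
    Format-Table -AutoSize

# Gap check: an enabled policy that includes Global Administrators (directly or via "All users")
# and requires either the legacy "mfa" control or an authentication strength (phishing-resistant MFA).
$adminMfa = $policies | Where-Object {
    $_.State -eq 'enabled' -and
    ($_.Conditions.Users.IncludeUsers -contains 'All' -or $_.Conditions.Users.IncludeRoles -contains $GlobalAdminRole) -and
    ($_.GrantControls.BuiltInControls -contains 'mfa' -or $_.GrantControls.AuthenticationStrength.Id)
}
if (-not $adminMfa) {
    Write-Warning 'No enabled Conditional Access policy requires MFA for Global Administrators.'
} else {
    "MFA for Global Administrators enforced by: $($adminMfa.DisplayName -join ', ')"
}
```

A policy that passes this check can still have holes: exclusions for users or groups, an application scope narrower than "All cloud apps", or a state of report-only rather than enabled. Treat the Exclusions column as the list of accounts to justify individually, and remember that Conditional Access does not govern on-premises VPN or LDAP authentication, which need their own MFA enforcement.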
Reset All Passwords and Establish Secure Password Policies
In response to the incident, the victim organization reset passwords for all users.
Employ strong password management alongside other attribute-based information, such as device information, time of access, user history, and geolocation data. Set a password policy to require complex passwords for all users (minimum of 16 characters) and enforce this new requirement as user passwords expire [CPG 2.A],[CPG 2.B],[CPG 2.C].
Store credentials in a secure manner, such as with a credential manager, vault, or other privileged account management solution [CPG 2.L].
CISA recommends that vendors incorporate secure by design principles and tactics into their practices, limiting the impact of threat actor techniques and strengthening the secure posture for their customers.
Prioritize secure by default configurations, such as eliminating default passwords and providing high-quality audit logs to customers with no additional configuration, at no extra charge. Secure by default configurations should be prioritized to eliminate the need for customer implementation of hardening guidance.
Implement multifactor authentication (MFA), ideally phishing-resistant MFA, as a default (rather than opt-in) feature for all products.
VALIDATE SECURITY CONTROLS
In addition to applying mitigations, CISA and MS-ISAC recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
Select an ATT&CK technique described in this advisory (see Tables 2-9).
Align your security technologies against the technique.
Test your technologies against the technique.
Analyze your detection and prevention technologies’ performance.
Repeat the process for all security technologies to obtain a set of comprehensive performance data.
Tune your security program, including people, processes, and technologies, based on the data generated by this process.
CISA and MS-ISAC recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
The information in this report is being provided “as is” for informational purposes only. CISA and MS-ISAC do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA or MS-ISAC.
Department Strengthens Commitment to Advancing Equity in its Policies, Programs, and Operations
WASHINGTON – Today, the U.S. Department of Homeland Security (DHS) announced the release of the 2023 Update to the DHS Equity Action Plan, which builds on the progress made in the 2022 inaugural plan to further embed equity at the center of the Department’s mission. The 2023 Update highlights DHS’s accomplishments over the past three years and identifies nine focus areas to comprehensively advance equity across the Department’s policies, programs, and operations.
DHS selected the nine focus areas in the 2023 Update based on feedback from external stakeholders representing underserved communities. These nine areas include the following strategies and initiatives:
Advance equity through the planned updates to the FEMA Individual Assistance Program, which will create opportunities for underserved communities by increasing accessibility and eligibility for post-disaster support.
Reduce barriers to citizenship and naturalization through continued evaluation of programs, policies, and outreach opportunities.
Promote equitable use of AI technology across the Department through the development and application of new guidance as well as intra-agency coordination.
Counter Domestic Violent Extremism and targeted violence through a public health-informed approach.
Advance equity for persons who are Limited English Proficient (LEP) by strengthening language access programs.
Advance equity in DHS’s screening activities at airport checkpoints and ports of entry through updates to training and enhanced technologies.
Advance equity for the 574 federally recognized Tribal Nations and their citizens by ensuring appropriate Tribal consideration and representation in the Department’s work.
Advance equity for persons seeking humanitarian protection during immigration processing by strengthening programs available to assist them.
Advance equity through Community Disaster Resilience Zones.
The 2023 Update also notes the following accomplishments, among many others:
Exceeded all small business prime and socioeconomic goals as negotiated with the Small Business Administration in FY 2023. This equates to $9.94 billion awarded to small businesses, including $4.69 billion to small disadvantaged businesses. DHS is the largest spending agency to have achieved this goal.
Deployed TSA’s new software to over 1,000 Advanced Imaging Technology (AIT) screening systems at airports across the country: Updates to the software algorithm eliminate the need for security officers to determine a passenger’s gender prior to AIT screening, enhance accuracy, and significantly reduce false alarms and pat downs for all passengers. It is projected to reduce instances of enhanced screening for members of underserved communities.
Updated medical certification for disability exceptions and related policy guidance: Applicants for naturalization with a physical or developmental disability or mental impairment may request an exception to the English and civics testing requirements for naturalization. This form and policy update streamlines the process for applicants to claim and substantiate a disability by eliminating unnecessary and duplicative questions.
WASHINGTON – Today, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), the U.S. Election Assistance Commission (EAC), and the United States Postal Inspection Service (USPIS) published Election Mail Handling Procedures to Protect Against Hazardous Materials. This resource helps officials understand safe mail handling procedures and provides guidance on responding to potential hazardous materials exposure.
Over the past two decades, U.S. government offices and employees have been the target of multiple incidents using letters containing hazardous materials, including suspicious letters mailed to election offices in California, Georgia, Nevada, Oregon, and Washington in 2023. Since mail is a key component of both standard office operations and mail balloting across the country, this guidance document provides information for election offices on how to identify and handle potentially suspicious mail and respond to potential hazardous materials exposure while handling suspicious mail. The guide also provides specific information on how to protect against the three hazardous powders of greatest concern, fentanyl, anthrax, and ricin, in addition to more routine mail hazards.
“CISA is proud to stand shoulder to shoulder with state and local election officials who face a complex threat environment,” said CISA Director Jen Easterly. “Today’s guidance on safe mail handling procedures will help election officials and others on the frontlines of our democracy take steps to protect themselves and their personnel from hazards sent through the mail. We will continue to work with our partners to ensure election officials have the information and resources they need to run a safe, secure and resilient election.”
“It is essential for the FBI to leverage force multipliers, through strong partnerships and informational campaigns, like this one, which focus on election mail handling procedures,” said Susan Ferensic, Assistant Director of the Weapons of Mass Destruction Directorate. “This guidance will further strengthen the ability of those on the frontlines to be better prepared to identify and handle suspicious mail. The FBI will continue to reinforce proactive partnerships in an effort to protect election workers.”
EAC Chairwoman Christy McCormick, Vice Chair Ben Hovland, Commissioner Donald Palmer, and Commissioner Thomas Hicks said in the following joint statement: “The safety of election workers is a top priority for the EAC, as it should be for all Americans. To ensure our elections run smoothly, election officials must be able to carry out essential tasks such as opening and receiving mail without risking their health. Due to the multiple incidents involving election offices being sent hazardous materials, we urge election workers to exercise caution when handling mail by following the guidance in this resource. We will continue to work with federal partners to support officials as they conduct fair, safe, and secure elections in 2024 and beyond.”
“The U.S. Postal Inspection Service is committed to ensuring the safe and secure delivery of Election Mail, the integrity of our elections and the protection of election offices and election officials from threatening and dangerous mail,” said Gary Barksdale, Chief Postal Inspector. “This guidance is part of our collaborative efforts with our federal partners to raise awareness with the election community of suspicious, threatening, and dangerous mail and steps that can be taken to prepare for, and respond to, these incidents should they arise. We encourage all election offices to implement the recommendations that are part of this guidance.”
As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.
Continuing a 20+ Year Partnership, More Than 385 DHS Personnel on the Ground Working to Protect an Estimated 65,000 Fans Attending the Big Game at Allegiant Stadium
NFL Announces it Will Join Secure Our World Cybersecurity Awareness Effort During Super Bowl and Throughout Upcoming Season
DHS Working with Lyft to Equip Drivers in Las Vegas with the Tools to Detect and Report Human Trafficking
WASHINGTON – Secretary of Homeland Security Alejandro N. Mayorkas traveled this week to Las Vegas, Nevada to review Department of Homeland Security (DHS) operations for Super Bowl LVIII with state and local law enforcement and the National Football League (NFL). For the past 18 months, DHS employees worked with local officials to assess potential risks and developed plans to address them. The Department, as the lead federal agency providing Super Bowl security, has not identified specific, credible threats related to this Super Bowl, but DHS continues to bring federal resources to bear.
Over 385 DHS personnel are deployed in Las Vegas to provide extensive air security resources; venue, cyber, and infrastructure security assessments; chemical, biological, radiological, nuclear, and explosives detection technologies; intelligence analysis and threat assessments; intellectual property enforcement; and real-time situational awareness reporting for our partners.
U.S. Secret Service Special Agent in Charge Karon Ransom is serving as the lead Federal Coordinator for Super Bowl LVIII with support from various DHS component agencies and offices and other federal partners. Federal Security Director Karen Burke from the Transportation Security Administration (TSA) is the Deputy Federal Coordinator, and Cybersecurity and Infrastructure Security Agency (CISA) Supervisory Protective Security Advisor Gonzalo Cordova is the Alternate Deputy Federal Coordinator. DHS has led federal efforts to ensure the safety and security of employees, players, and fans at the Super Bowl for the last two decades.
“The Department of Homeland Security, alongside our federal, state, and local partners, is working to ensure that the 65,000 people attending Super Bowl LVIII and the millions of people gathering together and enjoying the game across the country are all safe,” said Secretary of Homeland Security Alejandro N. Mayorkas. “There are no known, credible, specific threats to the Super Bowl or to Las Vegas at this time – but we are vigilant, and we are prepared.”
As part of these efforts, the NFL also announced today they are joining the Secure Our World cybersecurity awareness campaign. Led by CISA, Secure Our World encourages individuals, families, and small to medium-sized businesses to take simple steps such as using strong passwords, enabling multi-factor authentication, identifying and reporting phishing, and updating software to stay safe and secure online. The cyber safety tips will be seen at the NFL Experience during Super Bowl Week and during the game on Sunday. The league is also committing to working with their teams to advance cybersecurity awareness throughout the 2024-2025 season.
In a historic partnership, the DHS Blue Campaign, part of the DHS Center for Combating Human Trafficking, and Lyft announced a new effort today to educate drivers in the Las Vegas area during Super Bowl week to ensure they have the tools and campaign resources to recognize the signs of human trafficking. Crimes like human trafficking can be more prevalent during events like the Super Bowl due to the mass volume of people and anonymity that large gatherings provide.
“Securing the Super Bowl requires the combined expertise and resources of local, state, and federal law enforcement and public safety agencies,” said U.S. Secret Service Special Agent in Charge and Federal Coordinator Karon Ransom. “Together we are working to ensure a safe event for fans, teams, event staff, and the public.”
Personnel from 12 DHS component agencies and offices are in Las Vegas conducting the following activities to protect fans and attendees:
Identifying, Assessing, and Mitigating Potential Risks: DHS constantly evaluates a range of potential risks, from acts of terrorism to cyber security vulnerabilities, and takes steps to mitigate them.
CISA conducted physical and cybersecurity vulnerability assessments, planning exercises, and bomb safety workshops with state and local partners ahead of the event.
The Office of Intelligence & Analysis is working with the Federal Bureau of Investigation to assess the threat landscape leading up to the Super Bowl; this includes sharing timely and actionable information and intelligence with their state and local partners.
The Countering Weapons of Mass Destruction Office (CWMD) is providing surge support from its Mobile Detection Deployment Program and its BioWatch program in coordination with the City of Las Vegas. The U.S. Coast Guard’s (USCG) Pacific Strike Team is also supporting the Mobile Detection Deployment Program to bolster the Department’s ability to detect and interdict chemical, biological, radiological, and nuclear threats.
The TSA will have a Supervisory Federal Air Marshal staffing the Fusion Watch Center, the primary command center for the Las Vegas Metropolitan Police Department, during the event.
U.S. Customs and Border Protection’s (CBP) Air and Marine Operations (AMO) will support Super Bowl security operations enforcing temporary flight restrictions around Allegiant Stadium during Super Bowl LVIII. AMO will provide “eye in the sky” intelligence, surveillance and reconnaissance flight operations in and around the various NFL venues to provide situational awareness and enhance overall security operations.
The NFL received a SAFETY Act Designation from DHS, allowing Allegiant Stadium to invest in the most current security technologies, procedures, services, controls and systems contributing to structural and physical security during the Super Bowl. These measures grant the providers of those technologies liability protections in the event of a terrorist attack.
For the first time at a Super Bowl, the Science & Technology Directorate (S&T) will deploy easy-to-assemble, expandable security barriers that can be installed quickly to provide critical asset protection and intrusion prevention and fill coverage gaps in security at the stadium.
DHS is also continuing our partnership with the NFL on the “If You See Something, Say Something®” public awareness campaign during the Super Bowl. DHS is working with the Southern Nevada Counterterrorism Center and Las Vegas Police Department using social media and digital displays within the stadium and outreach throughout the Las Vegas area to raise public awareness of the importance of reporting terrorism-related suspicious activity. In partnership with TSA, the campaign also launched its general awareness video at Harry Reid International Airport (LAS) for residents and visitors traveling to and from Las Vegas.
On Super Bowl Sunday, the Southern Nevada Counter Terrorism Center will partner with the NFL and DHS to host a tip line where the public and game attendees can report suspicious activity. Attendees within Allegiant Stadium may call (702) 828-7777 or text (725) 780-2345. Outside of the stadium, the public may call (702) 828-7777 or local authorities.
Actively screening and monitoring people, goods, and vehicles for a range of threats: DHS is leveraging its significant technology assets and dedicated personnel to protect the Super Bowl stadium, Super Bowl week events, and city of Las Vegas against potential threats.
TSA is utilizing its National Deployment Force to increase the number of transportation security officers who will be working at LAS to screen the increased number of departing passengers following the Super Bowl. TSA explosive detection canines and their handlers will be working during Super Bowl week events at key venues including the Mandalay Bay South Convention Center, Allegiant Stadium, and LAS. TSA will also have four Visible Intermodal Prevention and Response (VIPR) teams on the ground to conduct increased counter-terrorism patrols.
The USCG is providing five Canine Explosive Detection teams to ensure the safety and security of the event.
CBP is providing assets including aviation security, video surveillance capabilities, and non-intrusive inspection of vehicles and cargo. CBP officers are also scanning the cargo entering the stadium for contraband such as narcotics, weapons, and explosives.
Protecting fans from counterfeit goods and services: The Department is surging resources to identify and target the vendors of counterfeit merchandise and tickets.
CBP will be on the frontline in detecting and intercepting these illicit goods before they enter the United States. As in many Super Bowls in the past, criminal organizations will escalate their efforts to make a quick profit defrauding consumers by smuggling counterfeit NFL merchandise. The most commonly seized products are counterfeit NFL jerseys, championship rings, T-shirts, caps and all sorts of souvenirs and memorabilia. Counterfeit merchandise has economic impacts, legal implications, and health and safety risks.
Homeland Security Investigations (HSI) will deploy special agents to Las Vegas to support CBP, local law enforcement agencies, and other private partners to identify and open investigations against any flea markets, retail outlets, street vendors and online marketplaces selling counterfeit goods during the week leading up to Super Bowl. This work ensures the secure transaction of the over $16.5 billion consumers are expected to spend nationwide, supporting the sale of official – and safe – memorabilia.
Leading emergency response efforts, if they should occur: DHS is taking steps to mitigate risk, align resources, and coordinate communication between security personnel at all levels of government.
The Federal Emergency Management Agency (FEMA) supports state and local governments by providing communication tools to help keep fans safe by ensuring state and local responders have the ability to communicate with each other and the public.
An HSI Special Response Team is standing by to provide interior stadium tactical support if needed.
On Super Bowl Sunday, CISA will also deploy Advisors and Emergency Communications Coordinators to support local law enforcement, emergency responders, and private partners in Las Vegas.
Preventing human trafficking: In addition to the groundbreaking partnership with Lyft, the Department is partnering with law enforcement and other industry partners to educate the public on the indicators of human trafficking and how to appropriately respond to possible cases.
DHS Blue Campaign is also disseminating digital and out-of-home advertising in the Las Vegas area to raise awareness of human trafficking among visitors, local residents, and those working in industries, such as hotels, hospitality, and transportation, where front line employees are more likely to be in a position to identify and report human trafficking.
The Campaign’s Blue Lightning Initiative is also partnering with Harry Reid International Airport to raise awareness and train staff to recognize and report human trafficking.
For the past 20 years, DHS has provided security assistance to the NFL Super Bowl because of the event’s significant national and/or international importance, which requires extensive federal interagency support to resolve any resource gaps in security planning. DHS assessed the Super Bowl this year as a Special Event Assessment Rating (SEAR) Level 1 event. The extensive security measures implemented for this Super Bowl build on success protecting large-scale events in the last year, where DHS helped secure 18 Special Event Assessment Rating (SEAR) events – including the first ever designations for the Chicago NASCAR Street Race, the NFL Draft, and the Boston Marathon – and three National Special Security Events (NSSE).
Advisory provides details on the PRC’s efforts to conceal its hacking activity, gives discovery and mitigation guidance to potential victims, and encourages reporting of any suspected incident
WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI), along with key U.S. and international government agencies published a Joint Cybersecurity Advisory today on malicious activity by a People’s Republic of China (PRC) state-sponsored cyber actor, known as Volt Typhoon, to compromise critical infrastructure and associated actions that should be urgently undertaken by all organizations.
CISA and its U.S. Government partners have confirmed that this group of PRC state-sponsored cyber actors has compromised entities across multiple critical infrastructure sectors in cyberspace, including communications, energy, transportation, and water and wastewater, in the United States and its territories. The data and information CISA and its U.S. Government partners have gathered strongly suggest the PRC is positioning itself to launch destructive cyber-attacks that would jeopardize the physical safety of Americans and impede military readiness in the event of a major crisis or conflict with the United States.
In addition to the joint Cybersecurity Advisory, CISA and our partners also released complementary Joint Guidance to help all organizations effectively hunt for and detect the sophisticated types of techniques used by actors such as Volt Typhoon, known as “living off the land.” In recent years, the U.S. has seen a strategic shift in PRC cyber threat activity from a focus on espionage to pre-positioning for possible disruptive cyber-attacks against U.S. critical infrastructure. By using “living off the land” techniques, PRC cyber actors blend in with normal system and network activities, avoid identification by network defenses, and limit the amount of activity that is captured in common logging configurations.
Detecting and mitigating “living off the land” malicious cyber activity requires a multi-faceted and comprehensive approach to discern legitimate behavior from malicious behavior and conduct behavior analytics, anomaly detection, and proactive hunting. This advisory and complementary guidance provide organizations with details on how Volt Typhoon cyber threat actors use “living off the land” techniques to abuse legitimate, native tools and processes on systems, and identifies specific details on the actors’ tactics, techniques, and procedures (TTPs) using certain adversarial behavior patterns.
“The PRC cyber threat is not theoretical: leveraging information from our government and industry partners, CISA teams have found and eradicated Volt Typhoon intrusions into critical infrastructure across multiple sectors. And what we’ve found to date is likely the tip of the iceberg,” said CISA Director Jen Easterly. “Today’s joint advisory and guide are the result of effective, persistent operational collaboration with our industry, federal, and international partners and reflect our continued commitment to providing timely, actionable guidance to all of our stakeholders. We are at a critical juncture for our national security. We strongly encourage all critical infrastructure organizations to review and implement the actions in these advisories and report any suspected Volt Typhoon or living off the land activity to CISA or FBI.”
Today’s joint advisory is based primarily on technical insights gleaned from CISA and industry response activities at victim organizations within the United States, primarily in communications, energy, transportation, and water and wastewater sectors. Our complementary joint guide is derived from those insights as well as previously published products, red team assessments, and industry partners.
The new advisory and guide have been jointly issued by CISA, National Security Agency (NSA), Federal Bureau of Investigation (FBI), Department of Energy (DOE), Environmental Protection Agency (EPA), Transportation Security Administration (TSA), Australian Signals Directorate’s (ASD’s) Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), a part of the Communications Security Establishment (CSE), United Kingdom National Cyber Security Centre (NCSC-UK), and New Zealand National Cyber Security Centre (NCSC-NZ).
As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.
Lyft outreach will start with drivers in the Las Vegas area during Super Bowl 2024 as this crime can be more prevalent and escape unnoticed during large events
Tutorial program is the beginning of first-of-its kind partnership with DHS to combat human trafficking across the United States
WASHINGTON – Today, the Department of Homeland Security (DHS) Blue Campaign and Lyft, Inc. announced a new tutorial program that will help rideshare drivers in the United States and Canada detect and prevent human trafficking. The tutorial is one part of a first-of-its-kind partnership between Lyft and DHS Blue Campaign. Lyft will feature the Blue Campaign’s human trafficking resources in Lyft’s driver-only in-app Learning Center. This partnership will help raise awareness of this heinous crime, teach drivers the signs that indicate someone may be a victim, and provide them with resources to help, including guidance for how to contact the right authorities.
“A crime as globally pervasive as human trafficking requires a whole-of-society effort to shine a light on these heinous acts; identify, protect, and support victims; and bring perpetrators to justice,” said Secretary of Homeland Security Alejandro N. Mayorkas. “Key private sector partnerships and targeted trainings are critical to the success of our counter-human trafficking mission. The Department of Homeland Security’s new partnership with Lyft – which will teach drivers who interact with millions of riders every year to identify and help disrupt human trafficking – will help save lives and avert tragedies.”
“Human trafficking — the illegal exploitation of a person — is a heinous crime. We have zero tolerance for it,” said Lyft CEO David Risher. “We’re proud to partner with DHS’s Blue Campaign to raise awareness on the issue, so the one million people who drive on the Lyft platform can recognize and report it when they see it.”
Lyft joins more than 100 other Blue Campaign partners across the transportation, lodging, and private sector industries working to combat this crime. Official partners can elect to receive in-person education from Blue Campaign subject matter experts as well as co-branded educational and awareness materials tailored to the mission of their organization.
As the first major activation of the new partnership, Lyft, Inc. will send a notification to drivers in the Las Vegas area during Super Bowl 2024 to advise drivers that they have the tools available to them to recognize the signs of this crime. Crimes like human trafficking can be more prevalent during events like the Super Bowl due to the mass volume of people and anonymity that large gatherings provide.
Blue Campaign is a national public awareness campaign run by the DHS Center for Countering Human Trafficking (CCHT). It is designed to educate the public, law enforcement, and other industry partners to recognize the indicators of human trafficking, and how to appropriately respond to possible cases. The CCHT coordinates efforts of 16 DHS offices and Components to combat human trafficking through law enforcement operations, victim protection and support, intelligence and analysis, and public education and training programs. Learn more about the CCHT’s accomplishments at dhs.gov/dhs-center-countering-human-trafficking.
Anyone who suspects human trafficking is encouraged to report it to law enforcement – tips can be submitted anonymously online or by calling 866-347-2423. Individuals can also contact the National Human Trafficking Hotline at 888-373-7888 or humantraffickinghotline.org.
WASHINGTON – Today, the Cybersecurity and Infrastructure Security Agency (CISA) and the Environmental Protection Agency (EPA) hosted a CISA Live event on LinkedIn, titled Boosting Water Sector Cybersecurity. The event featured CISA Deputy Director Nitin Natarajan and EPA Director of Water Infrastructure and Cyber Resilience Division David Travers, highlighting the critical importance of water sector cybersecurity.
The livestreamed event shared resources specifically developed for the Water Sector and featured the Water and Wastewater Sector Cybersecurity Toolkit, which was jointly released by CISA and EPA on January 30, 2024. This toolkit marks a crucial step in bolstering the sector’s resilience against evolving cybersecurity challenges by providing practical safeguards and solutions.
“This toolkit is a testament to the power of collaboration in enhancing our national cyber defense,” said CISA Deputy Director Nitin Natarajan. “Our work in the water sector is coordinated with the Environmental Protection Agency (EPA), federal partners, state and local authorities, and the members of the water sector coordinating council including owners/operators and industry organizations, among others, to defend against today’s threats and collaborate to build a more secure and resilient infrastructure for the future. We look forward to seeing a measurable reduction in risks to the water sector through the resources provided in this toolkit.”
The Water Sector is the foundation for the nation’s health, safety, economy, and security. Yet it faces significant cyber and physical risks amid resource constraints. The toolkit was developed with the water sector and equips sector members with actionable insights to elevate their cybersecurity posture in one place.
“Cyber threats present a risk to the essential drinking water and wastewater services that people across the country rely on every day. EPA, CISA and other federal agencies are working together to support cybersecurity best practices,” said EPA Assistant Administrator for Water Radhika Fox. “This toolkit provides easy access to resources for water utilities to enhance cybersecurity measures.”
Key features of the Water Sector Cybersecurity Toolkit include a newly published Cybersecurity Incident Response Guide and essential services such as free cybersecurity assessment services, vulnerability scanning assessment services, technical assistance support, cybersecurity performance goals alignment, and cyber hygiene tools. This arsenal of resources emphasizes the toolkit’s value in enhancing cybersecurity readiness across the Water Sector. CISA and EPA will update the toolkit periodically to include new resources and respond to the evolving needs of the sector.
For more information on the Water Sector Cybersecurity Toolkit, please visit cisa.gov/water.
The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) assess that People’s Republic of China (PRC) state-sponsored cyber actors are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.
CISA, NSA, FBI and the following partners are releasing this advisory to warn critical infrastructure organizations about this assessment, which is based on observations from the U.S. authoring agencies’ incident response activities at critical infrastructure organizations compromised by the PRC state-sponsored cyber group known as Volt Typhoon (also known as Vanguard Panda, BRONZE SILHOUETTE, Dev-0391, UNC3236, Voltzite, and Insidious Taurus):
U.S. Department of Energy (DOE)
U.S. Environmental Protection Agency (EPA)
U.S. Transportation Security Administration (TSA)
Australian Signals Directorate’s (ASD’s) Australian Cyber Security Centre (ACSC)
Canadian Centre for Cyber Security (CCCS), a part of the Communications Security Establishment (CSE)
United Kingdom National Cyber Security Centre (NCSC-UK)
New Zealand National Cyber Security Centre (NCSC-NZ)
The U.S. authoring agencies have confirmed that Volt Typhoon has compromised the IT environments of multiple critical infrastructure organizations—primarily in Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors—in the continental and non-continental United States and its territories, including Guam. Volt Typhoon’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions. The U.S. authoring agencies are concerned about the potential for these actors to use their network access for disruptive effects in the event of potential geopolitical tensions and/or military conflicts. CCCS assesses that the direct threat to Canada’s critical infrastructure from PRC state-sponsored actors is likely lower than that to U.S. infrastructure, but should U.S. infrastructure be disrupted, Canada would likely be affected as well, due to cross-border integration. ASD’s ACSC and NCSC-NZ assess Australian and New Zealand critical infrastructure, respectively, could be vulnerable to similar activity from PRC state-sponsored actors.
As the authoring agencies have previously highlighted, the use of living off the land (LOTL) techniques is a hallmark of Volt Typhoon actors’ malicious cyber activity when targeting critical infrastructure. The group also relies on valid accounts and leverages strong operational security, which, combined, allow for long-term undiscovered persistence. In fact, the U.S. authoring agencies have recently observed indications of Volt Typhoon actors maintaining access and footholds within some victim IT environments for at least five years. Volt Typhoon actors conduct extensive pre-exploitation reconnaissance to learn about the target organization and its environment; tailor their tactics, techniques, and procedures (TTPs) to the victim’s environment; and dedicate ongoing resources to maintaining persistence and understanding the target environment over time, even after initial compromise.
The authoring agencies urge critical infrastructure organizations to apply the mitigations in this advisory and to hunt for similar malicious activity using the guidance herein provided, along with the recommendations found in joint guide Identifying and Mitigating Living Off the Land Techniques. These mitigations are primarily intended for IT and OT administrators in critical infrastructure organizations. Following the mitigations for prevention of or in response to an incident will help disrupt Volt Typhoon’s accesses and reduce the threat to critical infrastructure entities.
If activity is identified, the authoring agencies strongly recommend that critical infrastructure organizations apply the incident response recommendations in this advisory and report the incident to the relevant agency (see Contact Information section).
In May 2023, the authoring agencies—working with industry partners—disclosed information about activity attributed to Volt Typhoon (see joint advisory People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection). Since then, CISA, NSA, and FBI have determined that this activity is part of a broader campaign in which Volt Typhoon actors have successfully infiltrated the networks of critical infrastructure organizations in the continental and non-continental United States and its territories, including Guam.
The U.S. authoring agencies have primarily observed compromises linked to Volt Typhoon in Communications, Energy, Transportation Systems, and Water and Wastewater Systems sector organizations’ IT networks. Some victims are smaller organizations with limited cybersecurity capabilities that provide critical services to larger organizations or key geographic locations.
Volt Typhoon actors tailor their TTPs to the victim environment; however, the U.S. authoring agencies have observed the actors typically following the same pattern of behavior across identified intrusions. Their choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable the disruption of OT functions across multiple critical infrastructure sectors (see Figure 1).
Volt Typhoon conducts extensive pre-compromise reconnaissance to learn about the target organization’s network architecture and operational protocols. This reconnaissance includes identifying network topologies, security measures, typical user behaviors, and key network and IT staff. The intelligence gathered by Volt Typhoon actors is likely leveraged to enhance their operational security. For example, in some instances, Volt Typhoon actors may have abstained from using compromised credentials outside of normal working hours to avoid triggering security alerts on abnormal account activities.
Volt Typhoon typically gains initial access to the IT network by exploiting known or zero-day vulnerabilities in public-facing network appliances (e.g., routers, virtual private networks [VPNs], and firewalls) and then connects to the victim’s network via VPN for follow-on activities.
Volt Typhoon aims to obtain administrator credentials within the network, often by exploiting privilege escalation vulnerabilities in the operating system or network services. In some cases, Volt Typhoon has obtained credentials insecurely stored on a public-facing network appliance.
Volt Typhoon uses valid administrator credentials to move laterally to the domain controller (DC) and other devices via remote access services such as Remote Desktop Protocol (RDP).
Volt Typhoon conducts discovery in the victim’s network, leveraging LOTL binaries for stealth. A key tactic includes using PowerShell to perform targeted queries on Windows event logs, focusing on specific users and periods. These queries facilitate the discreet extraction of security event logs into .dat files, allowing Volt Typhoon actors to gather critical information while minimizing detection. This strategy, blending in-depth pre-compromise reconnaissance with meticulous post-exploitation intelligence collection, underscores their sophisticated and strategic approach to cyber operations.
Volt Typhoon achieves full domain compromise by extracting the Active Directory database (NTDS.dit) from the DC. Volt Typhoon frequently employs the Volume Shadow Copy Service (VSS) using command-line utilities such as vssadmin to access NTDS.dit. The NTDS.dit file is a centralized repository that contains critical Active Directory data, including user accounts, passwords (in hashed form), and other sensitive data, which can be leveraged for further exploitation. This method entails the creation of a shadow copy—a point-in-time snapshot—of the volume hosting the NTDS.dit file. By leveraging this snapshot, Volt Typhoon actors effectively bypass the file locking mechanisms inherent in a live Windows environment, which typically prevent direct access to the NTDS.dit file while the domain controller is operational.
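The discovery and credential-theft steps described above (targeted Security-log exports to .dat files, and NTDS.dit retrieval through a vssadmin shadow copy) leave process command lines behind even when no malware is dropped. The Python script below is an added example, not part of the advisory and not CISA tooling: it runs a small set of command-line hunts over constructed process-creation records (JSON lines in the shape of Windows Security event 4688, with a made-up host/user/parent/cmd layout) and then correlates, per host, whether both the AD database and the SYSTEM hive were collected, because NTDS.dit cannot be decrypted offline without the boot key from that hive. The regexes, field names and sample commands are assumptions for illustration. It goes slightly beyond the advisory by also covering ntdsutil IFM exports and reg.exe hive saves, which reach the same end by a different route.

```python
import json
import re
from dataclasses import dataclass

# Constructed process-creation records (the shape of Windows Security event 4688 exported as
# JSON lines). Hosts, users and command lines are made up for this example.
SAMPLE_4688 = r"""
{"host": "dc01", "user": "CORP\\svc_backup", "parent": "services.exe", "cmd": "C:\\Windows\\System32\\vssadmin.exe create shadow /for=C:"}
{"host": "dc01", "user": "CORP\\svc_backup", "parent": "cmd.exe", "cmd": "copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy3\\Windows\\NTDS\\ntds.dit C:\\Windows\\Temp\\n.dit"}
{"host": "dc01", "user": "CORP\\svc_backup", "parent": "cmd.exe", "cmd": "reg save HKLM\\SYSTEM C:\\Windows\\Temp\\sys.hiv"}
{"host": "dc02", "user": "CORP\\jdoe", "parent": "powershell.exe", "cmd": "Get-EventLog security -instanceid 4624 -after 2024-01-01 | Out-File C:\\Windows\\Temp\\log.dat"}
{"host": "dc02", "user": "CORP\\jdoe", "parent": "cmd.exe", "cmd": "ntdsutil \"ac i ntds\" ifm \"create full C:\\Temp\\ifm\" q q"}
{"host": "ws17", "user": "CORP\\asmith", "parent": "explorer.exe", "cmd": "C:\\Windows\\System32\\notepad.exe C:\\Users\\asmith\\notes.txt"}
{"host": "dc01", "user": "NT AUTHORITY\\SYSTEM", "parent": "services.exe", "cmd": "C:\\Windows\\System32\\vssadmin.exe list shadows"}
"""

# Each rule: (description, tags, pattern). Tags drive the correlation below:
#   ntds = reads the AD database, hive = obtains the SYSTEM hive (boot key), log = collects Security logs.
RULES = [
    ("shadow copy created with vssadmin", {"ntds"},
     re.compile(r"\bvssadmin(?:\.exe)?\s+create\s+shadow\b", re.I)),
    ("ntds.dit read through a shadow copy device path", {"ntds"},
     re.compile(r"HarddiskVolumeShadowCopy\d+\\.*?\bntds\.dit\b", re.I)),
    ("ntdsutil IFM export (bundles NTDS.dit with the SYSTEM hive)", {"ntds", "hive"},
     re.compile(r"\bntdsutil\b.*\bifm\b", re.I)),
    ("SYSTEM hive saved with reg.exe", {"hive"},
     re.compile(r"\breg(?:\.exe)?\s+save\s+HKLM\\SYSTEM\b", re.I)),
    ("Security log exported to a .dat file from PowerShell", {"log"},
     re.compile(r"\bGet-(?:EventLog|WinEvent)\b.*\bsecurity\b.*\.dat\b", re.I)),
]


@dataclass
class Hit:
    host: str
    user: str
    rule: str
    tags: set
    cmd: str


def hunt(jsonl: str) -> list:
    """Apply every rule to every record; one Hit per (record, matching rule)."""
    hits = []
    for line in jsonl.strip().splitlines():
        rec = json.loads(line)
        for desc, tags, rx in RULES:
            if rx.search(rec["cmd"]):
                hits.append(Hit(rec["host"], rec["user"], desc, set(tags), rec["cmd"]))
    return hits


def hosts_with_crackable_material(hits: list) -> list:
    """Hosts where both the AD database and the SYSTEM hive were collected. NTDS.dit alone is
    not enough for offline cracking: its password hashes are encrypted with a key that is
    itself protected by the boot key stored in the SYSTEM hive."""
    tags_by_host = {}
    for h in hits:
        tags_by_host.setdefault(h.host, set()).update(h.tags)
    return sorted(host for host, tags in tags_by_host.items() if {"ntds", "hive"} <= tags)


if __name__ == "__main__":
    found = hunt(SAMPLE_4688)
    for h in found:
        print(f"{h.host:5} {h.user:22} {h.rule:60} {h.cmd}")
    print("offline-cracking material collected on:", hosts_with_crackable_material(found))
```

Against the constructed records the script flags five command lines and reports both domain controllers: dc01 because a shadow copy was created, ntds.dit was copied out of it and the SYSTEM hive was saved, and dc02 because a single ntdsutil IFM export delivers both artifacts. Legitimate backup software creates shadow copies constantly, so the correlation (database plus hive, on a DC, under one account) is what keeps this hunt usable; a lone vssadmin hit is only a lead.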
Volt Typhoon likely uses offline password cracking techniques to recover plaintext passwords from these hashes. This process involves extracting the hashes from the NTDS.dit file and then applying password cracking methods such as brute force attacks, dictionary attacks, or precomputed rainbow tables to uncover the plaintext passwords. NT hashes are unsalted, so these attacks are fast and a single cracked value exposes every account that shares the password. Successfully cracked passwords allow Volt Typhoon actors to obtain elevated access and further infiltrate and manipulate the network.
Volt Typhoon uses elevated credentials for strategic network infiltration and additional discovery, often focusing on gaining capabilities to access OT assets. Volt Typhoon actors have been observed testing access to domain-joined OT assets using default OT vendor credentials, and in certain instances, they have possessed the capability to access OT systems whose credentials were compromised via NTDS.dit theft. This access enables potential disruptions, such as manipulating heating, ventilation, and air conditioning (HVAC) systems in server rooms or disrupting critical energy and water controls, leading to significant infrastructure failures (in some cases, Volt Typhoon actors had the capability to access camera surveillance systems at critical infrastructure facilities). In one confirmed compromise, Volt Typhoon actors moved laterally to a control system and were positioned to move to a second control system.
After successfully gaining access to legitimate accounts, Volt Typhoon actors exhibit minimal activity within the compromised environment (except discovery as noted above), suggesting their objective is to maintain persistence rather than immediate exploitation. This assessment is supported by observed patterns where Volt Typhoon methodically re-targets the same organizations over extended periods, often spanning several years, to continuously validate and potentially enhance their unauthorized accesses. Evidence of their meticulous approach is seen in instances where they repeatedly exfiltrate domain credentials, ensuring access to current and valid accounts. For example, in one compromise, Volt Typhoon likely extracted NTDS.dit from three domain controllers in a four-year period. In another compromise, Volt Typhoon actors extracted NTDS.dit two times from a victim in a nine-month period.
Industry reporting—identifying that Volt Typhoon actors are silent on the network following credential dumping and perform discovery to learn about the environment, but do not exfiltrate data—is consistent with the U.S. authoring agencies’ observations. This indicates their aim is to achieve and maintain persistence on the network. In one confirmed compromise, an industry partner observed Volt Typhoon actors dumping credentials at regular intervals.
In addition to leveraging stolen account credentials, the actors use LOTL techniques and avoid leaving malware artifacts on systems that would cause alerts. Their strong focus on stealth and operational security allows them to maintain long-term, undiscovered persistence. Further, Volt Typhoon’s operational security is enhanced by targeted log deletion to conceal their actions within the compromised environment.
See the below sections for Volt Typhoon TTPs observed by the U.S. authoring agencies from multiple confirmed Volt Typhoon compromises.
Observed TTPs
Reconnaissance
Volt Typhoon actors conduct extensive pre-compromise reconnaissance [TA0043] to learn about the target organization [T1591], its network [T1590], and its staff [T1589]. This includes web searches [T1593]—including victim-owned sites [T1594]—for victim host [T1592], identity, and network information, especially for information on key network and IT administrators. According to industry reporting, Volt Typhoon actors use FOFA[1], Shodan, and Censys for querying or searching for exposed infrastructure. In some instances, the U.S. authoring agencies have observed Volt Typhoon actors targeting the personal emails of key network and IT staff [T1589.002] post compromise.
To obtain initial access [TA0001], Volt Typhoon actors commonly exploit vulnerabilities in networking appliances such as those from Fortinet, Ivanti Connect Secure (formerly Pulse Secure), NETGEAR, Citrix, and Cisco [T1190]. They often use publicly available exploit code for known vulnerabilities [T1588.005] but are also adept at discovering and exploiting zero-day vulnerabilities [T1587.004].
In one confirmed compromise, Volt Typhoon actors likely obtained initial access by exploiting CVE-2022-42475 in a network perimeter FortiGate 300D firewall that was not patched. There is evidence of a buffer overflow attack identified within the Secure Sockets Layer (SSL)-VPN crash logs.
Once initial access is achieved, Volt Typhoon actors typically shift to establishing persistent access [TA0003]. They often use VPN sessions to securely connect to victim environments [T1133], enabling discreet follow-on intrusion activities. This tactic not only provides a stable foothold in the network but also allows them to blend in with regular traffic, significantly reducing their chances of detection.
Execution
Volt Typhoon actors rarely use malware for post-compromise execution. Instead, once Volt Typhoon actors gain access to target environments, they use hands-on-keyboard activity via the command-line [T1059] and other native tools and processes on systems [T1218] (often referred to as “LOLBins”), known as LOTL, to maintain and expand access to the victim networks. According to industry reporting, some “commands appear to be exploratory or experimental, as the operators [i.e., malicious actors] adjust and repeat them multiple times.”[2]
For more details on LOTL activity, see the Credential Access and Discovery sections and Appendix A: Volt Typhoon LOTL Activity.
Similar to LOTL, Volt Typhoon actors also use legitimate but outdated versions of Windows system binaries and admin tools. For example, in one confirmed compromise, actors downloaded [T1105] an outdated version of comsvcs.dll onto the DC in a non-standard folder. comsvcs.dll is a legitimate Microsoft Dynamic Link Library (DLL) file normally found in the System32 folder. The actors invoked this DLL’s MiniDump export with the process ID of the Local Security Authority Subsystem Service (LSASS) to dump the LSASS process memory [T1003.001] and obtain credentials (LSASS process memory holds credential material, including NT password hashes, for accounts currently logged on to the host).
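A comsvcs.dll sitting outside the component store and the System32/SysWOW64 directories is a location anomaly that a file-integrity hunt can catch regardless of how the DLL was later invoked. The script below is an added example, not CISA’s code: it builds a constructed volume in a temporary directory (a canonical copy under Windows/System32, a WinSxS copy, a byte-identical copy dropped into a user-writable folder, and an older build in Windows/Temp), then reports every copy found outside the trusted directories together with whether its hash matches the System32 build. The trusted-directory list, folder names and file contents are assumptions for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Directories where a Microsoft-supplied comsvcs.dll is expected (assumption for this example;
# paths are relative to the volume root and compared case-insensitively).
TRUSTED_DIRS = ("Windows/System32", "Windows/SysWOW64", "Windows/WinSxS")


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_stray_copies(root, filename: str = "comsvcs.dll") -> list:
    """Every copy of `filename` under `root` that is not inside a trusted directory, with its
    SHA-256 and whether it is byte-identical to the System32 build. A copy that differs from
    the live System32 file is what an outdated, planted build looks like."""
    root = Path(root)
    canonical = root / "Windows" / "System32" / filename
    reference = sha256_of(canonical) if canonical.is_file() else None
    findings = []
    for p in root.rglob(filename):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if any(rel.lower().startswith(d.lower() + "/") for d in TRUSTED_DIRS):
            continue
        digest = sha256_of(p)
        findings.append({"path": rel, "sha256": digest, "matches_system32": digest == reference})
    return sorted(findings, key=lambda f: f["path"])


def build_demo_tree(root) -> None:
    """Constructed volume for the example. File contents stand in for real DLL bytes."""
    root = Path(root)
    current, outdated = b"comsvcs build 10.0.19041", b"comsvcs build 6.1.7601"
    for rel, content in {
        "Windows/System32/comsvcs.dll": current,
        "Windows/WinSxS/amd64_example_10.0.19041/comsvcs.dll": current,
        "Users/Public/comsvcs.dll": current,
        "Windows/Temp/comsvcs.dll": outdated,
    }.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)


def run_demo() -> list:
    """Build the constructed volume in a temp directory and hunt it."""
    with tempfile.TemporaryDirectory() as d:
        build_demo_tree(d)
        return find_stray_copies(d)


if __name__ == "__main__":
    for f in run_demo():
        verdict = "same bytes as System32" if f["matches_system32"] else "DIFFERS from System32"
        print(f"{f['path']:45} {f['sha256'][:16]}...  {verdict}")
```

On a real host, point `find_stray_copies` at the volume root from an account that can read the component store. An outdated copy will usually still carry a valid Microsoft Authenticode signature, so signature validation alone does not flag it; location is the signal here, and the hash comparison only tells you whether the stray copy is the current build or something older.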
The actors also use legitimate non-native network admin and forensic tools. For example, Volt Typhoon actors have been observed using Magnet RAM Capture (MRC) version 1.20 on domain controllers. MRC is a free imaging tool that captures the physical memory of a computer, and Volt Typhoon actors likely used it to analyze in-memory data for sensitive information (such as credentials) and in-transit data not typically accessible on disk. Volt Typhoon actors have also been observed implanting Fast Reverse Proxy (FRP) for command and control.[3] (See the Command and Control section).
Persistence
Volt Typhoon primarily relies on valid credentials for persistence [T1078].
Defense Evasion
Volt Typhoon has strong operational security. Their actors primarily use LOTL for defense evasion [TA0005], which allows them to camouflage their malicious activity with typical system and network behavior, potentially circumventing simplistic endpoint security capabilities. For more information, see joint guide Identifying and Mitigating Living off the Land Techniques.
Volt Typhoon actors also obfuscate their malware. In one confirmed compromise, Volt Typhoon obfuscated FRP client files (BrightmetricAgent.exe and SMSvcService.exe) and the command-line port scanning utility ScanLine by packing the files with Ultimate Packer for Executables (UPX) [T1027.002]. FRP client applications support encryption, compression, and easy token authentication and work across multiple protocols—including transmission control protocol (TCP), user datagram protocol (UDP), hypertext transfer protocol (HTTP), and hypertext transfer protocol secure (HTTPS). The FRP client applications use the Kuai connection protocol (KCP) for error-checked and anonymous data stream delivery over UDP, with packet-level encryption support. See Appendix C and CISA Malware Analysis Report (MAR)-10448362-1.v1 for more information.
In addition to LOTL and obfuscation techniques, Volt Typhoon actors have been observed selectively clearing Windows Event Logs [T1070.001], system logs, and other technical artifacts to remove evidence [T1070.009] of their intrusion activity and masquerading file names [T1036.005].
Credential Access
Volt Typhoon actors first obtain credentials from public-facing appliances after gaining initial access by exploiting privilege escalation vulnerabilities [T1068] in the operating system or network services. In some cases, they have obtained credentials insecurely stored on the appliance [T1552]. In one instance, where Volt Typhoon likely exploited CVE-2022-42475 in an unpatched Fortinet device, Volt Typhoon actors compromised a domain admin account stored inappropriately on the device.
Volt Typhoon also consistently obtains valid credentials by extracting the Active Directory database file (NTDS.dit)—in some cases multiple times from the same victim over long periods [T1003.003]. NTDS.dit contains usernames, hashed passwords, and group memberships for all domain accounts, essentially allowing for full domain compromise if the hashes can be cracked offline.
To obtain NTDS.dit, the U.S. authoring agencies have observed Volt Typhoon:
Move laterally [TA0008] to the domain controller via an interactive RDP session using a compromised account with domain administrator privileges [T1021.001];
Execute the Windows-native vssadmin [T1006] command to create a volume shadow copy;
Use Windows Management Instrumentation Console (WMIC) commands [T1047] to execute ntdsutil (a LOTL utility) to copy NTDS.dit and SYSTEM registry hive from the volume shadow copy; and
Exfiltrate [TA0010] NTDS.dit and the SYSTEM registry hive to crack passwords offline [T1110.002]. (For more details, including specific commands used, see Appendix A: Volt Typhoon LOTL Activity.) Note: A volume shadow copy contains a copy of all the files and folders that exist on the specified volume. Each volume shadow copy created on a DC includes its NTDS.dit and the SYSTEM registry hive, which provides the keys to decrypt the NTDS.dit file.
Volt Typhoon actors have also been observed interacting with a PuTTY application by enumerating existing stored sessions [T1012]. Given this interaction and the exposure of cleartext-stored proxy passwords used in remote administration, Volt Typhoon actors potentially had access to PuTTY profiles that allow access to critical systems (see the Lateral Movement section).
According to industry reporting, Volt Typhoon actors attempted to dump credentials through LSASS (see Appendix B for commands used).[2]
The U.S. authoring agencies have observed Volt Typhoon actors leveraging Mimikatz to harvest credentials, and industry partners have observed Volt Typhoon leveraging Impacket.[2]
Mimikatz is a credential dumping tool, and Volt Typhoon actors use it to obtain credentials. In one confirmed compromise, Volt Typhoon actors used RDP to connect to a server and run Mimikatz after leveraging a compromised administrator account to deploy it.
Impacket is an open source Python toolkit for programmatically constructing and manipulating network protocols. It contains tools for Kerberos manipulation, Windows credential dumping, packet sniffing, and relay attacks—as well as remote service execution.
Discovery
Volt Typhoon actors have been observed using commercial tools, LOTL utilities, and appliances already present on the system for system information [T1082], network service [T1046], group [T1069] and user [T1033] discovery.
Volt Typhoon uses at least the following LOTL tools and commands for system information, network service, group, and user discovery techniques:
cmd
certutil
dnscmd
ldifde
makecab
net user/group/use
netsh
nltest
netstat
ntdsutil
ping
PowerShell
quser
reg query/reg save
systeminfo
tasklist
wevtutil
whoami
wmic
xcopy
Some observed specific examples of discovery include:
Specifically, in one incident, analysis of the PowerShell console history of a domain controller indicated that security event logs were directed to a file named user.dat, as evidenced by the executed command Get-EventLog security -instanceid 4624 -after [year-month-date] | fl * | Out-File 'C:\users\public\documents\user.dat'. This indicates the group’s specific interest in capturing successful logon events (event ID 4624) to analyze user authentication patterns within the network. Additionally, file system analysis, specifically of the Master File Table (MFT), uncovered evidence of a separate file, systeminfo.dat, which was created in C:\Users\Public\Documents but subsequently deleted [T1070.004]. The presence of these activities suggests a methodical approach by Volt Typhoon actors in collecting and then possibly removing traces of sensitive log information from the compromised system.
Executing tasklist /v to gather a detailed process listing [T1057], followed by executing taskkill /f /im rdpservice.exe (the function of this executable is not known).
Executing net user and quser for user account information [T1087.001].
Creating and accessing a file named rult3uil.log on a domain controller in C:\Windows\System32. The rult3uil.log file contained user activities on a compromised system, showcasing a combination of window title information [T1010] and focus shifts, keypresses, and command executions across Google Chrome and Windows PowerShell, with corresponding timestamps.
Employing ping with various IP addresses to check network connectivity [T1016.001] and net start to list running services [T1007].
See Appendix A for additional LOTL examples.
In one confirmed compromise, Volt Typhoon actors attempted to use Advanced IP Scanner, which was on the network for admin use, to scan the network.
Volt Typhoon actors have been observed strategically targeting network administrator web browser data—focusing on both browsing history and stored credentials [T1555.003]—to facilitate targeting of personal email addresses (see the Reconnaissance section) for further discovery and possible network modifications that may impact the threat actor’s persistence within victim networks.
In one confirmed compromise:
Volt Typhoon actors obtained the history file from the User Data directory of a network administrator user’s Chrome browser. To obtain the history file, Volt Typhoon actors first executed an RDP session to the user’s workstation where they initially attempted, and failed, to obtain the C$ File Name: users\{redacted}\appdata\local\Google\Chrome\User Data\default\History file, as evidenced by the accompanying 1016 (reopen failed) SMB error listed in the application event log. The threat actors then disconnected the RDP session to the workstation and accessed the file C:\Users\{redacted}\Downloads\History.zip. This file presumably contained data from the User Data directory of the user’s Chrome browser, which the actors likely saved in the Downloads directory for exfiltration [T1074]. Shortly after accessing the History.zip file, the actors terminated the RDP sessions.
About four months later, Volt Typhoon actors accessed the same user’s Chrome data, C$ File Name: Users\{redacted}\AppData\Local\Google\Chrome\User Data\Local State and C$ File Name: Users\{redacted}\AppData\Local\Google\Chrome\User Data\Default\Login Data, via SMB. The Local State file contains the Advanced Encryption Standard (AES) encryption key [T1552.004] used to encrypt the passwords stored in the Chrome browser, which would enable the actors to obtain the plaintext passwords stored in the Chrome browser’s Login Data file.
In another confirmed compromise, Volt Typhoon actors accessed directories containing Chrome and Edge user data on multiple systems. Directory interaction was observed over the network to paths such as C:\Users\{redacted}\AppData\Local\Google\Chrome\User Data and C:\Users\{redacted}\AppData\Local\Microsoft\Edge\User Data. They also enumerated several directories, including directories containing vulnerability testing and cyber-related content and facilities data, such as construction drawings [T1083].
Lateral Movement
For lateral movement, Volt Typhoon actors have been observed predominantly employing RDP with compromised valid administrator credentials. Note: With a full on-premises Microsoft Active Directory identity compromise (see the Credential Access section), the group may be capable of using other methods such as Pass the Hash or Pass the Ticket for lateral movement [T1550].
In one confirmed compromise of a Water and Wastewater Systems Sector entity, after obtaining initial access, Volt Typhoon actors connected to the network via a VPN with administrator credentials they obtained and opened an RDP session with the same credentials to move laterally. Over a nine-month period, they moved laterally to a file server, a domain controller, an Oracle Management Server (OMS), and a VMware vCenter server. The actors obtained domain credentials from the domain controller and performed discovery, collection, and exfiltration on the file server (see the Discovery and Collection and Exfiltration sections).
Volt Typhoon’s movement to the vCenter server was likely strategic for pre-positioning to OT assets. The vCenter server was adjacent to OT assets, and Volt Typhoon actors were observed interacting with the PuTTY application on the server by enumerating existing stored sessions. With this information, Volt Typhoon potentially had access to a range of critical PuTTY profiles, including those for water treatment plants, water wells, an electrical substation, OT systems, and network security devices. This would enable them to access these critical systems [T1563]. See Figure 2.
Additionally, Volt Typhoon actors have been observed using PsExec to execute remote processes, including the automated acceptance of the end-user license agreement (EULA) through an administrative account, signified by the -accepteula command-line flag.
Volt Typhoon actors may have attempted to move laterally to a cloud environment in one victim’s network, but direct attribution to the Volt Typhoon group was inconclusive. During the period of their known network presence, there were anomalous login attempts to an Azure tenant [T1021.007] potentially using credentials [T1078.004] previously compromised through theft of NTDS.dit. These attempts, coupled with misconfigured virtual machines with open RDP ports, suggested a potential for cloud-based lateral movement. However, subsequent investigations, including password changes and multifactor authentication (MFA) implementations, revealed authentication failures from non-associated IP addresses, with no definitive link to Volt Typhoon.
Collection and Exfiltration
The U.S. authoring agencies assess Volt Typhoon primarily collects information that would facilitate follow-on actions with physical impacts. For example, in one confirmed compromise, they collected [TA0009] sensitive information obtained from a file server in multiple zipped files [T1560] and likely exfiltrated [TA0010] the files via Server Message Block (SMB) [T1048] (see Figure 3). Collected information included diagrams and documentation related to OT equipment, including supervisory control and data acquisition (SCADA) systems, relays, and switchgear. This data is crucial for understanding and potentially impacting critical infrastructure systems, indicating a focus on gathering intelligence that could be leveraged in actions targeting physical assets and systems.
In another compromise, Volt Typhoon actors leveraged WMIC to create and use temporary directories (C:\Users\Public\pro, C:\Windows\Temp\tmp, C:\Windows\Temp\tmp\Active Directory, and C:\Windows\Temp\tmp\registry) to stage the ntds.dit and SYSTEM registry hives extracted by ntdsutil from volume shadow copies (see the Credential Access section) obtained from two DCs. They then compressed and archived the extracted ntds.dit and accompanying registry files by executing ronf.exe, which was likely a renamed version of the archive utility rar.exe [T1560.001].
They have also been observed setting up FRP clients [T1090] on a victim’s corporate infrastructure to establish covert communications channels [T1573] for command and control. In one instance, Volt Typhoon actors implanted the FRP client with filename SMSvcService.exe on a ShoreTel Enterprise Contact Center (ECC) server and a second FRP client with filename Brightmetricagent.exe on another server. These clients, when executed via PowerShell [T1059.001], open reverse proxies between the compromised system and Volt Typhoon C2 servers. Brightmetricagent.exe has additional capabilities. The FRP client can locate servers behind a network firewall or obscured through Network Address Translation (NAT) [T1016]. It also contains multiplexer libraries that can bi-directionally stream data over NAT networks and contains a command-line interface (CLI) library that can leverage command shells such as PowerShell, Windows Management Instrumentation (WMI), and Z Shell (zsh) [T1059.004]. See Appendix C and MAR-10448362-1.v1 for more information.
In the same compromise, Volt Typhoon actors exploited a Paessler Router Traffic Grapher (PRTG) server as an intermediary for their FRP operations. To facilitate this, they used the netsh command, a legitimate Windows command, to create a PortProxy registry modification [T1112] on the PRTG server [T1090.001]. This key alteration redirected specific port traffic to Volt Typhoon’s proxy infrastructure, effectively converting the PRTG server into a proxy for their C2 traffic [T1584.004] (see Appendix B for details).
DETECTION/HUNT RECOMMENDATIONS
Apply Living off the Land Detection Best Practices
Apply the prioritized detection and hardening best practice recommendations provided in joint guide Identifying and Mitigating Living off the Land Techniques. Many organizations lack security and network management best practices (such as established baselines) that support detection of malicious LOTL activity—this makes it difficult for network defenders to discern legitimate behavior from malicious behavior and conduct behavior analytics, anomaly detection, and proactive hunting. Conventional IOCs associated with the malicious activity are generally lacking, complicating network defenders’ efforts to identify, track, and categorize this sort of malicious behavior. This advisory provides guidance for a multifaceted cybersecurity strategy that enables behavior analytics, anomaly detection, and proactive hunting, which are part of a comprehensive approach to mitigating cyber threats that employ LOTL techniques.
Review Application, Security, and System Event Logs
Routinely review application, security, and system event logs, focusing on Windows Extensible Storage Engine Technology (ESENT) Application Logs. Because Volt Typhoon is capable of long-term undetected persistence, network defenders should assume significant dwell time and review specific application event log IDs, which remain on endpoints for longer periods than security event logs and other ephemeral artifacts. Focus on Windows ESENT logs because certain ESENT Application Log event IDs (216, 325, 326, and 327) may indicate actors copying NTDS.dit.
See Table 1 for examples of ESENT and other key log indicators that should be investigated. Please note that incidents may not always have exact matches listed in the Event Detail column due to variations in event logging and TTPs.
Table 1: Key Log Indicators for Detecting Volt Typhoon Activity

Event ID (Log): 216 (Windows ESENT Application Log)
Event Detail: A database location change was detected from ‘C:\Windows\NTDS\ntds.dit’ to ‘\\?\GLOBALROOT\Device\{redacted}VolumeShadowCopy1\Windows\NTDS\ntds.dit’
Description: A change in the NTDS.dit database location is detected. This could suggest an initial step in NTDS credential dumping where the database is being prepared for extraction.

Event ID (Log): 325 (Windows ESENT Application Log)
Event Detail: The database engine created a new database (2, C:\Windows\Temp\tmp\Active Directory\ntds.dit).
Description: Indicates creation of a new NTDS.dit file in a non-standard directory. Often a sign of data staging for exfiltration. Monitor for unusual database operations in temp directories.

Event ID (Log): 637 (Windows ESENT Application Log)
Event Detail: C:\Windows\Temp\tmp\Active Directory\ntds.jfm-++- (0) New flush map file “C:\Windows\Temp\tmp\Active Directory\ntds.jfm” will be created to enable persisted lost flush detection.
Description: A new flush map file is being created for NTDS.dit. This may suggest ongoing operations related to NTDS credential dumping, potentially capturing uncommitted changes to the NTDS.dit file.

Event ID (Log): 326 (Windows ESENT Application Log)
Event Detail: NTDS-++-12460,D,100-++--++-1-++-C:\$SNAP_{redacted}_VOLUMEC$\Windows\NTDS\ntds.dit-++-0-++- [1] The database engine attached a database. Began mounting of C:\Windows\NTDS\ntds.dit file created from volume shadow copy process
Description: Represents the mounting of an NTDS.dit file from a volume shadow copy. This is a critical step in NTDS credential dumping, indicating active manipulation of a domain controller’s data.

Event ID (Log): 327 (Windows ESENT Application Log)
Event Detail: C:\Windows\Temp\tmp\Active Directory\ntds.dit-++-1-++- [1] The database engine detached a database (2, C:\Windows\Temp\tmp\Active Directory\ntds.dit). Completion of mounting of ntds.dit file to C:\Windows\Temp\tmp\Active Director
Description: The detachment of a database, particularly in a temp directory, could indicate the completion of a credential dumping process, potentially as part of exfiltration preparations.

Event ID (Log): 21 (Windows Terminal Services Local Session Manager Operational Log)
Description: Successful start of a new Remote Desktop session. This may imply lateral movement or unauthorized remote access, especially if the user or session is unexpected.

Event ID (Log): 23 (Windows Terminal Services Local Session Manager Operational Log)
Description: Successful reconnection to a Remote Desktop Services session. This may imply lateral movement or unauthorized remote access, especially if the user or session is unexpected.

Event ID (Log): 1017 (Windows System Log)
Event Detail: Handle scavenged. Share Name: C$ File Name: users\{redacted}\downloads\History.zip Durable: 1 Resilient or Persistent: 0 Guidance: The server closed a handle that was previously reserved for a client after 60 seconds.
Description: Indicates the server closed a handle for a client. While common in network operations, unusual patterns or locations (like History.zip in a user’s downloads) may suggest data collection from a local system.

Event ID (Log): 1102 (Windows Security Log)
Event Detail: All
Description: All Event ID 1102 entries should be investigated, as logs are generally not cleared and this is a known Volt Typhoon tactic to cover their tracks.
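The following PowerShell hunt, added here as an example and not part of the advisory, queries the Table 1 event IDs on a domain controller over a long look-back window. It assumes an elevated session on the DC itself; the regular expressions for "non-standard" NTDS.dit locations are derived from the Event Detail examples above.

```powershell
# Added example (not from the advisory): hunt for the Table 1 log indicators.
# Run in an elevated PowerShell session on a domain controller.

function Invoke-VoltTyphoonLogHunt {
    param(
        # Assume significant dwell time: look back a full year by default.
        [DateTime]$Since = (Get-Date).AddDays(-365)
    )

    # 1. ESENT Application log events tied to NTDS.dit handling (216, 325, 326, 327, 637).
    #    Normal operation references C:\Windows\NTDS\ntds.dit; a shadow-copy path
    #    ($SNAP_, VolumeShadowCopy) or a temp/public directory is the signal.
    $esent = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'ESENT'
        Id           = 216, 325, 326, 327, 637
        StartTime    = $Since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '(?i)ntds\.(dit|jfm)' } |
        Where-Object {
            $_.Message -match '(?i)VolumeShadowCopy|\$SNAP_|\\Temp\\|\\Users\\Public\\' -or
            $_.Message -notmatch '(?i)\\Windows\\NTDS\\ntds\.dit'
        } |
        ForEach-Object {
            [pscustomobject]@{ Time = $_.TimeCreated; Log = 'Application/ESENT'
                               Id = $_.Id; Detail = ($_.Message -replace '\s+', ' ') }
        }

    # 2. Security log cleared (1102). The advisory says every hit warrants investigation.
    $cleared = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 1102; StartTime = $Since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Time = $_.TimeCreated; Log = 'Security'; Id = $_.Id
                           Detail = ($_.Message -replace '\s+', ' ') }
    }

    # 3. RDP session start (21) and reconnect (23) on the DC; review user and source address.
    $rdp = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
        Id        = 21, 23
        StartTime = $Since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Time = $_.TimeCreated; Log = 'TS-LocalSessionManager'; Id = $_.Id
                           Detail = ($_.Message -replace '\s+', ' ') }
    }

    # 4. SMB handle scavenged (1017) for archives under a user profile, as in the
    #    History.zip example. The share/path pattern is an assumption based on Table 1.
    $smb = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; Id = 1017; StartTime = $Since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '(?i)Share Name:\s*[A-Z]\$.*\\users\\.*\.zip' } |
        ForEach-Object {
            [pscustomobject]@{ Time = $_.TimeCreated; Log = 'System'; Id = $_.Id
                               Detail = ($_.Message -replace '\s+', ' ') }
        }

    # Return one timeline, oldest first, so lateral movement, dumping and log
    # clearing can be read in sequence.
    @($esent) + @($cleared) + @($rdp) + @($smb) | Sort-Object Time
}

# Usage: print the timeline and keep a copy for the incident record.
$hits = Invoke-VoltTyphoonLogHunt
$hits | Format-Table Time, Log, Id, Detail -AutoSize -Wrap
$hits | Export-Csv -Path "$env:TEMP\vt-log-hunt.csv" -NoTypeInformation
```

Event IDs 21/23 are noisy on an administratively used DC; correlate the account and source address in Detail against the expected administrator workstations rather than alerting on every entry.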
Monitor and Review OT System Logs
Review access logs for communication paths between IT and OT networks, looking for anomalous accesses or protocols.
Measure the baseline of normal operations and network traffic for the industrial control system (ICS) and assess traffic anomalies for malicious activity.
Configure intrusion detection systems (IDS) to create alarms for any ICS network traffic outside normal operations.
Track and monitor audit trails on critical areas of ICS.
Set up security incident and event monitoring (SIEM) to monitor, analyze, and correlate event logs from across the ICS network to identify intrusion attempts.
Use gait to Detect Possible Network Proxy Activities
Use gait[4] to detect network proxy activities. Developed by Sandia National Labs, gait is a publicly available Zeek[5] extension. The gait extension can help enrich Zeek’s network connection monitoring and SSL logs by including additional metadata in the logs. Specifically, gait captures unique TCP options and timing data such as a TCP, transport layer security (TLS), and Secure Shell (SSH) layer inferred round trip times (RTT), aiding in the identification of the software used by both endpoints and intermediaries.
While the gait extension for Zeek is an effective tool for enriching network monitoring logs with detailed metadata, it is not specifically designed to detect Volt Typhoon actor activities. The extension’s capabilities extend to general anomaly detection in network traffic, including—but not limited to—proxying activities. Therefore, while gait can be helpful in identifying tactics similar to those used by Volt Typhoon, such as proxy networks and FRP clients for C2 communication, not all proxying activities detected by using this additional metadata are necessarily indicative of Volt Typhoon presence. It serves as a valuable augmentation to current security stacks for a broader spectrum of threat detection.
Examine VPN or other account logon times, frequency, duration, and locations. Logons from two geographically distant locations within a short timeframe from a single user may indicate an account is being used maliciously. Logons of unusual frequency or duration may indicate a threat actor attempting to access a system repeatedly or maintain prolonged sessions for the purpose of data extraction.
Review Standard Directories for Unusual Files
Review directories, such as C:\windows\temp and C:\users\public, for unexpected or unusual files. Monitor these temporary file storage directories for files typically located in standard system paths, such as the System32 directory. For example, Volt Typhoon has been observed downloading comsvcs.dll to a non-standard folder (this file is normally found in the System32 folder).
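As an added example (not from the advisory), the script below audits a Windows host for three artifacts described in this advisory: System32 file names appearing in temp or public directories, netsh PortProxy rules persisted in the registry, and PowerShell console history entries that redirect event logs to a public directory. Directory and pattern choices are assumptions taken from the examples in the text.

```powershell
# Added example (not from the advisory): host-level hunt for artifacts this advisory describes.
# Run elevated; read-only, nothing is modified.

$TempDirs = 'C:\Windows\Temp', 'C:\Users\Public'
$System32 = Join-Path $env:SystemRoot 'System32'

function Find-MisplacedSystemFiles {
    param([string[]]$Directories = $TempDirs)
    # Index the file names that normally live in System32 (comsvcs.dll among them).
    $sysNames = @{}
    Get-ChildItem -Path $System32 -File -ErrorAction SilentlyContinue |
        ForEach-Object { $sysNames[$_.Name.ToLowerInvariant()] = $_.FullName }

    foreach ($dir in $Directories) {
        Get-ChildItem -Path $dir -File -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $sysNames.ContainsKey($_.Name.ToLowerInvariant()) } |
            ForEach-Object {
                $expected = $sysNames[$_.Name.ToLowerInvariant()]
                [pscustomobject]@{
                    Path           = $_.FullName
                    ExpectedPath   = $expected
                    # A copy whose hash differs from the System32 file may be an
                    # outdated version dropped by an actor, as in the comsvcs.dll case.
                    SameAsSystem32 = (Get-FileHash $_.FullName).Hash -eq (Get-FileHash $expected).Hash
                    LastWriteUtc   = $_.LastWriteTimeUtc
                }
            }
    }
}

function Get-PortProxyEntries {
    # "netsh interface portproxy add" persists rules under this key; a host that
    # is not intentionally forwarding ports should have no entries at all.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy'
    if (-not (Test-Path $base)) { return }
    Get-ChildItem -Path $base -Recurse | ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Rule    = $key.Name -replace '^HKEY_LOCAL_MACHINE\\', 'HKLM\'  # e.g. ...\PortProxy\v4tov4\tcp
                Listen  = $name                # listenaddress/listenport
                Connect = $key.GetValue($name) # connectaddress/connectport
            }
        }
    }
}

function Find-SuspiciousConsoleHistory {
    # PSReadLine keeps per-user command history; the advisory's user.dat example
    # was found in exactly this kind of history. Patterns are assumptions.
    $histories = 'C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
    Get-ChildItem -Path $histories -ErrorAction SilentlyContinue |
        Select-String -Pattern '(?i)Get-EventLog|Get-WinEvent.*Out-File|Out-File\s+.*\\Users\\Public|ntdsutil|vssadmin' |
        ForEach-Object {
            [pscustomobject]@{ File = $_.Path; Line = $_.LineNumber; Command = $_.Line }
        }
}

# Usage: run all three checks and print anything found.
Find-MisplacedSystemFiles   | Format-Table -AutoSize -Wrap
Get-PortProxyEntries        | Format-Table -AutoSize
Find-SuspiciousConsoleHistory | Format-Table -AutoSize -Wrap
```

Baseline the output once on a known-good build of the same image; any later difference in the first two checks is the finding, since legitimate software rarely drops System32-named binaries into C:\Users\Public.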
INCIDENT RESPONSE
If compromise, or potential compromise, is detected, organizations should assume full domain compromise because of Volt Typhoon’s known behavioral pattern of extracting NTDS.dit from the DCs. Organizations should immediately implement the following defensive countermeasures:
Sever the enterprise network from the internet. Note: this step requires the agency to understand its internal and external connections. When making the decision to sever internet access, knowledge of connections must be combined with care to avoid disrupting critical functions.
If you cannot sever from the internet, shut down all non-essential traffic between the affected enterprise network and the internet.
Reset credentials of privileged and non-privileged accounts within the trust boundary of each compromised account.
Reset passwords for all domain users and all local accounts, such as Guest, HelpAssistant, DefaultAccount, System, Administrator, and krbtgt. The krbtgt account is responsible for handling Kerberos ticket requests as well as encrypting and signing them. The krbtgt account should be reset twice because the account has a two-password history. The first reset of the krbtgt account must be allowed to replicate prior to the second reset to avoid any issues. See CISA’s Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise for more information. Although tailored to FCEB agencies compromised in the 2020 SolarWinds Orion supply chain compromise, the steps are applicable to any organization with a Windows AD compromise.
Review access policies to temporarily revoke privileges/access for affected accounts/devices. If it is necessary to not alert the attacker (e.g., for intelligence purposes), then privileges can be reduced for affected accounts/devices to “contain” them.
Reset the relevant account credentials or access keys if the investigation finds the threat actor’s access is limited to non-elevated permissions.
Monitor related accounts, especially administrative accounts, for any further signs of unauthorized access.
Audit all network appliance and edge device configurations with indicators of malicious activity for signs of unauthorized or malicious configuration changes. Organizations should ensure they audit the current network device running configuration and any local configurations that could be loaded at boot time. If configuration changes are identified:
Change all credentials being used to manage network devices, to include keys and strings used to secure network device functions (SNMP strings/user credentials, IPsec/IKE preshared keys, routing secrets, TACACS/RADIUS secrets, RSA keys/certificates, etc.).
Update all firmware and software to the latest version.
Report the compromise to an authoring agency (see the Contact Information section).
For organizations with cloud or hybrid environments, apply best practices for identity and credential access management.
Verify that all accounts with privileged role assignments are cloud native, not synced from Active Directory.
Audit conditional access policies to ensure Global Administrators and other highly privileged service principals and accounts are not exempted.
Audit privileged role assignments to ensure adherence to the principle of least privilege when assigning privileged roles.
Leverage just-in-time and just-enough access mechanisms when administrators need to elevate to a privileged role.
In hybrid environments, ensure federated systems (such as AD FS) are configured and monitored properly.
Audit Enterprise Applications for recently added applications and examine the API permissions assigned to each.
Reconnect to the internet. Note: The decision to reconnect to the internet depends on senior leadership’s confidence in the actions taken. It is possible—depending on the environment—that new information discovered during pre-eviction and eviction steps could add additional eviction tasks.
Consider sharing technical information with an authoring agency and/or a sector-specific information sharing and analysis center.
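The double krbtgt reset with a replication check between the two resets, as an added example that is not part of the advisory. It assumes the ActiveDirectory module, Domain Admin rights, and that every writable DC is reachable; the poll interval is an arbitrary choice.

```powershell
# Added example (not from the advisory): reset krbtgt twice, allowing the first
# reset to replicate to every writable DC before performing the second.
Import-Module ActiveDirectory

function Get-KrbtgtPwdLastSet {
    # Read pwdLastSet from each writable DC directly. The values converge once
    # the first reset has replicated everywhere.
    foreach ($dc in Get-ADDomainController -Filter 'IsReadOnly -eq $false') {
        $u = Get-ADUser -Identity krbtgt -Server $dc.HostName -Properties pwdLastSet
        [pscustomobject]@{
            DC            = $dc.HostName
            PwdLastSetUtc = [DateTime]::FromFileTimeUtc($u.pwdLastSet)
        }
    }
}

function Test-KrbtgtReplicated {
    param([Parameter(Mandatory)][DateTime]$NotBeforeUtc)
    # True only when no DC still reports a pwdLastSet older than the reset time.
    $behind = @(Get-KrbtgtPwdLastSet | Where-Object { $_.PwdLastSetUtc -lt $NotBeforeUtc })
    foreach ($b in $behind) { Write-Host "  waiting on $($b.DC) ($($b.PwdLastSetUtc))" }
    return ($behind.Count -eq 0)
}

function Reset-KrbtgtOnce {
    # The new value is random and never needed again; Kerberos derives keys from it.
    $bytes = New-Object byte[] 48
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $pw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    # Allow one minute of clock skew between DCs when comparing pwdLastSet later.
    $stamp = (Get-Date).ToUniversalTime().AddMinutes(-1)
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $pw
    return $stamp
}

function Invoke-KrbtgtDoubleReset {
    param([int]$PollSeconds = 60)
    Write-Host 'First krbtgt reset'
    $first = Reset-KrbtgtOnce
    while (-not (Test-KrbtgtReplicated -NotBeforeUtc $first)) {
        Start-Sleep -Seconds $PollSeconds
    }
    Write-Host 'First reset replicated to all writable DCs; performing second reset'
    $second = Reset-KrbtgtOnce
    while (-not (Test-KrbtgtReplicated -NotBeforeUtc $second)) {
        Start-Sleep -Seconds $PollSeconds
    }
    Write-Host 'Second reset replicated. Existing TGTs issued under the old keys are now invalid.'
    Get-KrbtgtPwdLastSet
}

Invoke-KrbtgtDoubleReset
```

Because the second reset invalidates every outstanding TGT, schedule it with the service owners in mind: Microsoft's general guidance is to leave at least the maximum ticket lifetime (10 hours by default) between the two resets when disruption, rather than speed of eviction, is the larger concern.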
For more information on incident response and remediation, see:
MITIGATIONS
These mitigations are intended for IT administrators in critical infrastructure organizations. The authoring agencies recommend that software manufacturers incorporate secure by design and default principles and tactics into their software development practices to strengthen the security posture for their customers.
The authoring agencies recommend that organizations implement the mitigations below to improve their cybersecurity posture on the basis of Volt Typhoon activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
IT Network Administrators and Defenders
Harden the Attack Surface
Apply patches for internet-facing systems within a risk-informed span of time [CPG 1E]. Prioritize patching critical assets, known exploited vulnerabilities, and vulnerabilities in appliances known to be frequently exploited by Volt Typhoon (e.g., Fortinet, Ivanti, NETGEAR, Citrix, and Cisco devices).
Apply vendor-provided or industry standard hardening guidance to strengthen software and system configurations. Note: As part of CISA’s Secure by Design campaign, CISA urges software manufacturers to prioritize secure by default configurations to eliminate the need for customer implementation of hardening guidelines.
Maintain and regularly update an inventory of all organizational IT assets [CPG 1A].
Use third party assessments to validate current system and network security compliance via security architecture reviews, penetration tests, bug bounties, attack surface management services, incident simulations, or table-top exercises (both announced and unannounced) [CPG 1F].
Limit internet exposure of systems when not necessary. An organization’s primary attack surface is the combination of the exposure of all its internet-facing systems. Decrease the attack surface by not exposing systems or management interfaces to the internet when not necessary.
Secure Credentials
Do not store credentials on edge appliances/devices. Ensure edge devices do not contain accounts that could provide domain admin access.
Do not store plaintext credentials on any system [CPG 2L]. Credentials should be stored securely—such as with a credential/password manager or vault, or other privileged account management solutions—so they can only be accessed by authenticated and authorized users.
Change default passwords [CPG 2A] and ensure they meet the policy requirements for complexity.
Implement and enforce an organizational system-enforced policy that:
Requires passwords for all IT password-protected assets to be at least 15 characters;
Does not allow users to reuse passwords for accounts, applications, services, etc., [CPG 2C]; and
Does not allow service accounts/machine accounts to reuse passwords from member user accounts.
Configure Group Policy settings to prevent web browsers from saving passwords and disable autofill functions.
Disable the storage of clear text passwords in LSASS memory.
User accounts should never have administrator or super-user privileges [CPG 2E].
Administrators should never use administrator accounts for actions and activities not associated with the administrator role (e.g., checking email, web browsing).
Enforce the principle of least privilege.
Ensure administrator accounts only have the minimum permissions necessary to complete their tasks.
Review account permissions for default/accounts for edge appliances/devices and remove domain administrator privileges, if identified.
Significantly limit the number of users with elevated privileges. Implement continuous monitoring for changes in group membership, especially in privileged groups, to detect and respond to unauthorized modifications.
Remove accounts from high-privilege groups like Enterprise Admins and Schema Admins. Temporarily reinstate these privileges only when necessary and under strict auditing to reduce the risk of privilege abuse.
Transition to Group Managed Service Accounts (gMSAs) where suitable for enhanced management and security of service account credentials. gMSAs provide automated password management and simplified Service Principal Name (SPN) management, enhancing security over traditional service accounts. See Microsoft’s Group Managed Service Accounts Overview.
Enforce strict policies via Group Policy and User Rights Assignments to limit high-privilege service accounts.
Consider using a privileged access management (PAM) solution to manage access to privileged accounts and resources [CPG 2L]. PAM solutions can also log and alert usage to detect any unusual activity.
Complement the PAM solution with role-based access control (RBAC) for tailored access based on job requirements. This ensures that elevated access is granted only when required and for a limited duration, minimizing the window of opportunity for abuse or exploitation of privileged credentials.
Implement an Active Directory tiering model to segregate administrative accounts based on their access level and associated risk. This approach reduces the potential impact of a compromised account. See Microsoft’s PAM environment tier model.
Disable all user accounts and access to organizational resources of employees on the day of their departure [CPG 2G].
Regularly audit all user, admin, and service accounts and remove or disable unused or unneeded accounts as applicable.
Regularly roll NTLM hashes of accounts that support token-based authentication.
Improve management of hybrid (cloud and on-premises) identity federation by:
Using cloud-only administrators that are asynchronous with on-premises environments and ensuring on-premises administrators are asynchronous to the cloud.
Using CISA’s SCuBAGear tool to discover cloud misconfigurations in Microsoft cloud tenants. SCuBAGear is an automation script for comparing Federal Civilian Executive Branch (FCEB) agency tenant configurations against CISA M365 baseline recommendations. SCuBAGear is part of CISA’s Secure Cloud Business Applications (SCuBA) project, which provides guidance for FCEB agencies, securing their cloud business application environments and protecting federal information created, accessed, shared, and stored in those environments. Although tailored to FCEB agencies, the project provides security guidance applicable to all organizations with cloud environments. For more information on SCuBAGear see CISA’s Secure Cloud Business Applications (SCuBA) Project.
Using endpoint detection and response capabilities to actively defend on-premises federation servers.
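The controls above (limit privileged group membership, monitor group changes, disable departed employees’ accounts, audit unused accounts) can be checked from one script. The following is an added example and is not code from the advisory or from CISA; it assumes the ActiveDirectory module (RSAT) on a domain-joined host with read access to AD and to domain controller Security logs, and the privileged group list is an assumption to adapt to your tiering model.

```powershell
# Added example (not from the advisory): audit privileged group membership and
# stale accounts with the ActiveDirectory module. Disable-ADAccount only runs
# when -Remediate is passed.
Import-Module ActiveDirectory

# Assumption: groups considered privileged; adjust to your tiering model.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators')

function Get-PrivilegedMembers {
    # -Recursive expands nested groups so indirect members are counted too.
    foreach ($g in $PrivilegedGroups) {
        try {
            Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
                Where-Object objectClass -eq 'user' |
                ForEach-Object { [pscustomobject]@{ Group = $g; SamAccountName = $_.SamAccountName } }
        } catch { Write-Warning "Group '$g' not found or not readable: $_" }
    }
}

function Get-StaleEnabledAccounts([int]$Days = 90) {
    # Enabled user accounts with no logon in $Days days. lastLogonTimestamp
    # replicates with roughly 14-day granularity, so treat results as leads.
    Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($Days)) -UsersOnly |
        Where-Object Enabled -eq $true
}

function Invoke-PrivilegedAccountAudit {
    param([int]$InactiveDays = 90, [switch]$Remediate)
    $priv  = @(Get-PrivilegedMembers)
    $stale = @(Get-StaleEnabledAccounts -Days $InactiveDays)
    $staleNames = $stale.SamAccountName

    # Highest-risk finding: a privileged account nobody has used recently,
    # the kind of account a departed employee leaves behind.
    $stalePriv = $priv | Where-Object { $staleNames -contains $_.SamAccountName }

    [pscustomobject]@{
        PrivilegedAccounts   = ($priv.SamAccountName | Sort-Object -Unique).Count
        StaleEnabledAccounts = $stale.Count
        StalePrivileged      = $stalePriv
    }

    if ($Remediate) {
        foreach ($u in $stale) {
            Disable-ADAccount -Identity $u.DistinguishedName
            Set-ADUser -Identity $u.DistinguishedName `
                -Description "Disabled by audit $(Get-Date -Format s): inactive $InactiveDays days"
        }
    }
}

function Get-PrivilegedGroupChanges([int]$Hours = 24) {
    # Security events 4728/4732/4756: member added to a global/local/universal
    # security group. Run on a domain controller or against forwarded DC logs.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728, 4732, 4756
                                     StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml(); $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{ Time = $_.TimeCreated; Group = $d.TargetUserName
                               Member = $d.MemberName; ByUser = $d.SubjectUserName }
        } | Where-Object { $PrivilegedGroups -contains $_.Group }
}

Invoke-PrivilegedAccountAudit -InactiveDays 90 | Format-List
Get-PrivilegedGroupChanges -Hours 24 | Format-Table -AutoSize
```

Run the audit read-only first; the `-Remediate` switch disables every stale account it finds, so review the list against HR records before using it. The group-change query is the basis for continuous alerting: forward DC Security logs to your SIEM and alert on the same three event IDs when the target group is in the privileged list.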
Secure Remote Access Services
Limit the use of RDP and other remote desktop services. If RDP is necessary, apply best practices, including auditing the network for systems using RDP, closing unused RDP ports, and logging RDP login attempts.
Disable Server Message Block (SMB) protocol version 1 and upgrade to version 3 (SMBv3) after mitigating existing dependencies (on existing systems or applications), as they may break when disabled.
Harden SMBv3 by implementing guidance included in joint #StopRansomware Guide (see page 8 of the guide).
Securely store sensitive data (including operational technology documentation, network diagrams, etc.), ensuring that only authenticated and authorized users can access the data.
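The SMBv1 and RDP items above both hinge on knowing what depends on the protocol before changing it. The following added example is not from the advisory; it checks a Windows host’s SMB and RDP posture, lists active sessions still negotiating an SMB 1.x dialect, and only disables SMBv1 when explicitly called. It assumes the SmbShare module (present on modern Windows) and local administrator rights; the optional-feature name applies to Windows client editions, while Windows Server removes SMBv1 through the FS-SMB1 feature instead.

```powershell
# Added example (not from the advisory): SMBv1/RDP posture check with a
# dependency check before disabling SMBv1.
function Get-Smb1Dependents {
    # Any active inbound session negotiating a dialect below 2.0 still depends
    # on SMBv1; fix those clients before the protocol is disabled.
    Get-SmbSession -ErrorAction SilentlyContinue |
        Where-Object { $_.Dialect -and ([version]$_.Dialect -lt [version]'2.0') } |
        Select-Object ClientComputerName, ClientUserName, Dialect
}

function Get-SmbRdpPosture {
    $smb    = Get-SmbServerConfiguration
    $rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpDenied = (Get-ItemProperty -Path $rdpKey -Name fDenyTSConnections).fDenyTSConnections
    # UserAuthentication = 1 means Network Level Authentication is required.
    $nla = (Get-ItemProperty -Path "$rdpKey\WinStations\RDP-Tcp" -Name UserAuthentication).UserAuthentication
    [pscustomobject]@{
        Smb1Enabled        = $smb.EnableSMB1Protocol
        SmbSigningRequired = $smb.RequireSecuritySignature
        SmbEncryptData     = $smb.EncryptData
        RdpEnabled         = ($rdpDenied -eq 0)
        RdpNlaRequired     = ($nla -eq 1)
        Smb1Dependents     = @(Get-Smb1Dependents)
    }
}

function Disable-Smb1 {
    # Call deliberately, only after Get-Smb1Dependents returns nothing.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Client editions; on Windows Server use: Remove-WindowsFeature FS-SMB1
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

$posture = Get-SmbRdpPosture
$posture | Format-List
if ($posture.Smb1Enabled -and $posture.Smb1Dependents.Count -eq 0) {
    Write-Host 'SMBv1 is enabled but no active SMBv1 sessions were seen; review clients over a full business cycle, then run Disable-Smb1.'
}
```

One observation of `Get-SmbSession` only shows clients connected at that moment, so sample it over a representative period (or enable SMB1 access auditing) before concluding nothing depends on SMBv1.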
Implement Network Segmentation
Ensure that sensitive accounts use their administrator credentials only on hardened, secure computers. This practice can reduce lateral movement exposure within networks.
Conduct comprehensive trust assessments to identify business-critical trusts and apply necessary controls to prevent unauthorized cross-forest/domain traversal.
Harden federated authentication by enabling Security Identifier (SID) Filtering and Selective Authentication on AD trust relationships to further restrict unauthorized access across domain boundaries.
Implement network segmentation to isolate federation servers from other systems and limit allowed traffic to systems and protocols that require access in accordance with Zero Trust principles.
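The trust assessment and the two trust controls above can be enumerated from the trusting domain. This added example is not from the advisory; it assumes the ActiveDirectory module and that the script runs as a user of the trusting domain (`$env:USERDNSDOMAIN` is used as that domain name). It reports findings and prints the corresponding `netdom trust` commands rather than running them.

```powershell
# Added example (not from the advisory): list AD trusts and flag those missing
# SID filtering or selective authentication.
Import-Module ActiveDirectory

function Get-TrustPosture {
    $local = $env:USERDNSDOMAIN   # assumption: run from the trusting domain
    Get-ADTrust -Filter * | ForEach-Object {
        $t = $_
        $findings = @(); $fix = @()

        if (-not $t.ForestTransitive) {
            # External/domain trusts: SID filtering is the "quarantine" attribute.
            if (-not $t.SIDFilteringQuarantined) {
                $findings += 'SID filtering (quarantine) off'
                $fix += "netdom trust $local /domain:$($t.Name) /quarantine:yes"
            }
        }
        # Forest trusts filter SIDs by default; they are only weakened if SID
        # history was enabled on the trust, so no quarantine command is emitted.

        if (-not $t.SelectiveAuthentication) {
            $findings += 'Selective authentication off'
            $fix += "netdom trust $local /domain:$($t.Name) /selectiveauth:yes"
        }
        if ($t.TGTDelegation) { $findings += 'TGT delegation allowed across trust' }

        [pscustomobject]@{
            Trust        = $t.Name
            Direction    = $t.Direction
            ForestTrust  = $t.ForestTransitive
            Findings     = ($findings -join '; ')
            SuggestedFix = ($fix -join '; ')
        }
    }
}

Get-TrustPosture | Format-Table -AutoSize -Wrap
```

Selective authentication blocks every cross-trust logon until the resource computers (or their OUs) grant the trusted users the "Allowed to Authenticate" permission, so inventory which foreign accounts legitimately reach which hosts before turning it on.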
Secure Cloud Assets
Harden cloud assets in accordance with vendor-provided or industry standard hardening guidance.
Organizations with Microsoft cloud infrastructure, see CISA’s Microsoft 365 Security Configuration Baseline Guides, which provide minimum viable secure configuration baselines for Microsoft Defender for Office 365, Azure Active Directory (now known as Microsoft Entra ID), Exchange Online, OneDrive for Business, Power BI, Power Platform, SharePoint Online, and Teams. For additional guidance, see the Australian Signals Directorate’s Blueprint for Secure Cloud.
Organizations with Google cloud infrastructure, see CISA’s Google Workspace Security Configuration Baseline Guides, which provide minimum viable secure configuration baselines for Groups for Business, GMAIL, Google Calendar, Google Chat, Google Common Controls, Google Classroom, Google Drive and Docs, Google Meet, and Google Sites.
Revoke unnecessary public access to the cloud environment. This involves reviewing and restricting public endpoints and ensuring that services like storage accounts, databases, and virtual machines are not publicly accessible unless absolutely necessary. Disable legacy authentication protocols across all cloud services and platforms. Legacy protocols frequently lack support for advanced security mechanisms such as multifactor authentication, rendering them susceptible to compromise. Instead, enforce the use of modern authentication protocols that support stronger security features like MFA, token-based authentication, and adaptive authentication measures.
Enforce this practice through the use of Conditional Access Policies. These policies can initially be run in report-only mode to identify potential impacts and plan mitigations before fully enforcing them. This approach allows organizations to systematically control access to their cloud resources, significantly reducing the risk of unauthorized access and potential compromise.
Regularly monitor and audit privileged cloud-based accounts, including service accounts, which are frequently abused to enable broad cloud resource access and persistence.
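The report-only rollout described above for blocking legacy authentication looks like the following in the Microsoft Graph PowerShell SDK. This is an added example, not from the advisory or CISA’s baselines; it assumes the Microsoft.Graph modules are installed, an account with the listed Graph scopes, a Microsoft Entra ID P1 tenant for Conditional Access and sign-in logs, and a placeholder group ID for the emergency-access exclusion.

```powershell
# Added example (not from the advisory): create a block-legacy-auth Conditional
# Access policy in report-only mode, review its would-be impact, then enforce.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'AuditLog.Read.All'

# Placeholder: object ID of the emergency-access ("break-glass") group.
$BreakGlassGroupId = '00000000-0000-0000-0000-000000000000'

$policy = @{
    displayName = 'Block legacy authentication (report-only)'
    # enabledForReportingButNotEnforced = report-only; changed to 'enabled' later.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        # Legacy clients: Exchange ActiveSync plus "other clients"
        # (POP/IMAP/SMTP AUTH, older Office builds) that cannot satisfy MFA.
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Impact review: sign-ins this policy would have blocked show the result
# 'reportOnlyFailure' in their applied-policy list.
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object {
        $_.AppliedConditionalAccessPolicies |
            Where-Object { $_.Id -eq $created.Id -and $_.Result -eq 'reportOnlyFailure' }
    } |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, ClientAppUsed |
    Format-Table -AutoSize

# Enforce once the affected users and apps have been migrated or accepted:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
```

Leave the policy in report-only mode for at least one full business cycle (month-end processes and scheduled jobs often use the oldest clients) before switching the state to `enabled`, and keep the break-glass exclusion so a misconfiguration cannot lock administrators out.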
Be Prepared
Ensure logging is turned on for application, access, and security logs (e.g., intrusion detection systems/intrusion prevention systems, firewall, data loss prevention, and VPNs) [CPG 2T]. Given Volt Typhoon’s use of LOTL techniques and their significant dwell time, application event logs may be a valuable resource to hunt for Volt Typhoon activity because these logs typically remain on endpoints for relatively long periods of time.
For OT assets where logs are non-standard or not available, collect network traffic and communications between those assets and other assets.
Implement file integrity monitoring (FIM) tools to detect unauthorized changes.
Store logs in a central system, such as a security information and event management (SIEM) tool or central database.
Ensure the logs can only be accessed or modified by authorized and authenticated users [CPG 2U].
Store logs for a period informed by risk or pertinent regulatory guidelines. (CISA recommends storing logs for at least X years, given Volt Typhoon’s long dwell time.)
Establish and continuously maintain a baseline of installed tools and software, account behavior, and network traffic. This way, network defenders can identify potential outliers, which may indicate malicious activity. Note: For information on establishing a baseline, see joint guide Identifying and Mitigating Living off the Land Techniques.
Document a list of threats and cyber actor TTPs relevant to your organization (e.g., based on industry or sectors), and maintain the ability (such as via rules, alerting, or commercial prevention and detection systems) to detect instances of those key threats [CPG 3A].
Implement periodic training for all employees and contractors that covers basic security concepts (such as phishing, business email compromise, basic operational security, password security, etc.), as well as fostering an internal culture of security and cyber awareness [CPG 2I].
Tailor the training to network IT personnel/administrators and other key staff based on relevant organizational cyber threats and TTPs, such as Volt Typhoon. For example, communicate that Volt Typhoon actors are known to target personal email accounts of IT staff, and encourage staff to protect their personal email accounts by using strong passwords and implementing MFA.
In addition to basic cybersecurity training, ensure personnel who maintain or secure OT as part of their regular duties receive OT-specific cybersecurity training on at least an annual basis [CPG 2J].
Educate users about the risks associated with storing unprotected passwords.
OT Administrators and Defenders
Change default passwords [CPG 2A] and ensure they meet the policy requirements for complexity. If the asset’s password cannot be changed, implement compensating controls for the device; for example, segment the device into separate enclaves and implement increased monitoring and logging.
Require that passwords for all OT password-protected assets be at least 15 characters, when technically feasible. In instances where minimum password lengths are not technically feasible (for example, assets in remote locations), apply compensating controls, record the controls, and log all login attempts [CPG 2B].
Enforce strict access policies for accessing OT networks. Develop strict operating procedures for OT operators that detail secure configuration and usage.
Segment OT assets from IT environments by [CPG 2F]:
Denying all connections to the OT network by default unless explicitly allowed (e.g., by IP address and port) for specific system functionality.
Requiring necessary communications paths between IT and OT networks to pass through an intermediary, such as a properly configured firewall, bastion host, “jump box,” or a demilitarized zone (DMZ), which is closely monitored, captures network logs, and only allows connections from approved assets.
Closely monitor all connections into OT networks for misuse, anomalous activity, or OT protocols.
Monitor for unauthorized controller change attempts. Implement integrity checks of controller process logic against a known good baseline. Ensure process controllers are prevented from remaining in remote program mode while in operation if possible.
Lock or limit set points in control processes to reduce the consequences of unauthorized controller access.
Be prepared by:
Determining your critical operational processes’ reliance on key IT infrastructure:
Maintain and regularly update an inventory of all organizational OT assets.
Understand and evaluate cyber risk on “as-operated” OT assets.
Create an accurate “as-operated” OT network map and identify OT and IT network inter-dependencies.
Identifying a resilience plan that addresses how to operate if you lose access to or control of the IT and/or OT environment.
Plan for how to continue operations if a control system is malfunctioning, inoperative, or actively acting contrary to the safe and reliable operation of the process.
Develop workarounds or manual controls to ensure ICS networks can be isolated if the connection to a compromised IT environment creates risk to the safe and reliable operation of OT processes.
Create and regularly exercise an incident response plan.
Regularly test manual controls so that critical functions can be kept running if OT networks need to be taken offline.
Implement regular data backup procedures on OT networks.
US organizations: To report suspicious or criminal activity related to information found in this joint Cybersecurity Advisory, contact:
CISA’s 24/7 Operations Center at Report@cisa.gov or (888) 282-0870 or your local FBI field office. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.
Water and Wastewater Systems Sector organizations, contact the EPA Water Infrastructure and Cyber Resilience Division at watercyberta@epa.gov to voluntarily provide situational awareness.
Entities required to report incidents to DOE should follow established reporting requirements, as appropriate. For other energy sector inquiries, contact EnergySRMA@hq.doe.gov.
For transportation entities regulated by TSA, report to CISA Central in accordance with the requirements found in applicable Security Directives, Security Programs, or TSA Order.
Australian organizations: Visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories.
Canadian organizations: Report incidents by emailing CCCS at contact@cyber.gc.ca.
New Zealand organizations: Report cyber security incidents to incidents@ncsc.govt.nz or call 04 498 7654.
United Kingdom organizations: Report a significant cyber security incident: ncsc.gov.uk/report-an-incident (monitored 24 hours) or, for urgent assistance, call 03000 200 973.
VALIDATE SECURITY CONTROLS
In addition to applying mitigations, the authoring agencies recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
Select an ATT&CK technique described in this advisory (see Table 5 through Table 17).
Align your security technologies against the technique.
Test your technologies against the technique.
Analyze your detection and prevention technologies’ performance.
Repeat the process for all security technologies to obtain a set of comprehensive performance data.
Tune your security program, including people, processes, and technologies, based on the data generated by this process.
The authoring agencies recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
The information in this report is being provided “as is” for informational purposes only. The authoring agencies do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the authoring agencies.
ACKNOWLEDGEMENTS
Fortinet and Microsoft contributed to this advisory.
VERSION HISTORY
February 7, 2024: Initial Version.
APPENDIX A: VOLT TYPHOON OBSERVED COMMANDS / LOTL ACTIVITY
PowerShell command extracts security log entries with the Event ID 4624 after a specified date. The output is formatted (fl *) and saved to user.dat. Potentially used to analyze logon patterns and identify potential targets for lateral movement.
PowerShell command extracts security log entries with the Event ID 4624 and filters them to include only those containing a specific user account, selecting the first instance of such an event.
wminc process get name,processid
Appears to be an attempt to use the wmic command but with a misspelling (wminc instead of wmic). This command, as it stands, would not execute successfully and would return an error in a typical Windows environment. This could indicate a mistake made during manual input.
wmic process get name,processid
WMI command lists all running processes with process names and process IDs. Potentially used to find process IDs needed for other operations, like memory dumping.
tasklist /v
Command displays detailed information about currently running processes, including the name, PID, session number, and memory usage.
taskkill /f /im rdpservice.exe
Command forcibly terminates the process rdpservice.exe. Potentially used as a cleanup activity post-exploitation.
ping -n 1 {redacted IP address}
Command sends one ICMP echo request to a specified IP address.
ping -n 1 -w 1 {redacted IP address}
Command sends one ICMP echo request to a specified IP address with a timeout (-w) of 1 millisecond.
net user
Lists all user accounts on the local machine or domain, useful for quickly viewing existing user accounts.
quser
query user
Displays information about user sessions on a system, aiding in identifying active users or sessions.
net start
Lists all active services.
cmd
Opens a new instance of the command prompt.
cd [Redacted Path]
Changes the current directory to a specified path, typically for navigating file systems.
Remove-Item .\Thumbs.db
PowerShell command to delete the Thumbs.db file, possibly for cleanup or removing traces.
move .\Thumbs.db ttt.dat
Relocates and renames the file Thumbs.db in the current directory to ttt.dat within the same directory.
del .\Thumbs.db /f /s /q
Force deletes Thumbs.db files from the current directory and all subdirectories, part of cleanup operations to erase traces.
del ??
Deletes files with two-character names, potentially a targeted cleanup command.
del /?
Displays help information for the del command.
exit
Terminates the command prompt session.
ipconfig
Retrieves network configuration details, helpful for discovery and mapping the victim’s network.
net time /dom
Queries or sets the network time for a domain, potentially used for reconnaissance or to manipulate system time.
netstta -ano
Intended as netstat -ano; a mistyped command indicating a potential operational error.
netstat -ano
Lists active network connections and processes, helpful for identifying communication channels and potential targets.
type .\Notes.txt
Displays the contents of Notes.txt, possibly used for extracting specific information or intelligence gathering.
logoff
Logs off the current user session.
Table 3: Volt Typhoon Observed PowerShell Scripts
Script name and location
Contents
Description/Use
C:\{redacted}\logins.ps1
# Find DC list from Active Directory
$DCs = Get-ADDomainController -Filter *
# Define time for report (default is 1 day)
$startDate = (get-date).AddDays(-1)
# Store successful logon events from security logs with the specified dates and workstation/IP in an array
The script is designed for user logon discovery in a Windows Active Directory environment. It retrieves a list of DCs and then queries security logs on these DCs for successful logon events (Event ID 4624) within the last day. The script differentiates between local (Logon Type 2) and remote (Logon Type 10) logon events. For each event, it extracts and displays details including the logon type, date/time of logon, status, account name, and the workstation or IP address used for the logon. Volt Typhoon may be leveraging this script to monitor user logon activities across the network, potentially to identify patterns, gather credentials, or track the movement of users and administrators within the network.
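The same Event ID 4624 data that logins.ps1 enumerates is what a defender should be reading, in the other direction. This added example is not from the advisory and is not the actor’s script; it pulls recent 4624 events from every domain controller and flags logons by accounts on an offboarded-employee list (the access path described at the top of this advisory) and interactive or RDP logons to a domain controller (logon types 2 and 10). It assumes the ActiveDirectory module, remote event log access to the DCs, and the offboarded list is a placeholder to be fed from an HR export.

```powershell
# Added example (not from the advisory): hunt 4624 logon events on domain
# controllers for offboarded accounts and interactive/RDP logons.
Import-Module ActiveDirectory

$Offboarded = @('jdoe', 'former.admin')   # placeholder: load from the HR departures export
$DCs = (Get-ADDomainController -Filter *).HostName

function ConvertFrom-LogonEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # Flatten the EventData <Data Name="..."> elements into a hashtable.
    $x = [xml]$Event.ToXml(); $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $Event.TimeCreated
        Host      = $Event.MachineName
        User      = $d.TargetUserName
        Domain    = $d.TargetDomainName
        LogonType = [int]$d.LogonType
        Source    = $d.IpAddress
        Station   = $d.WorkstationName
    }
}

function Find-SuspiciousLogons {
    param([string[]]$Computers = $DCs, [int]$Hours = 24)
    foreach ($c in $Computers) {
        Get-WinEvent -ComputerName $c -FilterHashtable @{ LogName = 'Security'; Id = 4624
                                                          StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
            ForEach-Object { ConvertFrom-LogonEvent $_ } |
            # Drop machine accounts (trailing $) and well-known non-user principals.
            Where-Object { $_.User -notmatch '\$$' -and $_.User -notin 'SYSTEM', 'ANONYMOUS LOGON' } |
            ForEach-Object {
                $reasons = @()
                if ($Offboarded -contains $_.User) { $reasons += 'offboarded account authenticated' }
                if ($_.LogonType -in 2, 10)       { $reasons += "interactive logon (type $($_.LogonType)) to a DC" }
                if ($reasons) {
                    $_ | Add-Member -NotePropertyName Reason -NotePropertyValue ($reasons -join '; ') -PassThru
                }
            }
    }
}

Find-SuspiciousLogons -Hours 24 | Sort-Object Time |
    Format-Table Time, Host, User, LogonType, Source, Reason -AutoSize
```

A successful 4624 for an offboarded account is a finding in itself: either the account was never disabled or it was re-enabled, and both warrant the offboarding checks under Mitigations. Interactive logons to DCs should be rare enough to review individually, which is why the example flags type 2 and type 10 rather than all logon types.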
APPENDIX B: INDICATORS OF COMPROMISE
See Table 4 for Volt Typhoon IOCs obtained by the U.S. authoring agencies during incident response activities.
Volt Typhoon conducts extensive pre-compromise reconnaissance. This includes web searches, including victim-owned sites, for victim host, identity, and network information, especially for information on key network and IT administrators.
Table 6: Volt Typhoon actors ATT&CK Techniques for Enterprise – Resource Development
Volt Typhoon uses multi-hop proxies for command-and-control infrastructure. The proxy is typically composed of Virtual Private Servers (VPSs) or small office/home office (SOHO) routers.
Volt Typhoon has redirected specific port traffic to their proxy infrastructure, effectively converting the PRTG’s Detection Guidance server into a proxy for their C2 traffic.
Volt Typhoon has used Brightmetricagent.exe, which contains multiplexer libraries that can bi-directionally stream data through NAT networks and contains a command-line interface (CLI) library that can leverage command shells such as PowerShell, Windows Management Instrumentation (WMI), and Z Shell (zsh).
Volt Typhoon first obtains credentials from public-facing appliances after gaining initial access by exploiting privilege escalation vulnerabilities in the operating system or network services.
Table 11: Volt Typhoon actors ATT&CK Techniques for Enterprise – Defense Evasion
Volt Typhoon has selectively cleared Windows Event Logs, system logs, and other technical artifacts to remove evidence of their intrusion activity and masquerading file names.
Volt Typhoon has obfuscated FRP client files (BrightmetricAgent.exe and SMSvcService.exe) and the command-line port scanning utility ScanLine by packing the files with Ultimate Packer for Executables (UPX).
Volt Typhoon uses hands-on-keyboard activity via the command line and uses other native tools and processes on systems (often referred to as “LOLBins”), known as LOTL, to maintain and expand access to the victim networks.
Table 12: Volt Typhoon actors ATT&CK Techniques for Enterprise – Credential Access
Volt Typhoon used a DLL with MiniDump and the process ID of Local Security Authority Subsystem Service (LSASS) to dump the LSASS process memory and obtain credentials.
Volt Typhoon has accessed a Local State file that contains the Advanced Encryption Standard (AES) encryption key used to encrypt the passwords stored in the Chrome browser, which enables the actors to obtain plaintext passwords stored in the Login Data file in the Chrome browser.
Table 13: Volt Typhoon actors ATT&CK Techniques for Enterprise – Discovery
Volt Typhoon created and accessed a file named rult3uil.log on a Domain Controller in C:\Windows\System32. The rult3uil.log file contained user activities on a compromised system, showcasing a combination of window title information and focus shifts, keypresses, and command executions across Google Chrome and Windows PowerShell, with corresponding timestamps.
Volt Typhoon enumerated several directories, including directories containing vulnerability testing and cyber related content and facilities data, such as construction drawings.
Volt Typhoon has used commercial tools, LOTL utilities, and appliances already present on the system for system information, network service, group, and user discovery.
Volt Typhoon potentially had access to a range of critical PuTTY profiles, including those for water treatment plants, water wells, an electrical substation, operational technology systems, and network security devices. This would enable them to access these critical systems.
During the period of Volt Typhoon’s known network presence, there were anomalous login attempts to an Azure tenant potentially using credentials previously compromised from theft of NTDS.dit.
Volt Typhoon has moved laterally to the Domain Controller via an interactive RDP session using a compromised account with domain administrator privileges.
Table 15: Volt Typhoon actors ATT&CK Techniques for Enterprise – Collection
Volt Typhoon has compressed and archived the extracted ntds.dit and accompanying registry files (by executing ronf.exe, which was likely a renamed version of rar.exe).
Volt Typhoon accessed the file C:\Users\{redacted}\Downloads\History.zip, which presumably contained data from the User Data directory of the user’s Chrome browser, which the actors likely saved in the Downloads directory for exfiltration.
Volt Typhoon uses legitimate but outdated versions of network admin tools. For example, in one confirmed compromise, actors downloaded an outdated version of comsvcs.dll on the DC in a non-standard folder.
WASHINGTON – As part of its unwavering commitment to safeguarding the security and integrity of the nation’s elections infrastructure, the Cybersecurity and Infrastructure Security Agency (CISA) launched its new #Protect2024 webpage today. Election security remains a paramount concern for CISA, the lead federal agency entrusted with securing the nation’s elections infrastructure. The agency continues to proudly stand shoulder-to-shoulder with state and local election officials who are on the frontlines of defending our electoral process, and is committed to providing them with the resources, capabilities, and actionable information to help them ensure the security and integrity of the elections process.
As part of the #Protect2024 initiative, CISA developed a webpage to serve as a central point for consolidated critical resources, training lists and security service offerings to support the over 8,000 election jurisdictions for the 2024 election cycle. These efforts build upon prior years of working with elections officials to mitigate the cyber, physical, and operational risks to election infrastructure.
“The #PROTECT2024 website provides a consolidated set of free resources for state and local election officials, those on the front lines of securing the democratic process,” said CISA Director Jen Easterly. “This year, we are placing particular focus on support to local election offices in order to help them strengthen their security posture.”
CISA encourages stakeholders, government officials, and the public to explore the #Protect2024 website, joining the collective effort to ensure a secure and resilient 2024 election cycle.
As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.
DHS’s New “AI Corps” Will Advance President Biden’s Executive Order on AI and Ensure Responsible Use of this Powerful Technology
Secretary Mayorkas to Host Recruitment Event in Mountain View, CA
WASHINGTON — Today, Secretary of Homeland Security Alejandro N. Mayorkas and Chief Information Officer (CIO) and Chief Artificial Intelligence Officer (CAIO) Eric Hysen announced the Department’s first-ever hiring sprint to recruit 50 Artificial Intelligence (AI) technology experts in 2024. The new DHS “AI Corps” is modeled after the U.S. Digital Service, building teams that will help better leverage this new technology responsibly across strategic areas of the homeland security enterprise including efforts to counter fentanyl, combat child sexual exploitation and abuse, deliver immigration services, secure travel, fortify our critical infrastructure, and enhance our cybersecurity.
The AI Corps will bolster the DHS workforce with experts in AI and Machine Learning (ML) technologies, models, and applications who will support policy initiatives to ensure the safe and secure use of AI, while protecting privacy and civil rights and civil liberties.
Using the Office of Personnel Management’s new flexible hiring authorities for AI-related jobs, DHS has worked to streamline and expedite the federal hiring process to ensure qualified candidates receive offers as quickly as possible.
“As artificial intelligence becomes more powerful and more accessible than ever before, government needs the support and expertise of our country’s foremost AI experts to help ensure our continued ability to harness this technology responsibly, safeguard against its malicious use, and advance our critical homeland security mission,” said Secretary of Homeland Security Alejandro N. Mayorkas. “Our new AI Corps initiative will make it easier to bring these talented, experienced, creative men and women into public service quickly. The DHS AI Corps will enable the Department of Homeland Security to keep up with the pace of innovation as we enhance our work combating fentanyl traffickers, rescuing victims of child sexual exploitation, countering cyberattacks, assessing disaster damage, and much more.”
The DHS AI Corps AI Technology experts will be part of the DHS Office of the Chief Information Officer and will work on a variety of projects across the Department advancing AI innovation and use. They will provide expertise in AI/ML, data science, data engineering, program management, product management, software engineering, cybersecurity, and safe, secure, and responsible use of these technologies.
Secretary Mayorkas and CIO Hysen will launch the hiring effort at an event in Mountain View, CA. The event is designed to generate interest in AI career opportunities within the Department. Leaders from the Department and DHS agencies and offices will demonstrate to technologists from industry their use of AI to support their missions. Leaders from the DHS Office of Customer Experience, launched in 2022, will discuss their approach to using AI to improve service delivery; representatives of Homeland Security Investigations will showcase the role machine learning plays in countering online child sexual exploitation and abuse; Immigration and Customs Enforcement officials will present on ways AI can enhance immigration and citizenship services; and FEMA officials will present on ways new technology can more quickly deliver disaster and humanitarian relief.
“Now is the time for tech experts to make a real difference for our country and join the federal government,” said Chief Information Officer and Chief Artificial Intelligence Officer Eric Hysen. “Modeled after the U.S. Digital Service, the AI Corps will deploy teams of AI technology experts across DHS to solve problems and modernize the delivery of services to the public. We are recruiting faster than ever because the need is urgent. More Americans interact with DHS every day than any other federal agency, so the better and faster we can deploy responsible AI, the more it can positively impact the American people. We are prioritizing recruiting talent who are technologically proficient and eager to leverage recent innovations in AI to transform the way people interact with the government.”
AI is already delivering significant value across DHS missions. For example:
Fentanyl Interdiction: U.S. Customs and Border Protection (CBP) uses a ML model to identify potentially suspicious patterns in vehicle-crossing history. CBP recently used the model to flag a car for secondary review at a port of entry, which yielded the discovery of over 75 kilograms of drugs hidden in the automobile. Last year alone, machine learning models that help CBP Officers determine which suspicious vehicles and passengers to refer to secondary screening have led to 240 seizures, which included thousands of pounds of cocaine, heroin, methamphetamine, and fentanyl.
Combatting Online Child Sex Abuse: Last year, Homeland Security Investigations completed Operation Renewed Hope, which focused on protecting children from sexual abuse online. Through new AI technology, DHS identified more than 300 previously unknown victims of sexual exploitation and identified perpetrators thanks in part to a ML model that enhanced older images to provide investigators with new leads.
Assessing Disaster Damage: The Federal Emergency Management Agency (FEMA) uses AI to assess damage to homes, buildings, and other property after a disaster more efficiently. Using ML, FEMA’s analysts are able to process images in days, as opposed to weeks, and provide disaster assistance to survivors that much faster.
Last year, DHS established the Department’s first AI Task Force and named CIO Hysen its first Chief AI Officer. The Task Force is working across the DHS mission to identify areas where AI can improve its work. For instance, it is working to enhance the integrity of our supply chains and the broader trade environment by helping deploy AI to improve cargo screening, the identification of imported goods produced with forced labor, and risk management. The Task Force is also charged with using AI to better detect fentanyl shipments, identify and interdict the flow of precursor chemicals around the world, and disrupt key nodes in criminal networks.
DHS’s work on AI is part of a whole-of-government effort to address this emerging technology. In October, President Biden issued an Executive Order, “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence,” which directed DHS to promote the adoption of AI safety standards globally, protect U.S. networks and critical infrastructure, reduce the risks that AI can be used to create weapons of mass destruction, combat AI-related intellectual property theft, and help the United States attract and retain skilled talent, among other missions.