ArcInsight Research

May 23, 2023: The U.S. CISA issued a joint advisory with its Five Eyes partner agencies in the U.K., Canada, Australia and New Zealand warning of “a recently discovered cluster of activity” attributed to a state-sponsored cyber actor, also known as Volt Typhoon. The activity affected networks across U.S. critical infrastructure sectors, including in the U.S. territory of Guam, home to three American military bases. The likely aim of the operation is to disrupt critical communications infrastructure between the United States and the Asia region during future crises, according to Microsoft.

One of the actor’s primary tactics, techniques, and procedures (TTPs) is living off the land: using built-in network administration tools to achieve its objectives. This TTP allows the actor to evade detection by blending in with normal Windows system and network activity, to avoid endpoint detection and response (EDR) products that would alert on the introduction of third-party applications to the host, and to limit the amount of activity captured in default logging configurations.
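The defender's side of that last point, as an added example that is not from the advisory or from ArcInsight: a small Python triage routine over constructed Windows process-creation events. The tool list, the set of expected parent processes and the argument keywords are illustrative assumptions, and the empty command line in one sample shows what default logging leaves behind when command-line auditing is not enabled.

```python
"""Triage Windows process-creation events for living-off-the-land (LOTL) use.

The sample events below are constructed to resemble Security event 4688
records. Tool names, parent-process rules and command-line keywords are the
editor's assumptions for illustration, not content from the advisory.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Built-in administration tools that LOTL tradecraft tends to reuse (assumed).
ADMIN_TOOLS = {"cmd.exe", "netsh.exe", "wmic.exe", "ntdsutil.exe",
               "powershell.exe", "reg.exe", "certutil.exe", "schtasks.exe"}
# Parents from which interactive or administrative use of those tools is normal.
EXPECTED_PARENTS = {"explorer.exe", "mmc.exe", "services.exe", "svchost.exe"}
# Command-line fragments that rarely appear in routine administration (assumed).
RISKY_ARGS = ("portproxy", "ntds.dit", " -enc ", "shadowcopy")

@dataclass
class ProcEvent:
    host: str
    parent: str      # parent image path
    image: str       # new process image path
    cmdline: str     # empty when command-line auditing is not enabled

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(event: ProcEvent) -> Optional[str]:
    """Return a finding label, or None when the event looks routine."""
    if basename(event.image) not in ADMIN_TOOLS:
        return None
    if not event.cmdline:
        # The tool ran, but default logging captured no arguments: this is a
        # visibility gap, not evidence of abuse. Surface it so auditing gets enabled.
        return "visibility-gap"
    lowered = event.cmdline.lower()
    if any(frag in lowered for frag in RISKY_ARGS):
        return "risky-arguments"
    if basename(event.parent) not in EXPECTED_PARENTS:
        return "unexpected-parent"
    return None

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent("ws01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\reg.exe",
              r"reg query HKLM\Software\Vendor"),
    ProcEvent("srv02", r"C:\inetpub\w3wp.exe", r"C:\Windows\System32\cmd.exe", ""),
    ProcEvent("srv03", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\netsh.exe",
              "netsh interface portproxy show all"),
    ProcEvent("srv04", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -NoProfile Get-Service"),
]

def run_triage(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Return (host, finding) pairs for every event that triage flags."""
    return [(e.host, label) for e in events if (label := triage(e))]
```

Run as a script, `run_triage(SAMPLE_EVENTS)` flags three of the four hosts; the routine reg query from Explorer is left alone.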
