# 🎯 **TARGET LOCKED:** Current Threats Targeting the Defense Industrial Base (DiB) – 2025

![[DiBThreatsHeader3.png]]

## intro

The United States Defense Industrial Base (DiB) remains one of the most heavily targeted sectors in the country, drawing sustained attention from state-sponsored threat actors. China, Russia, North Korea, and others view defense contractors and related industries as high-value sources of intelligence and intellectual property, and as opportunities for disruption. The threat actors associated with each nation rely on tactics ranging from Living-off-the-Land (LoL) techniques to the exploitation of unpatched vulnerabilities, often blending stealth with persistence. In this post I examine the current threat landscape facing the United States DiB, highlighting what defenders need to know about each threat actor and nation state, and where to focus their priorities both now and in the future.

## china

![[chinathreat2.png]]

### overview:

China continues to pose a persistent and serious threat to vital U.S. sectors, including telecommunications, the electrical grid, government agencies, the U.S. military, and the Defense Industrial Base. In addition to the familiar patterns of espionage and intellectual property theft, Chinese threat actors are now [targeting critical infrastructure](https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a), likely with the goal of strategically positioning themselves in areas that could hinder a U.S. response to a potential Chinese invasion of Taiwan. Even if China’s more specific objectives - such as disabling parts of the U.S. power grid to slow a response, or reverse engineering U.S. military technology for strategic advantage - remain uncertain, it is clear that security professionals working within the targeted industries must stay vigilant and maintain a strong understanding of the TTPs and behaviors these actors employ.
The good news is that years of research into China’s state-sponsored operations have revealed their playbook: they [depend heavily on Living-off-the-Land (LoL) techniques](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a). The bad news is that LoL activity is harder to detect, as it can often bypass traditional antivirus and EDR controls and, depending on the environment you work in, it can be much harder to separate normal behavior from malicious activity. To counter this, defenders must prioritize behavioral and context-driven detections built on patterns seen in past campaigns.

The prospect of a Chinese invasion of Taiwan within the next decade is also becoming increasingly plausible. In 2024, a [single Chinese shipbuilder](https://www.defensenews.com/global/asia-pacific/2025/03/11/chinas-shipbuilding-dominance-a-national-security-risk-for-us-report/) produced more commercial vessels by tonnage than the entire U.S. shipbuilding industry has built since World War II. As of June 2024, China also fields the world’s largest naval force on paper, with 234 operational warships compared to the U.S. Navy’s 219. Beijing’s continued “[military drills](https://news.usni.org/2025/04/02/chinese-military-wraps-intimidation-drills-off-taiwan)” near Taiwan underscore its strategy of intimidation and highlight its readiness to leverage a rapidly expanding commercial and military fleet.

**Threat Actors:**

- *Volt Typhoon* A.K.A. VANGUARD PANDA, BRONZE SILHOUETTE, Redfly, Insidious Taurus, Dev-0391, Storm-0391, UNC3236, or VOLTZITE
- *Salt Typhoon* A.K.A. OPERATOR PANDA, Earth Estries, Ghost Emperor, FamousSparrow, UNC2286

**Motivations:** IP theft, strategic espionage, reconnaissance of U.S. critical infrastructure.
**Recent Example Activity:**

- https://www.nytimes.com/2023/07/29/us/politics/china-malware-us-military-bases-taiwan.html
- https://web.archive.org/web/20250405033914/https://www.washingtonpost.com/technology/2023/12/11/china-hacking-hawaii-pacific-taiwan-conflict/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
- https://www.itpro.com/security/cyber-attacks/all-us-forces-must-now-assume-their-networks-are-compromised-after-salt-typhoon-breach
- https://www.documentcloud.org/documents/25998809-20250611-dhs-salt-typhoon/

**Combined TTPs:**

- [Valid Accounts (T1078)](https://attack.mitre.org/techniques/T1078/)
- [Unsecured Credentials (T1552)](https://attack.mitre.org/techniques/T1552/)
- [System Binary Proxy Execution (T1218)](https://attack.mitre.org/techniques/T1218/)
- [External Remote Services (T1133)](https://attack.mitre.org/techniques/T1133/)
- [Exploit Public-Facing Application (T1190)](https://attack.mitre.org/techniques/T1190/)

**MITRE ATT&CK Navigator: Combined Techniques**

![[dib_nav.png]]

**Example Detections (Pseudocode):**

**Detection 1 - Environment Enumeration**

```
index=wineventlog (ParentImageFileName="cmd.exe" AND ImageFileName="wmic.exe") AND (ProcessCommandLine="*path win32_logicaldisk get caption,filesystem,freespace,size,volumename*")
| table _time, ComputerName, UserName, ParentImageFileName, ImageFileName, ProcessCommandLine
```

```
index=wineventlog (ParentImageFileName="cmd.exe") AND (ImageFileName="net.exe" OR ImageFileName="net1.exe") AND (ProcessCommandLine="*group*" AND ProcessCommandLine="*Domain Admins*")
| table _time, ComputerName, UserName, ParentImageFileName, ImageFileName, ProcessCommandLine
```

**Detection 2 - Possible Tampering of ntds.dit Using Full Commands or Notations**

```
index=wineventlog (ImageFileName="wmic.exe" AND ProcessCommandLine="*ac i ntds*")
| table _time, ComputerName, UserName, ParentImageFileName, ImageFileName, ProcessCommandLine
```

```
index=wineventlog (ParentImageFileName="cmd.exe" AND ImageFileName="wmic.exe" AND (ProcessCommandLine="*ntdsutil*" OR ProcessCommandLine="*ac i ntds*") AND ProcessCommandLine="*\\Windows\\Temp*")
| table _time, ComputerName, UserName, ParentImageFileName, ImageFileName, ProcessCommandLine
```

```
index=wineventlog ImageFileName="ntdsutil.exe" AND (ProcessCommandLine="*ac i ntds*" OR ProcessCommandLine="*activate instance ntds*")
| table _time, ComputerName, UserName, ParentImageFileName, ImageFileName, ProcessCommandLine
```

**Detection 3 - Possible Impacket (wmiexec.py) Usage**

```
index=wineventlog (ImageFileName="cmd.exe" OR ImageFileName="wmic.exe") (ProcessCommandLine="*dir*" AND ProcessCommandLine="*\\\\127.0.0.1\\ADMIN$*")
| table _time, ComputerName, UserName, ParentImageFileName, ImageFileName, ProcessCommandLine
```

Scrutinize any matching events for evidence of filenames containing an epoch timestamp.

**Detection 4 - Audit Log Deletion**

```
index=wineventlog EventID=1102
| table _time, ComputerName, UserName
```

Any event with EventID 1102 should be scrutinized, as it is uncommon to see this event in an environment. (The 1102 event records the clearing of the Security log itself and carries no process fields, so the table is limited to time, host, and user.)

### other takeaways:

- **Botnet Capabilities** - Volt Typhoon has also been observed [operating botnets](https://www.cisecurity.org/insights/blog/critical-infrastructure-caught-botnet) built from compromised Cisco and Netgear routers. In September 2024, the group managed to compromise 30% of all internet-exposed Cisco RV320/325 routers within just 37 days. These operations appear consistent with Volt Typhoon’s broader strategy of embedding itself within U.S. critical infrastructure.
- **Custom Malware** - While both Volt Typhoon and Salt Typhoon often rely on Living-off-the-Land techniques to evade detection, they are also capable of deploying highly sophisticated custom malware to achieve their objectives.
  For example, in 2022 Palo Alto Networks observed Volt Typhoon [deploying a custom backdoor called _SockDetour_](https://unit42.paloaltonetworks.com/sockdetour/) against U.S. defense contractors. Reflecting Volt Typhoon’s focus on stealth, _SockDetour_ hijacks existing network connections through a pre-existing socket, eliminating the need to establish a new connection that might be flagged by EDR tools or analysts.
- **Exploitation of Vulnerabilities** - Both Volt Typhoon and Salt Typhoon regularly exploit known vulnerabilities to gain initial access to victim environments. According to the U.S. Department of Defense, Salt Typhoon [compromised and maintained persistent access](https://www.itpro.com/security/cyber-attacks/all-us-forces-must-now-assume-their-networks-are-compromised-after-salt-typhoon-breach) to an unnamed U.S. state’s Army National Guard network between March and December 2024, leveraging at least four separate CVEs to do so.

**Exploited CVEs:**

| **Vendor** | **CVE(s)** | **Product / Feature** |
| --- | --- | --- |
| **Cisco** | CVE-2018-0171, CVE-2023-20198, CVE-2023-20273, CVE-2024-20272 | IOS/IOS XE (Smart Install, Web UI), Unity Connection |
| **Zoho (ManageEngine)** | CVE-2021-40539, CVE-2021-44077 | ADSelfService Plus, ServiceDesk Plus |
| **FatPipe** | CVE-2021-27860 | WARP/IPVPN/MPVPN (web interface) |
| **QNAP** | CVE-2021-28799 | HBS 3 (Hybrid Backup Sync) |
| **Fortinet** | CVE-2022-42475, CVE-2023-27997 | FortiOS / FortiProxy SSL-VPN |
| **Citrix (NetScaler / ADC / Gateway)** | CVE-2023-4966, CVE-2023-6548, CVE-2023-6549 | NetScaler ADC / Gateway |
| **Ivanti (Connect Secure / Policy Secure)** | CVE-2023-46805, CVE-2024-21887 | Ivanti Connect Secure / Policy Secure |
| **Versa Networks** | CVE-2024-39717 | Versa Director |

### defender priorities:

- **Securing Accounts and Identities** - Both groups frequently abuse valid accounts to gain initial access or maintain persistence in victim environments. As detailed in [CISA’s advisory](https://www.cisa.gov/sites/default/files/2024-03/aa24-038a_csa_prc_state_sponsored_actors_compromise_us_critical_infrastructure_3.pdf) on Volt Typhoon, it is common for the group to extract the `NTDS.dit` file, crack password hashes offline, and use legitimate elevated credentials to remain undetected. In some cases, Volt Typhoon maintained access for years by repeatedly extracting `NTDS.dit` to ensure they always had up-to-date valid credentials.
- **Patching and Remediation of High-Impact Vulnerabilities** - While patching critical and high-severity vulnerabilities - especially on internet-exposed devices - should be standard practice, it remains one of the most neglected areas of security. Volt Typhoon, in particular, is known to rely almost exclusively on unpatched vulnerabilities to establish initial access. Every major report and advisory on their activity underscores this trend, with the compromise of a state’s Army National Guard network serving as a recent example.
- **Baselining LoLBin Activity** - Organizations should establish a baseline for how Living-off-the-Land Binaries (LoLBins) are normally used in their environment. This is especially challenging for defense contractors, where large numbers of engineers regularly rely on LoLBins such as PowerShell or WMI to streamline their work. Security teams should understand what commands are executed day to day and by whom, so that deviations from this baseline immediately stand out. Tracking which users employ which tools is equally important: a non-engineer running PowerShell commands should trigger more concern than an engineer doing the same.
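To make the detection pseudocode and the baselining idea concrete, here is an added Python example (not code from the original post) that encodes the four detections as rules over normalized process-creation events, runs them against a handful of constructed events, and then flags LoLBin use that falls outside a per-user baseline built from an earlier window. The field names mirror the SPL pseudocode; the events, user and host names, the `LOLBINS` set, and the epoch-filename regex are assumptions made for illustration.

```python
# Added example: Volt/Salt Typhoon style detections plus a LoLBin baseline check.
import re
from collections import defaultdict

# Binaries treated as Living-off-the-Land tools for baselining (assumed set).
LOLBINS = {"powershell.exe", "wmic.exe", "ntdsutil.exe", "net.exe", "net1.exe"}

# Constructed baseline window: which users normally run which LoLBins.
BASELINE_EVENTS = [
    {"UserName": "eng_jdoe", "ImageFileName": "powershell.exe"},
    {"UserName": "eng_jdoe", "ImageFileName": "wmic.exe"},
    {"UserName": "eng_alee", "ImageFileName": "powershell.exe"},
    {"UserName": "hr_smith", "ImageFileName": "excel.exe"},
]

# Constructed events under review; field names mirror the SPL pseudocode above.
NEW_EVENTS = [
    {"EventID": 4688, "ComputerName": "ENG-WS01", "UserName": "eng_jdoe",
     "ParentImageFileName": "explorer.exe", "ImageFileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -File .\\build.ps1"},
    {"EventID": 4688, "ComputerName": "HR-WS07", "UserName": "hr_smith",
     "ParentImageFileName": "cmd.exe", "ImageFileName": "wmic.exe",
     "ProcessCommandLine": "wmic path win32_logicaldisk get caption,filesystem,freespace,size,volumename"},
    {"EventID": 4688, "ComputerName": "DC01", "UserName": "svc_backup",
     "ParentImageFileName": "cmd.exe", "ImageFileName": "ntdsutil.exe",
     "ProcessCommandLine": 'ntdsutil "ac i ntds" ifm "create full C:\\Windows\\Temp\\x" q q'},
    {"EventID": 4688, "ComputerName": "FS02", "UserName": "eng_alee",
     "ParentImageFileName": "wmiprvse.exe", "ImageFileName": "cmd.exe",
     "ProcessCommandLine": "cmd.exe /Q /c dir 1> \\\\127.0.0.1\\ADMIN$\\__1735000000.12 2>&1"},
    {"EventID": 1102, "ComputerName": "DC01", "UserName": "svc_backup"},
]

# wmiexec-style output files are named after an epoch timestamp (assumed pattern).
EPOCH_NAME = re.compile(r"__\d{10}(\.\d+)?")


def _cmdline(ev):
    return ev.get("ProcessCommandLine", "").lower()


def environment_enumeration(ev):
    """Detection 1: disk enumeration via wmic, or a Domain Admins lookup via net/net1."""
    if ev.get("ParentImageFileName") != "cmd.exe":
        return False
    cl = _cmdline(ev)
    if ev.get("ImageFileName") == "wmic.exe":
        return "path win32_logicaldisk get caption,filesystem,freespace,size,volumename" in cl
    if ev.get("ImageFileName") in {"net.exe", "net1.exe"}:
        return "group" in cl and "domain admins" in cl
    return False


def ntds_tampering(ev):
    """Detection 2: ntds.dit access through ntdsutil or wmic, full command or abbreviation."""
    if ev.get("ImageFileName") not in {"wmic.exe", "ntdsutil.exe"}:
        return False
    cl = _cmdline(ev)
    return any(tok in cl for tok in ("ac i ntds", "activate instance ntds", "ntdsutil"))


def impacket_wmiexec(ev):
    """Detection 3: output redirected to ADMIN$ over loopback, often into an epoch-named file."""
    if ev.get("ImageFileName") not in {"cmd.exe", "wmic.exe"}:
        return False
    cl = _cmdline(ev)
    return "\\\\127.0.0.1\\admin$" in cl and ("dir" in cl or EPOCH_NAME.search(cl) is not None)


def audit_log_cleared(ev):
    """Detection 4: Security log cleared (Event ID 1102), rare in normal operations."""
    return ev.get("EventID") == 1102


DETECTIONS = {
    "environment_enumeration": environment_enumeration,
    "ntds_tampering": ntds_tampering,
    "impacket_wmiexec": impacket_wmiexec,
    "audit_log_cleared": audit_log_cleared,
}


def run_detections(events):
    """Return (rule name, ComputerName, UserName) for every rule that fires."""
    return [(name, ev["ComputerName"], ev["UserName"])
            for ev in events for name, rule in DETECTIONS.items() if rule(ev)]


def build_baseline(events):
    """Map each user to the set of LoLBins seen from that user in the baseline window."""
    baseline = defaultdict(set)
    for ev in events:
        if ev["ImageFileName"] in LOLBINS:
            baseline[ev["UserName"]].add(ev["ImageFileName"])
    return baseline


def baseline_deviations(events, baseline):
    """Return (UserName, ImageFileName) for LoLBin use not previously seen from that user."""
    return [(ev["UserName"], ev["ImageFileName"]) for ev in events
            if ev.get("ImageFileName") in LOLBINS
            and ev["ImageFileName"] not in baseline.get(ev["UserName"], set())]


if __name__ == "__main__":
    print("alerts:", run_detections(NEW_EVENTS))
    print("baseline deviations:", baseline_deviations(NEW_EVENTS, build_baseline(BASELINE_EVENTS)))
```

Against the constructed events, the four rules fire once each (the HR workstation's disk enumeration, the `ntdsutil` run on the domain controller, the loopback `ADMIN$` redirect on the file server, and the log clear), while the engineer's routine PowerShell use stays quiet. The baseline check separately surfaces `wmic.exe` from an HR user and `ntdsutil.exe` from a service account never seen running LoLBins, which is the "non-engineer running PowerShell" signal described above applied mechanically.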
## russia

…

## iran

…

## north korea

## cross-actor ttp trends

| ATT&CK Technique | CN | RU | IR |
|---|---:|---:|---:|
| Valid Accounts (T1078) | | | |
| External Remote Services (T1133) | | | |
| PowerShell (T1059.001) | | | |
| Exfiltration over Web (T1041) | | | |

## defensive priorities

1) …
2) …
3) …

## references

1. CISA. _People’s Republic of China State-Sponsored Cyber Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure._ [AA24-038A](https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a)
2. CISA. _People’s Republic of China State-Sponsored Cyber Actors Exploit Barracuda ESG Zero-Day Vulnerability._ [AA23-144A](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a)
3. Defense News. _China’s shipbuilding dominance a national security risk for US: report._ (March 11, 2025). [Link](https://www.defensenews.com/global/asia-pacific/2025/03/11/chinas-shipbuilding-dominance-a-national-security-risk-for-us-report/)
4. USNI News. _Chinese Military Wraps Intimidation Drills off Taiwan._ (April 2, 2025). [Link](https://news.usni.org/2025/04/02/chinese-military-wraps-intimidation-drills-off-taiwan)
5. The New York Times. _Chinese Malware Hits Systems on U.S. Military Bases in Taiwan Conflict Preparations._ (July 29, 2023). [Link](https://www.nytimes.com/2023/07/29/us/politics/china-malware-us-military-bases-taiwan.html)
6. The Washington Post (Archived). _China hacking Hawaii, Pacific targets in Taiwan conflict prep._ (Dec 11, 2023). [Archive Link](https://web.archive.org/web/20250405033914/https://www.washingtonpost.com/technology/2023/12/11/china-hacking-hawaii-pacific-taiwan-conflict/)
7. ITPro. _All US forces must now assume their networks are compromised after Salt Typhoon breach._ [Link](https://www.itpro.com/security/cyber-attacks/all-us-forces-must-now-assume-their-networks-are-compromised-after-salt-typhoon-breach)
8. DocumentCloud. _DHS Report on Salt Typhoon – 2025-06-11._ [Link](https://www.documentcloud.org/documents/25998809-20250611-dhs-salt-typhoon/)
9. MITRE ATT&CK. _Valid Accounts (T1078)._ [Link](https://attack.mitre.org/techniques/T1078/)
10. MITRE ATT&CK. _Unsecured Credentials (T1552)._ [Link](https://attack.mitre.org/techniques/T1552/)
11. MITRE ATT&CK. _System Binary Proxy Execution (T1218)._ [Link](https://attack.mitre.org/techniques/T1218/)
12. MITRE ATT&CK. _External Remote Services (T1133)._ [Link](https://attack.mitre.org/techniques/T1133/)
13. MITRE ATT&CK. _Exploit Public-Facing Application (T1190)._ [Link](https://attack.mitre.org/techniques/T1190/)
14. Center for Internet Security (CIS). _Critical Infrastructure Caught in Botnet Crossfire._ [Link](https://www.cisecurity.org/insights/blog/critical-infrastructure-caught-botnet)
15. Palo Alto Networks Unit 42. _SockDetour: Newly Discovered Malware Targeting Defense Contractors._ [Link](https://unit42.paloaltonetworks.com/sockdetour/)
16. CISA. _Iranian Cyber Actors May Target Vulnerable U.S. Networks and Entities of Interest._ [Link](https://www.cisa.gov/resources-tools/resources/iranian-cyber-actors-may-target-vulnerable-us-networks-and-entities-interest)