Saturday, November 23, 2024

China’s Volt Typhoon Reconstructs Botnet Following Disruption

Volt Typhoon, the notorious Chinese state-sponsored hacking group, is making a significant comeback after a botnet disruption caused by a US-led takedown in February 2024. This group had previously built a malicious botnet using outdated Cisco and Netgear routers that were no longer receiving critical security updates. By infecting these devices with KV Botnet malware, Volt Typhoon successfully hid its hacking operations, targeting vital national infrastructure in the US and beyond.

Fast forward nine months, and threat analysts from SecurityScorecard have noticed that Volt Typhoon is back in action, and it seems more sophisticated and determined. Their Strike Team has sifted through millions of data points, revealing that the group has adapted and is digging in after facing setbacks from the takedown.

Ryan Sherstobitoff, senior VP of threat research at SecurityScorecard, emphasizes the growing threat posed by Volt Typhoon. As the group expands its botnet and refines its tactics, he urges governments and corporations to fix vulnerabilities within legacy systems, public cloud infrastructures, and third-party networks. He warns that if these issues are left unaddressed, a crisis in critical infrastructure could arise.

Recently, Volt Typhoon has set up new command servers with hosting services like Digital Ocean, Quadranet, and Vultr, along with fresh SSL certificates to evade detection. They continue exploiting legacy vulnerabilities in Cisco RV320/325 and Netgear ProSafe routers. Sherstobitoff pointed out that they managed to compromise 30% of the world’s visible Cisco RV320/325 routers within just a month.

The Strike Team’s investigation uncovered Volt Typhoon’s extensive network built on compromised SOHO and outdated devices. These routers act like digital chameleons, masking their malicious activities and blending in with normal network traffic. Analysts discovered MIPS-based malware on these devices, similar to Mirai, which helps establish covert connections and use port forwarding over 8443. This method keeps their operations under the radar, even from experienced cybersecurity teams.

They strategically plant webshells like fy.sh in the routers. This allows Volt Typhoon to maintain persistent access to systems while appearing to operate within routine network functions. The result is a strong foothold in governmental and critical infrastructure sectors, complicating any cleanup efforts.

By September 2024, the new botnet cluster was observed routing traffic worldwide, much of it through a compromised VPN device located in New Caledonia. This device acts as a silent bridge between the Asia-Pacific region and the US. By using this French territory, Volt Typhoon might avoid heightened scrutiny and extend its botnet’s reach further.

Sherstobitoff cautions that critical national infrastructure continues to be an attractive target for Chinese state-sponsored attackers. This sector’s essential role in economic stability, combined with its dependence on outdated technology, is creating a perfect storm for potential disruptions. Moreover, many third-party tech suppliers lack robust defenses, providing easy entry points for advanced persistent threat actors like Volt Typhoon.