The Chinese Volt Typhoon cyber-espionage group infiltrated a critical infrastructure network in the United States and remained undetected for at least five years before being discovered, according to a joint advisory from CISA, the NSA, the FBI, and partner Five Eyes agencies.
Volt Typhoon is known for its extensive use of living-off-the-land (LOTL) techniques, relying on tools already present on the victim's systems rather than on custom malware, in its attacks on critical infrastructure organizations.
The group also uses stolen valid accounts and maintains strong operational security, which lets it avoid detection and keep long-term persistence on compromised systems.
The Chinese threat group has successfully breached the networks of multiple critical infrastructure organizations across the United States while mainly targeting the communications, energy, transportation, and water/wastewater sectors.
Its targets and tactics also diverge from typical cyber-espionage activity, leading authorities to conclude with high confidence that the group aims to pre-position itself within networks that give it access to Operational Technology (OT) assets, with the end goal of disrupting critical infrastructure.
U.S. authorities are also concerned that Volt Typhoon could use this access to critical networks to cause disruptive effects, particularly in the event of a military conflict or heightened geopolitical tensions.
Today's advisory is accompanied by a technical guide on detecting Volt Typhoon techniques, determining whether they were used to compromise an organization's network, and mitigating attacks that rely on living-off-the-land techniques.
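The detection problem the advisory's guide addresses is that LOTL activity consists of ordinary built-in tools run under valid accounts, so no single event looks malicious. The following is an added example written by the editor, not code from the advisory or the article: it reads constructed Windows Event ID 4688-style process-creation records, tags each command line against a small watchlist of built-in tools commonly chained in LOTL intrusions (directory-database dumping, shadow copies, registry hive export, netsh port forwarding, account and process discovery), and escalates only hosts where several distinct categories appear together. The watchlist patterns, field names, host and user names, and sample events are illustrative assumptions, not indicators taken from the advisory.

```python
"""Living-off-the-land (LOTL) triage over Windows process-creation events.

Added example by the editor, not code from the CISA/NSA/FBI advisory or the
BleepingComputer article. It reads constructed Event ID 4688-style records
(JSON lines), tags each command line against a small watchlist of built-in
tools that LOTL intrusions chain together, and reports hosts where several
distinct technique categories appear. The watchlist, field names and sample
events are illustrative assumptions, not indicators from the advisory.
"""
import json
import re
from collections import defaultdict

# Assumed watchlist: (category, pattern over "<image> <command line>").
# Patterns are deliberately narrow (tool plus the specific sub-command) so that
# routine administrative use of the binary alone does not fire.
WATCHLIST = [
    ("credential_access", re.compile(r"ntdsutil(\.exe)?\b.*\bifm\b", re.I)),
    ("credential_access", re.compile(r"vssadmin(\.exe)?\s+create\s+shadow", re.I)),
    ("credential_access", re.compile(r"reg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I)),
    ("proxy_tunnel", re.compile(r"netsh(\.exe)?\s+interface\s+portproxy\s+add", re.I)),
    ("discovery", re.compile(r"\bwmic(\.exe)?\s+(process|service|useraccount|ntdomain)\b", re.I)),
    ("discovery", re.compile(r"\bnet1?(\.exe)?\s+(user|group|localgroup)\b.*/domain\b", re.I)),
]

# Constructed sample events (not real telemetry); hosts and accounts are made up.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c dir C:\\Users\\jdoe\\Documents"},
    {"host": "DC01", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic.exe process list brief"},
    {"host": "DC01", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\ntdsutil.exe",
     "cmdline": "ntdsutil.exe \"ac i ntds\" ifm \"create full C:\\Windows\\Temp\\pro\" q q"},
    {"host": "DC01", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\netsh.exe",
     "cmdline": "netsh.exe interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5 connectport=8443"},
    {"host": "WS02", "user": "CORP\\helpdesk", "image": "C:\\Windows\\System32\\net.exe",
     "cmdline": "net.exe user admin /domain"},
    {"host": "WS02", "user": "CORP\\helpdesk", "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg.exe save hklm\\sam C:\\Windows\\Temp\\sam.hiv"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


def classify(image, cmdline):
    """Return the sorted list of watchlist categories a single event matches."""
    haystack = f"{image} {cmdline}"
    return sorted({cat for cat, pat in WATCHLIST if pat.search(haystack)})


def triage(log_text):
    """Group watchlist hits per host: categories seen, accounts used, matching commands."""
    per_host = defaultdict(lambda: {"categories": set(), "users": set(), "hits": []})
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a malformed record rather than abort the whole sweep
        cats = classify(ev.get("image", ""), ev.get("cmdline", ""))
        if not cats:
            continue
        rec = per_host[ev.get("host", "?")]
        rec["categories"].update(cats)
        rec["users"].add(ev.get("user", "?"))
        rec["hits"].append((cats, ev.get("cmdline", "")))
    return per_host


def suspicious_hosts(log_text, min_categories=2):
    """Hosts on which at least `min_categories` distinct LOTL categories appear.

    One hit in isolation (e.g. a lone `net user /domain`) is usually benign; the
    chain of discovery, credential access and tunnelling on one host is what
    merits analyst attention.
    """
    return sorted(h for h, rec in triage(log_text).items()
                  if len(rec["categories"]) >= min_categories)


if __name__ == "__main__":
    for host, rec in sorted(triage(SAMPLE_LOG).items()):
        print(f"{host}: {sorted(rec['categories'])} via {sorted(rec['users'])}")
        for cats, cmd in rec["hits"]:
            print(f"    [{','.join(cats)}] {cmd}")
    print("escalate:", suspicious_hosts(SAMPLE_LOG))
```

Run against the constructed log, the sweep escalates DC01 (discovery, credential access and port forwarding under one service account) and WS02 (domain user enumeration plus a SAM hive export), while WS01's ordinary `dir` never appears. The design point is that the score is per host and per distinct category, not per event: a real deployment would feed it 4688 or Sysmon process-creation telemetry and tune the watchlist to the environment's known administrative baselines, since every tool listed also has legitimate uses.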
The Chinese threat group, also tracked as Bronze Silhouette, has been targeting and breaching U.S. critical infrastructure since at least mid-2021, according to a May 2023 report published by Microsoft.
Throughout its attacks, the group has also routed malicious traffic through a botnet of hundreds of compromised small office/home office (SOHO) routers across the United States to blend in with legitimate activity and evade detection.
The FBI disrupted the KV-botnet in December 2023, and the hackers failed to rebuild the dismantled infrastructure after Lumen's Black Lotus Labs took down all remaining command-and-control (C2) and payload servers.
The day the hit on KV-botnet was disclosed, CISA and the FBI also urged SOHO router manufacturers to ensure their devices are protected against Volt Typhoon attacks by eliminating web management interface flaws during development and using secure configuration defaults.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 07 Feb 2024 20:10:23 +0000