Volt Typhoon Ramps Up Malicious Activity Against Critical Infrastructure

China-backed cyber espionage group Volt Typhoon is systematically targeting legacy Cisco devices in a sophisticated and stealthy campaign to grow its attack infrastructure.
In many instances the threat actor, known for targeting critical infrastructure, is exploiting two vulnerabilities disclosed in 2019 in those routers (CVE-2019-1652 and CVE-2019-1653 in the Cisco RV320/RV325 series) to break into the devices and take control of them.
Targeting US Critical Infrastructure Sectors

Researchers from SecurityScorecard's threat intelligence team spotted the activity while following up on recent vendor and media reports about Volt Typhoon breaking into US critical infrastructure organizations and laying the groundwork for potential future disruptions.
The attacks have targeted water utilities, power suppliers, transportation, and communications systems.
One of the vendor reports, from Lumen, described a botnet comprised of small office/home office routers that Volt Typhoon - and other Chinese threat groups - is using as a command-and-control network in attacks against high-value networks.
SecurityScorecard researchers used the indicators of compromise that Lumen released with its report to see if they could identify new infrastructure associated with Volt Typhoon's campaign.
The investigation showed the threat group's activity may be more extensive than previously thought, says Rob Ames, staff threat researcher at SecurityScorecard.
Volt Typhoon appears to have been responsible for compromising as much as 30% - or 325 of 1,116 - of end-of-life Cisco RV320/325 routers that SecurityScorecard observed on the C2 botnet over a 37-day period.
The security vendor's researchers observed regular connections between the compromised Cisco devices and known Volt Typhoon infrastructure between Dec. 1, 2023 and Jan. 7, 2024, suggesting a very active operation.
SecurityScorecard was able to identify multiple new IP addresses that appeared linked to Volt Typhoon activity.
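The pivot the researchers describe (start from a published indicator list, find devices that connect to it on a schedule, then look for destinations those devices share) can be reproduced over ordinary flow logs. The following is an added example written for this page, not SecurityScorecard's or Lumen's code; the seed indicators, device addresses and flow records are constructed from RFC 5737 documentation ranges, and the periodicity and "shared by at least two infected devices" thresholds are assumptions a practitioner would tune to their own telemetry.

```python
"""Pivot from seed C2 indicators to beaconing devices and candidate new infrastructure.

Input is a constructed flow log, one record per line:
    <ISO-8601 timestamp> <src_ip> <dst_ip> <dst_port> <bytes_out>
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Hypothetical seed indicators (constructed; not the IOCs from the Lumen report).
SEED_C2 = {"203.0.113.10", "203.0.113.11"}

# Constructed flows. 198.51.100.5 and .6 check in to a seed C2 every six hours
# and both upload to 192.0.2.50; .7 touches a C2 once; every device also hits
# 192.0.2.1, a stand-in for a benign shared destination such as an update server.
SAMPLE_FLOWS = """\
2023-12-01T00:00:00Z 198.51.100.5 203.0.113.10 443 1200
2023-12-01T06:00:00Z 198.51.100.5 203.0.113.10 443 1180
2023-12-01T12:00:00Z 198.51.100.5 203.0.113.10 443 1210
2023-12-01T18:00:00Z 198.51.100.5 203.0.113.10 443 1195
2023-12-01T03:00:00Z 198.51.100.5 192.0.2.50 8443 51000
2023-12-01T02:00:00Z 198.51.100.5 192.0.2.1 80 900
2023-12-01T00:10:00Z 198.51.100.6 203.0.113.11 443 1300
2023-12-01T06:10:00Z 198.51.100.6 203.0.113.11 443 1290
2023-12-01T12:10:00Z 198.51.100.6 203.0.113.11 443 1310
2023-12-01T18:10:00Z 198.51.100.6 203.0.113.11 443 1305
2023-12-01T04:00:00Z 198.51.100.6 192.0.2.50 8443 48000
2023-12-01T02:30:00Z 198.51.100.6 192.0.2.1 80 910
2023-12-01T09:00:00Z 198.51.100.7 203.0.113.10 443 700
2023-12-01T09:05:00Z 198.51.100.7 192.0.2.99 443 5000
2023-12-01T02:45:00Z 198.51.100.7 192.0.2.1 80 905
2023-12-01T01:00:00Z 198.51.100.8 192.0.2.1 80 890
"""


def parse_flows(text):
    """Parse the whitespace-separated flow format into tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(port), int(nbytes)))
    return flows


def find_beaconing(flows, seed_c2, min_conns=3, max_jitter=0.2):
    """Return {src_ip: c2_ip} for sources that contact a seed C2 on a regular cadence.

    Regularity is measured as the coefficient of variation of inter-arrival
    times; a value near zero means the connections are evenly spaced.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _port, _nbytes in flows:
        if dst in seed_c2:
            by_pair[(src, dst)].append(ts)
    hits = {}
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue  # a single hit to a C2 is not enough to call the device compromised
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_jitter:
            hits[src] = dst
    return hits


def pivot_new_infra(flows, compromised, seed_c2, min_devices=2):
    """Destinations reached by at least min_devices compromised devices and by
    no uncompromised device. The second condition drops shared benign servers
    that every device on the network talks to."""
    contacted_by = defaultdict(set)
    for _ts, src, dst, _port, _nbytes in flows:
        contacted_by[dst].add(src)
    candidates = set()
    for dst, srcs in contacted_by.items():
        if dst in seed_c2:
            continue
        if len(srcs & compromised) >= min_devices and srcs <= compromised:
            candidates.add(dst)
    return candidates


def run(text=SAMPLE_FLOWS, seed_c2=SEED_C2):
    """Full pivot: seed IOCs -> beaconing devices -> candidate new infrastructure."""
    flows = parse_flows(text)
    beacons = find_beaconing(flows, seed_c2)
    new_infra = pivot_new_infra(flows, set(beacons), seed_c2)
    return beacons, new_infra


if __name__ == "__main__":
    beacons, new_infra = run()
    for src, c2 in sorted(beacons.items()):
        print(f"beaconing device {src} -> seed C2 {c2}")
    for dst in sorted(new_infra):
        print(f"candidate new infrastructure: {dst}")
```

On the constructed data the two six-hourly devices are flagged, the single-contact device is not, 192.0.2.50 surfaces as candidate infrastructure, and 192.0.2.1 is excluded because uninfected devices also reach it. Candidates found this way are leads, not indicators: they still need corroboration (passive DNS, certificate reuse, hosting provider, overlap with the published list) before they go into a blocklist.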
Living-off-the-Land Cyberattacks

Volt Typhoon is a threat group that the US Cybersecurity and Infrastructure Security Agency (CISA) has identified as a state-sponsored Chinese threat actor targeting US critical infrastructure sectors.
Microsoft, the first to report on the group back in May 2023, describes it as a China-based group, active since at least May 2021, that conducts large-scale cyber espionage using a slew of living-off-the-land techniques.
The company has assessed the group as developing capabilities to disrupt critical communications capabilities between the US and Asia during potential future conflicts.
Ames says Volt Typhoon's use of compromised routers for data transfers is one indication of the group's commitment to stealth.
Cyber-Targeting of Vulnerable End-of-Life Gear

Volt Typhoon's targeting of end-of-life devices also makes a lot of sense from the attacker's perspective, Ames says.
There are some 35 known critical vulnerabilities with a severity rating of at least 9 out of 10 on the CVSS scale - including two in CISA's Known Exploited Vulnerabilities catalog - associated with the Cisco RV320 routers that Volt Typhoon has been targeting.
In addition to the Cisco devices, the Volt Typhoon-linked botnet also includes compromised legacy DrayTek Vigor and Netgear ProSafe routers.
Callie Guenther, senior manager of cyber threat research at Critical Start, says Volt Typhoon's strategic targeting of end-of-life Cisco routers, its development of custom tools like fy.sh, and its geographical and sectoral targeting suggest a highly sophisticated operation.
As examples, she points to multiple threat actors targeting the so-called Ripple20 vulnerabilities in a TCP/IP stack that affected millions of legacy IoT devices, as well as Chinese and Iranian threat groups targeting flaws in older VPN products.


This Cyber News was published on www.darkreading.com. Publication date: Thu, 11 Jan 2024 22:50:03 +0000

