Volt Typhoon Gang and Botnet Re-Emerge Targeting Critical Infrastructure

Volt Typhoon, a stealthy and resilient state-sponsored cyber-espionage group has re-emerged as a severe and silent threat to critical infrastructure worldwide, demonstrating increased sophistication and determination.

In January this year, the US Department of Justice said it disrupted the People’s Republic of China-backed hacking group that attempted to target America’s critical infrastructure. The group infected “hundreds” of outdated Cisco and Netgear routers with malware so that they could be used to attack US critical infrastructure facilities.

SecurityScorecard’s STRIKE Team has identified the group’s resurgence, exploiting unprotected and outdated edge devices across essential sectors and escalating the global threat landscape significantly.

Digital Chameleons

Investigations reveal that Volt Typhoon’s operations span globally, with an infrastructure built on outdated small office/home office (SOHO) devices, which serve as digital chameleons for covert data transmission.

By leveraging MIPS-based malware and webshells like fy.sh, Volt Typhoon maintains a secure foothold in target networks. This strategy allows the malefactors to operate below the radar and integrate malicious activity into standard network operations, complicating detection and mitigation efforts.

Researchers revealed that a compromised VPN device in New Caledonia is playing a critical role as a bridge for Volt Typhoon’s operations, silently routing data between Asia-Pacific and American regions. This unique positioning allows Volt Typhoon to mask its presence effectively, facilitating long-term, undetected operations.

Adapt or Die

Rather than retreating when detected, this adversary adapts and intensifies its tactics. According to the STRIKE Team, Volt Typhoon now leverages outdated devices such as Cisco RV320/325 and Netgear ProSafe routers, which have become key points of entry in their campaigns. In just over a month, Volt Typhoon compromised 30% of visible Cisco RV320/325 routers, transforming them into operational relay nodes for their botnet infrastructure.

These compromised routers, serving as covert transfer nodes, form an intricate network that allows Volt Typhoon’s malicious activity to blend seamlessly with routine operations. This capability makes the botnet particularly challenging to detect and neutralize within sectors like government and critical infrastructure, where legacy systems are still widely used.

A Botnet Built on Legacy Infrastructure

Volt Typhoon’s tactics reveal a gradual evolution in their approach. Key milestones in the botnet’s development highlight how they exploit vulnerabilities within aged infrastructure to sustain their operations:

• 2019: Researchers identify flaws in Cisco routers, exposing energy and other industries reliant on legacy tech.
• Late 2023: Volt Typhoon launches the JDYFJ botnet using compromised Cisco and Netgear routers. With command centers in Europe, the botnet hides traffic through encrypted channels.
• October 2023: A compromised VPN device in New Caledonia bridges traffic between Asia-Pacific and the Americas, evading standard detection methods.
• Early 2024: After parts of the botnet face disruption by law enforcement, Volt Typhoon reestablishes its infrastructure on Digital Ocean and other platforms, setting up fresh SSL certificates.
• September 2024: The JDYFJ cluster continues routing traffic covertly, solidifying Volt Typhoon’s botnet operations.

Critical Infrastructure Exposed

Volt Typhoon’s actions underscore the risks that legacy infrastructure poses to sectors like energy. A recent SecurityScorecard and KPMG report highlights that third-party breaches account for 45% of incidents in the US  energy sector, with state-sponsored actors like Volt Typhoon exacerbating these risks. There is growing concern that AI-powered attacks could further amplify this threat, enhancing attackers’ precision and elusiveness.

In 2023, a coalition of 68 nations led by the US established the International Counter-Ransomware Initiative, aimed at mitigating ransomware’s financial and operational impact. Complementing this, the G7 has committed to bolstering supply chain security, particularly in energy. Together, these initiatives form a crucial foundation for protecting essential infrastructure against emerging cyber threats.

A Warning for Infrastructure Security

The STRIKE Team’s findings paint a bleak picture of the evolving risks to critical infrastructure. As Volt Typhoon’s botnet grows more sophisticated, governments and organizations must act swiftly to reinforce legacy systems, enhance cloud security, and secure third-party networks.

The resurgence of this scourge serves as a potent reminder: without proactive measures, unresolved vulnerabilities may pave the way for a crisis in critical infrastructure security.