China-backed ‘Volt Typhoon’ preparing wave of attacks

US cybersecurity officials, alongside their counterparts in Australia, Canada, the UK, and New Zealand, have published a warning that the China state-sponsored hacking group “Volt Typhoon” is preparing a wave of attacks against critical infrastructure should relations between Beijing and Washington worsen.

US agencies confirmed in a recent alert that Volt Typhoon had compromised the IT environments of multiple critical infrastructure organizations. They wrote that the group is pre-positioning itself on IT networks for potential disruptive attacks, not typical espionage, amid future geopolitical conflicts.

Officials urged the public and IT infrastructure stakeholders to counter the threat by patching vulnerable systems, enabling phishing-resistant multi-factor authentication, and centralizing log storage for enhanced security.

Officials warned that, should such an attack take place, critical infrastructure in Canada, Australia, and New Zealand could also be targeted.

This announcement comes shortly after the Russian state-sponsored hacker group “Cozy Bear” (also tracked as APT29 and Midnight Blizzard) breached HPE’s corporate email environment, accessing data from a small percentage of mailboxes. That incident fits a broader pattern of intrusions targeting US tech firms, including a recent breach of Microsoft senior leadership inboxes by the same group.

Volt Typhoon changes tactics

Recently, US officials reported that they had disrupted a China-sponsored hacking effort in which Volt Typhoon used the KV Botnet malware, running on compromised small office/home office (SOHO) routers, as covert infrastructure for targeting critical infrastructure.

In 2023, Microsoft warned that Volt Typhoon might disrupt communications infrastructure between the US and Asia in a future crisis. Microsoft said the group had buried itself in critical infrastructure networks by “living off the land”: relying on the operating system’s own built-in administrative tools and valid accounts rather than custom malware, so that its activity blends into routine administration and leaves little for antivirus or other signature-based tools to flag.
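Living-off-the-land activity is hard to catch on a single endpoint precisely because every command is a legitimate signed binary, which is why the advisory’s recommendation to centralize log storage matters: command-line telemetry from many hosts, examined together, makes the abuse of built-in tools stand out. The following is an added example, not code from the advisory, Microsoft or Black Lotus Labs, of a small detector run over constructed process-creation events. The event fields, the sample events, and the specific argument patterns chosen as indicators (ntdsutil IFM dumps, netsh portproxy forwarding, remote process creation via wmic, SAM/SYSTEM hive export with reg, shadow copy creation with vssadmin) are this example’s own assumptions about commonly abused Windows built-ins, not a published signature set.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events, reduced to the fields this
# example needs (Sysmon Event ID 1 style). Illustrative only, not real
# telemetry from any incident.
SAMPLE_EVENTS = [
    {"host": "dc01", "user": "CORP\\svc_backup", "parent": "cmd.exe",
     "image": "ntdsutil.exe",
     "cmdline": 'ntdsutil.exe "ac i ntds" ifm "create full C:\\Temp\\x" q q'},
    {"host": "fw-jump", "user": "CORP\\admin", "parent": "cmd.exe",
     "image": "netsh.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=9999 "
                "connectaddress=10.0.5.20 connectport=3389"},
    {"host": "ws17", "user": "CORP\\jdoe", "parent": "explorer.exe",
     "image": "wmic.exe",
     "cmdline": 'wmic process call create "cmd /c whoami"'},
    {"host": "ws17", "user": "CORP\\jdoe", "parent": "explorer.exe",
     "image": "notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"host": "dc01", "user": "CORP\\svc_backup", "parent": "cmd.exe",
     "image": "reg.exe",
     "cmdline": "reg save HKLM\\SYSTEM C:\\Temp\\sys.hiv"},
]

# Heuristic rules as (rule name, image name, regex over the command line).
# The binaries are standard Windows built-ins; the argument patterns are
# this example's own assumptions about how they get abused, not a
# published signature set.
RULES = [
    ("ntds_dump_via_ntdsutil", "ntdsutil.exe",
     re.compile(r"\bifm\b", re.I)),
    ("netsh_portproxy_add", "netsh.exe",
     re.compile(r"interface\s+portproxy\s+add", re.I)),
    ("wmic_remote_process_create", "wmic.exe",
     re.compile(r"process\s+call\s+create", re.I)),
    ("reg_hive_export", "reg.exe",
     re.compile(r"\bsave\s+HKLM\\(SAM|SYSTEM|SECURITY)\b", re.I)),
    ("vssadmin_shadow_copy", "vssadmin.exe",
     re.compile(r"create\s+shadow", re.I)),
]


def detect(events):
    """Return one alert dict per (event, rule) match."""
    alerts = []
    for ev in events:
        image = ev["image"].lower()
        for name, rule_image, pattern in RULES:
            if image == rule_image and pattern.search(ev["cmdline"]):
                alerts.append({"rule": name, "host": ev["host"],
                               "user": ev["user"], "cmdline": ev["cmdline"]})
    return alerts


def hosts_by_alert_count(alerts):
    """Aggregate alerts per host. With logs centralized, a host that trips
    several LOTL rules stands out even though no single event is malware."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["host"]] += 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a['rule']}] {a['host']} {a['user']}: {a['cmdline']}")
    print(hosts_by_alert_count(found))
```

On the constructed sample the detector fires on four of the five events and ranks dc01 first because it trips two rules (an NTDS database dump followed by a SYSTEM hive export, the pair needed to decrypt the dump offline), while the benign notepad launch and a netsh invocation that does not touch portproxy produce nothing. In practice the rule set would be far larger and tuned per environment, but the shape is the point: the signal is in the arguments and the combination of events per host, which is only visible when logs leave the endpoint.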

After US officials disrupted Volt Typhoon’s KV botnet, security researchers at Black Lotus Labs noticed that the group had been changing tactics, re-exploiting previously compromised devices such as NetGear ProSAFE hardware. Other compromised devices included Cisco RV routers, DrayTek Vigor routers, and Axis IP cameras.

At the botnet’s peak, it had infected 32% of the 6,613 NetGear ProSAFE devices then exposed to the internet.

Originally, there were roughly 1,500 active bots under Volt Typhoon’s control, but that number had fallen to about 650 by mid-January 2024. The big drop came in late December when, according to Black Lotus Labs, US officials took down the botnet’s command-and-control server, leaving only the clusters tasked with scanning and reconnaissance.

According to Black Lotus Labs, this group, along with other similar state-aligned operations, will continue to use these tactics in the future.

“We assess that this trend of utilizing compromised firewalls and routers will continue to emerge as a core component of threat actor operations, both to enable access to high-profile victims and to establish covert infrastructure,” the researchers wrote.

They noted that there remains a “large supply of vastly out-of-date and generally considered end-of-life edge devices on the internet” that is no longer eligible to receive patches but remains online because it is “still performing well enough to stay in service for end users.” Such devices make an ideal base of operations for future attacks: their vulnerabilities will never be fixed by the vendor, and the owners rarely monitor them.
