The US government, alongside private sector leaders, has reportedly been making efforts to disrupt the threat infrastructure of “Volt Typhoon,” an aggressive China-linked threat group that has been responsible for numerous attacks on US critical infrastructure since mid-2021.
According to Reuters, the US Department of Justice and the FBI obtained legal authorization and have been working to remotely disable parts of the group's infrastructure. These efforts come amid growing concern within the US intelligence community about pervasive hacking by China-linked groups, ransomware included, with Volt Typhoon the most prominent. Intelligence officials are alarmed that China appears to be positioning itself to compromise Western critical infrastructure such as naval ports, Internet service providers, and utilities.
The specific concern is that Volt Typhoon is laying the groundwork for capabilities that could enable China to disrupt critical infrastructure supporting US military operations in the Indo-Pacific region. Officials believe the hackers may be working to undermine US readiness in the event of a Chinese invasion of Taiwan.
Microsoft has also been monitoring Volt Typhoon and has reported that the group’s objective is to develop capabilities that would allow it to disrupt communications infrastructure between the US and the Asian region during future crises. The group’s targets have included organizations in the communications, transportation, maritime, government, utility, and information technology sectors.
Microsoft describes Volt Typhoon as a stealthy actor that relies on legitimate tools, living-off-the-land techniques, and hands-on keyboard activity rather than custom malware. To blend into normal network activity, the group routes its traffic through compromised small office and home office (SOHO) network devices, so connections to victims originate from ordinary residential and small-business IP space. This tradecraft indicates a focus on espionage and on maintaining access for as long as possible without being detected.
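Living-off-the-land activity of the kind described above leaves little for signature-based tooling to catch, so detection tends to rest on command-line patterns in process-creation telemetry. The following Python is an added example, not code from the article, Microsoft, or Lumen: it runs a small rule set over constructed process-creation events and flags built-in Windows utilities being used for credential access, port forwarding, and remote execution. The hostnames, usernames, IP addresses, and the choice of rules are illustrative assumptions, not indicators published on this page.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Constructed sample events in the shape of flattened process-creation records
# (e.g. Sysmon Event ID 1). Hosts, users and addresses are made up for the example.
SAMPLE_EVENTS = [
    {"host": "dc01", "user": r"CORP\backupsvc", "parent": "cmd.exe",
     "cmdline": r'ntdsutil.exe "ac i ntds" ifm "create full C:\Windows\Temp\pro" q q'},
    {"host": "fs02", "user": r"CORP\jdoe", "parent": "cmd.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=9999 "
                "connectaddress=10.0.5.7 connectport=8443"},
    {"host": "ws17", "user": r"CORP\jdoe", "parent": "explorer.exe",
     "cmdline": "wmic.exe /node:10.0.8.21 process call create cmd.exe"},
    {"host": "ws17", "user": r"CORP\jdoe", "parent": "explorer.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    # Benign activity that must not fire: ordinary netsh query and a text editor.
    {"host": "dc01", "user": r"CORP\admin", "parent": "services.exe",
     "cmdline": "netsh advfirewall show allprofiles"},
    {"host": "ws17", "user": r"CORP\jdoe", "parent": "explorer.exe",
     "cmdline": r"notepad.exe C:\Users\jdoe\notes.txt"},
]


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    rationale: str


# Each rule targets a built-in tool used for a purpose that is rare in normal admin work.
# The regexes anchor on the sub-command, not just the binary, to avoid flagging benign use.
RULES = [
    Rule("ntdsutil_ifm_dump",
         re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b", re.I),
         "ntdsutil 'ifm' exports the AD database (ntds.dit) for offline credential extraction"),
    Rule("netsh_portproxy_add",
         re.compile(r"\bnetsh(\.exe)?\b.*\binterface\s+portproxy\s+add\b", re.I),
         "netsh portproxy turns a host into a TCP relay for pivoting or C2 forwarding"),
    Rule("wmic_remote_process_create",
         re.compile(r"\bwmic(\.exe)?\b.*/node:\S+.*\bprocess\s+call\s+create\b", re.I),
         "wmic /node ... process call create launches a process on a remote host"),
    Rule("powershell_encoded_command",
         re.compile(r"\bpowershell(\.exe)?\b.*\s-(enc|encodedcommand)\b", re.I),
         "Base64-encoded PowerShell hides the command from casual log review"),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    user: str
    cmdline: str


def scan(events: Iterable[dict], rules: Iterable[Rule] = RULES) -> list[Finding]:
    """Return one Finding per (event, rule) pair whose command line matches the rule."""
    findings = []
    for ev in events:
        cmd = ev.get("cmdline", "")
        for rule in rules:
            if rule.pattern.search(cmd):
                findings.append(Finding(rule.name, ev["host"], ev["user"], cmd))
    return findings


def hosts_with_multiple_techniques(findings: Iterable[Finding]) -> set[str]:
    """Hosts where more than one distinct rule fired: a stronger signal of hands-on activity
    than any single match, since each tool alone has legitimate uses."""
    by_host: dict[str, set[str]] = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return {h for h, rules in by_host.items() if len(rules) > 1}


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host} {f.user}: {f.cmdline}")
    print("hosts with multiple techniques:", hosts_with_multiple_techniques(scan(SAMPLE_EVENTS)))
```

Running the block against the constructed events produces four findings and singles out ws17, where two different techniques were observed under the same user; the benign netsh query and the editor launch are not reported. In practice the same rules would be fed from an EDR or Sysmon pipeline rather than an inline list, and correlating hits with source addresses in residential or small-business ISP ranges would address the SOHO-proxying behaviour the article describes.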
Recent research by Lumen identified Volt Typhoon as one of several Chinese threat groups using a large SOHO botnet, known as KV-Botnet, as command-and-control infrastructure. The botnet is composed mainly of legacy Cisco, DrayTek, and Netgear routers, and Lumen assessed that Volt Typhoon likely used it in attacks against several high-value targets.
SecurityScorecard has reported observing Volt Typhoon attempting to compromise end-of-life Cisco RV320 routers and integrate them into its growing botnet.

The US government has called on cloud computing companies, telecommunications firms, and private technology companies for assistance in tracking and dismantling Volt Typhoon's activities, and the White House has held meetings with private sector stakeholders to discuss strategies for disrupting the group's operations.
Overall, the US government’s efforts to disrupt Volt Typhoon’s attack infrastructure are part of a larger campaign to defend against ongoing cyber threats and provide crucial protection for the country’s critical infrastructure. These actions reflect the growing recognition of the significant risks posed by state-sponsored threat actors and the importance of collaborative efforts to counter such threats effectively.