In the United States, the Federal Bureau of Investigation (FBI) has conducted a large law enforcement operation targeting a cyber espionage campaign carried out by a hacking group known as Volt Typhoon. The group has been linked to the Chinese government and was found to have hijacked hundreds of routers with malicious software in an effort to disrupt operations in the US. The US Justice Department announced the operation on January 31, 2024, revealing that the FBI had disrupted a network of compromised devices in a coordinated effort to neutralize the threat posed by Volt Typhoon.
The devices, small office/home office (SOHO) routers, had been compromised by the Volt Typhoon advanced persistent threat (APT) group and infected with the KV Botnet malware. Most of the routers in the botnet were identified as Cisco and NetGear models that had reached end-of-life status and no longer received security patches or other software updates from their manufacturers. The court-authorized operation removed the malware from the routers and severed their connection to the botnet, blocking communications with the other devices used to control it.
In response to this revelation, cybersecurity experts have highlighted the risks associated with using obsolete or end-of-life devices in critical environments. Ian McGowan, managing director of Barrier Networks, emphasized the need for organizations to secure or update such devices to prevent potential vulnerabilities. Similarly, security awareness advocate James McQuiggan, along with his colleague Roger Grimes, stressed the importance of firmware security as a top priority for manufacturers.
Volt Typhoon's hacking activities specifically targeted critical infrastructure organizations in the US as well as victims in other countries. They included a campaign previously identified by the FBI, the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and various foreign partners. Commenting on the disruption operation, US Deputy Attorney General Lisa O. Monaco emphasized the Department of Justice's commitment to using all available tools to disrupt national security threats in real time.
Volt Typhoon, also tracked as Bronze Silhouette, Insidious Taurus, and Vanguard Panda, is a cyberespionage group believed to be linked to the Chinese Ministry of State Security (MSS). The group is suspected of conducting malicious campaigns against critical infrastructure, particularly in the US, since at least mid-2021. Its most recent campaigns targeted a wide range of organizations across sectors, with a particular focus on critical communications infrastructure between the US and Asia.
According to John Hultquist, Mandiant director at Google Cloud, the techniques employed by Volt Typhoon are consistent with those used by nation-state threat actors, indicating a deliberate effort to avoid detection and persist on targeted networks. FBI Director Christopher Wray stated that the Volt Typhoon malware enabled China to target US communications, energy, transportation, and water sectors, posing a potential real-world threat to the safety of Americans.
In light of the disconnection operation, the Department of Justice reassured the public that the government’s actions were conducted with extra care for the safety and privacy of the routers’ original owners. The operation did not collect content information from the hacked routers and implemented temporary mitigation steps to prevent reinfection. The FBI has also made efforts to contact the owners whose information was available and has collaborated with vendors and internet service providers (ISPs) to notify the victims.
Overall, the successful operation to disrupt the Volt Typhoon cyber espionage campaign demonstrates the determination of the US government to combat nation-state adversaries. The collaboration between law enforcement agencies, cybersecurity experts, and private-sector partners has played a crucial role in safeguarding critical infrastructure and protecting national security. The ongoing efforts to address cyber threats and strengthen cybersecurity measures reflect the commitment to defending against increasingly sophisticated and persistent threats in the digital realm.