CyberSecurity SEE

Feds Confirm Remote Killing of Volt Typhoon’s SOHO Botnet

The infrastructure of the China-sponsored cyberattack group known as Volt Typhoon has been disrupted by US law enforcement. This group, also known as Bronze Silhouette and Vanguard Panda, is a major advanced persistent threat (APT) and has been described by FBI Director Christopher Wray as “the defining cyber-threat of this era.” Their notorious history includes managing a sprawling botnet created by compromising poorly protected small office/home office (SOHO) routers, which they use as a launchpad for other attacks, particularly on US critical infrastructure.

The takedown of Volt Typhoon was first reported this week by Reuters, and the US government was quick to confirm the enforcement action. The FBI designed a remote kill switch to send to routers infected by the “KV Botnet” malware, which was used by the group. The court-authorized operation deleted the malware from the routers and took additional steps to sever their connection to the botnet. The vast majority of routers that comprised the KV Botnet were found to be vulnerable because they had reached ‘end of life’ status and were no longer receiving security patches or software updates from their manufacturers.

As alarming as it may seem, the Feds insisted that they accessed no information and affected no legitimate functions of the routers. Additionally, router owners can clear the mitigations by restarting the devices, although this would make them susceptible to reinfection.

Volt Typhoon is part of a broader Chinese effort to infiltrate utilities, energy-sector companies, military bases, telecom companies, and industrial sites in order to plant foothold malware. This would prepare them for future disruptive and destructive attacks, with the goal of damaging the US ability to respond in the event of a kinetic war over Taiwan or trade issues in the South China Sea.

Despite the disruption to Volt Typhoon’s infrastructure, the attackers themselves remain free, according to Toby Lewis, global head of threat analysis at Darktrace. The US is now aware of China’s strategy and tactics, thanks to the work of organizations like Mandiant Intelligence — Google Cloud. However, Volt Typhoon is known for constantly shifting the source of its activity to stay under the radar and reducing the signatures that defenders use to hunt them across networks.

Regardless, Sandra Joyce, vice president of Mandiant Intelligence — Google Cloud, is confident that the US is adapting to improve its intelligence collection and to thwart this actor. She believes that defenders are already able to identify and harden the networks being targeted by Volt Typhoon.

While the recent operation by law enforcement has disrupted the infrastructure of Volt Typhoon, it’s clear that the group remains a significant and ongoing threat. The US government and cyber defense experts will continue to monitor and adapt to the ever-evolving tactics of this notorious APT.
