China’s Volt Typhoon rebuilds botnet in wake of takedown
The notorious Chinese state threat actor known as Volt Typhoon is making a strong comeback following a disruption of its botnet infrastructure in a US-led takedown in February 2024.
Volt Typhoon’s malicious botnet consisted of hundreds of Cisco and Netgear small and home office (SOHO) routers that had reached end-of-life (EOL) status, rendering them vulnerable as they no longer received security updates.
The threat actor infected these routers with KV Botnet malware to mask the source of subsequent hacks targeting critical national infrastructure (CNI) operations in the US and other countries.
After nine months, SecurityScorecard’s threat analysts have observed that Volt Typhoon is back in action and appears to be more sophisticated and determined than ever.
The Strike Team at SecurityScorecard has analyzed vast amounts of data from its risk management infrastructure and concluded that Volt Typhoon is evolving and strengthening its operations following the setback.
Ryan Sherstobitoff, Senior Vice President of Threat Research and Intelligence at SecurityScorecard, emphasized the growing threat posed by Volt Typhoon and the urgent need for governments and corporations to address vulnerabilities in legacy systems, public cloud infrastructures, and third-party networks.
Volt Typhoon has recently set up new command servers using hosting services like Digital Ocean, Quadranet, and Vultr, and has obtained fresh SSL certificates to evade detection by authorities.
The group continues to exploit vulnerabilities in Cisco RV320/325 and Netgear ProSafe routers, compromising a significant number of these devices globally within a short period.
Sherstobitoff revealed that Volt Typhoon’s complex network is built on compromised SOHO and EOL devices, using outdated routers to conceal their activities and make detection challenging.
He explained that the group deploys MIPS-based malware similar to Mirai on these devices to establish covert connections and communicate through port forwarding over port 8443, effectively concealing its command-and-control operations.
As of September 2024, Volt Typhoon’s new botnet cluster was observed routing traffic worldwide, with a compromised VPN device located in New Caledonia acting as a bridge between the Asia-Pacific region and the US.
Sherstobitoff warned that CNI operators remain prime targets for Chinese state-sponsored attackers because of their crucial role in economic stability, a risk made worse by their reliance on legacy technology, which leaves them open to disruption.
He noted that many third-party tech suppliers lack robust defenses, providing APT actors like Volt Typhoon with easy entry points.