Decrypt LOL

Volt Typhoon Cybercrime Group Resumes Operations Targeting U.S

Quick take - The Volt Typhoon cybercrime group from China has resumed operations, exploiting outdated Cisco routers to infiltrate U.S. critical infrastructure networks, raising concerns among security researchers following a previous disruption by the FBI.

Fast Facts

  • China’s Volt Typhoon cybercrime group has resumed operations, exploiting outdated Cisco and Netgear routers to infiltrate U.S. critical infrastructure networks.
  • The group was previously disrupted by the FBI, which remotely wiped its botnet about ten months ago, but has returned with enhanced sophistication.
  • Security researchers report that 30% of visible Cisco RV320/325 routers were compromised within 37 days of Volt Typhoon’s renewed activity, highlighting the risks of using end-of-life devices.
  • Recent investigations revealed Volt Typhoon’s breach of Singapore Telecommunications, indicating potential future attacks on U.S. telecom companies.
  • There has been a notable increase in Chinese cyber espionage activities, with Volt Typhoon and other groups like Salt Typhoon targeting U.S. networks and infrastructure.

China’s Volt Typhoon Cybercrime Group Resumes Operations

China’s Volt Typhoon cybercrime group has resumed its operations, exploiting outdated Cisco routers to infiltrate critical infrastructure networks in the United States. Security researchers have raised alarms about this resurgence, as Volt Typhoon had previously been disrupted by the FBI approximately ten months prior. The agency infiltrated the group and remotely wiped its botnet.

Recent Activities and Vulnerabilities

The U.S. Department of Justice reported that Volt Typhoon had compromised numerous legacy Cisco and Netgear devices with malware. The group has been targeting critical organizations in the U.S. since at least 2021. Recent investigations revealed that Volt Typhoon had conducted a preliminary test by breaching Singapore Telecommunications, potentially signaling future attacks on U.S. telecommunications companies.

Ryan Sherstobitoff, Senior Vice President of Threat Research and Intelligence at SecurityScorecard, noted that the group has returned with enhanced sophistication. The SecurityScorecard STRIKE Team identified that Volt Typhoon is specifically exploiting outdated Cisco RV320/325 routers and Netgear ProSafe routers. Notably, 30% of visible Cisco RV320/325 routers were compromised within just 37 days of the group’s renewed activity. The routers in question are end-of-life and no longer receive security updates, so their known flaws remain unpatched and exploitable.

Ongoing Threats and International Implications

After the botnet disruption, a limited number of compromised devices were detected, and changes in command and control servers were observed. Despite the ongoing threats, the FBI has yet to comment on Volt Typhoon’s resurgence, and the Cybersecurity and Infrastructure Security Agency (CISA) did not respond to inquiries regarding the situation.

Volt Typhoon’s botnet was initially identified in 2023, with Microsoft and Five Eyes intelligence agencies disclosing access to U.S. critical infrastructure networks. The botnet employed a self-signed SSL certificate, labeled JDYFJ, and operated command-and-control infrastructure located in the Netherlands, Latvia, and Germany. By October 2023, Volt Typhoon was utilizing a compromised VPN device in New Caledonia to maintain covert connections between the Asia-Pacific region and the Americas.

In January 2024, following an FBI-led initiative, some of Volt Typhoon’s infrastructure was disrupted. However, the group quickly established new command and control servers, and the botnet continues to function, routing global traffic through the JDYFJ cluster, with active connections from New Caledonia.
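The two paragraphs above give defenders one concrete network indicator: the botnet's command-and-control traffic used a self-signed certificate labeled JDYFJ. The following is an added example (not code from the article or from SecurityScorecard) showing how a SOC analyst might sweep TLS connection logs for that indicator. It assumes a Zeek-style, tab-separated ssl.log layout with the fields listed in the comment; the sample records, addresses and timestamps are constructed for illustration.

```python
"""Flag TLS sessions whose server certificate is self-signed and carries the
JDYFJ label reported for the Volt Typhoon botnet.

Added example. The log layout (Zeek-like ssl.log fields) and the sample
records below are constructed assumptions, not data from the article."""
import re

# Constructed sample log: ts, src_ip, src_port, dst_ip, dst_port,
# server_name (SNI), certificate subject, certificate issuer.
# Record 1 and 4: self-signed, JDYFJ label -> should be flagged.
# Record 2: CA-issued cert for a normal site -> benign.
# Record 3: self-signed but a different label -> noted, not flagged.
SAMPLE_SSL_LOG = """\
1699999999.1\t10.0.0.5\t51234\t203.0.113.10\t443\t-\tCN=JDYFJ\tCN=JDYFJ
1699999999.2\t10.0.0.6\t51235\t198.51.100.7\t443\twww.example.com\tCN=www.example.com\tCN=Example CA
1699999999.3\t10.0.0.7\t51236\t192.0.2.20\t8443\t-\tCN=router\tCN=router
1699999999.4\t10.0.0.8\t51237\t203.0.113.11\t443\t-\tCN=jdyfj,O=x\tCN=jdyfj,O=x
"""

# Match the label as a whole token, case-insensitively, anywhere in the subject.
JDYFJ_LABEL = re.compile(r"\bJDYFJ\b", re.IGNORECASE)
FIELD_COUNT = 8


def parse_ssl_log(text):
    """Parse tab-separated TLS records into dicts; skip comments and malformed lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != FIELD_COUNT:
            continue  # malformed line: do not let one bad row abort the sweep
        ts, src_ip, src_port, dst_ip, dst_port, sni, subject, issuer = fields
        records.append({
            "ts": float(ts),
            "src_ip": src_ip,
            "src_port": int(src_port),
            "dst_ip": dst_ip,
            "dst_port": int(dst_port),
            "sni": sni,
            "subject": subject,
            "issuer": issuer,
        })
    return records


def is_self_signed(record):
    """A certificate whose subject equals its issuer is self-signed.
    Zeek writes '-' when the field is absent, so exclude that case."""
    return record["subject"] != "-" and record["subject"] == record["issuer"]


def find_jdyfj_sessions(records):
    """Return sessions to servers presenting a self-signed JDYFJ certificate."""
    return [
        r for r in records
        if is_self_signed(r) and JDYFJ_LABEL.search(r["subject"])
    ]


def self_signed_by_server(records):
    """Count self-signed sessions per destination IP for broader triage."""
    counts = {}
    for r in records:
        if is_self_signed(r):
            counts[r["dst_ip"]] = counts.get(r["dst_ip"], 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_ssl_log(SAMPLE_SSL_LOG)
    for hit in find_jdyfj_sessions(recs):
        print(f"JDYFJ C2 indicator: {hit['src_ip']} -> {hit['dst_ip']}:{hit['dst_port']} "
              f"subject={hit['subject']!r}")
    print("self-signed sessions per server:", self_signed_by_server(recs))
```

The JDYFJ match is the high-confidence hit; the per-server count of self-signed sessions is a lower-confidence triage view, since self-signed certificates are common on management interfaces and a hit there warrants a look at the destination rather than an automatic alert.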

In recent months, there has been a notable uptick in Chinese cyber espionage activities targeting U.S. and global networks, underscored by both government officials and private security firms. In June, Volt Typhoon reportedly breached Singtel’s networks, employing a web shell during the incident. In August, the group exploited a Versa SD-WAN vulnerability to deploy credential-harvesting web shells. Additionally, in September, another Chinese government-backed group, Salt Typhoon, was accused of breaching U.S. telecom providers’ infrastructure. The FBI also disclosed that international law enforcement had disrupted a separate botnet operated by a different Beijing-linked group, Flax Typhoon, which targeted U.S. critical infrastructure and government entities.

Original Source: Read the Full Article Here