Share this article on:
A joint advisory released by the Five Eyes information-sharing alliance has revealed that the Chinese state-sponsored hacking group Volt Typhoon may have had access to critical infrastructure providers’ IT networks for at least five years.
The advisory, which was published by the US Cybersecurity and Infrastructure Security Agency (CISA), outlined the actions of state-sponsored hacking groups connected to the People’s Republic of China (PRC) in attempting to inject themselves into US critical infrastructure environments and disrupt their operations in the event of a conflict.
“CISA, NSA, FBI [as well as US critical infrastructure agencies and the Five Eyes alliance] … are releasing this advisory to warn critical infrastructure organisations about this assessment, which is based on observations from the US authoring agencies’ incident response activities at critical infrastructure organisations compromised by the PRC state-sponsored cyber group known as Volt Typhoon (also known as Vanguard Panda, BRONZE SILHOUETTE, Dev-0391, UNC3236, Voltzite, and Insidious Taurus),” the release said.
Volt Typhoon is known for targeting critical infrastructure sites and operators and for notoriously using living-off-the-land (LOTL) techniques in its attacks.
These are fileless attack techniques that leverage the capabilities of legitimate and already installed programs like PowerShell and Windows Management Instrumentation.
This makes them much harder to detect as the activity looks significantly more like standard and legitimate operations. As a result, threat actors are able to sit in a victim’s network environment for long periods of time.
This allows them to probe and shape a profile of an organisation, aiding in future, timely attacks.
The group had developed a botnet of compromised network devices, such as unsecured routers, to deploy these attacks.
“As the authoring agencies have previously highlighted, the use of living-off-the-land (LOTL) techniques is a hallmark of Volt Typhoon actors’ malicious cyber activity when targeting critical infrastructure,” the release said.
“The group also relies on valid accounts and leverages strong operational security, which, combined, allows for long-term undiscovered persistence.
“In fact, the US authoring agencies have recently observed indications of Volt Typhoon actors maintaining access and footholds within some victim IT environments for at least five years.
“Volt Typhoon actors conduct extensive pre-exploitation reconnaissance to learn about the target organisation and its environment; tailor their tactics, techniques, and procedures (TTPs) to the victim’s environment; and dedicate ongoing resources to maintaining persistence and understanding the target environment over time, even after initial compromise.”
Additionally, the US believes that groups like Volt Typhoon are setting up to launch serious disruptive cyber attacks during potential future conflicts.
“Volt Typhoon’s choice of targets and pattern of behaviour is not consistent with traditional cyber espionage or intelligence gathering operations, and the US authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions,” the advisory added.
“The US authoring agencies are concerned about the potential for these actors to use their network access for disruptive effects in the event of potential geopolitical tensions and/or military conflicts.”
These concerns were raised last year when Microsoft identified a campaign targeting critical infrastructure in Guam and the mainland US operated by Volt Typhoon.
One of the targets of the Volt Typhoon botnet as part of this campaign was a critical infrastructure operator located on the US territory of Guam, leading officials to believe that the group may launch an attack on the operator, disrupting military capabilities as tensions between China and the US grow over Taiwan.
The US CISA and Five Eyes release recommends several mitigations, such as to “apply patches for internet-facing systems within a risk-informed span of time” and to “use third-party assessments to validate current system and network security compliance”.
“The authoring agencies recommend organisations implement the mitigations below to improve your organisation’s cyber security posture on the basis of Volt Typhoon activity,” said the release.
Volt Typhoon has been a significant target for the FBI, which successfully took down the group’s botnet. Volt Typhoon is trying and failing to revive it.
The FBI secured a warrant to take down the botnet on 6 December 2023, before taking control of one of the group’s command-and-control servers to cut the hackers’ access to the botnet devices.
Now, reports have suggested that the group is trying and failing to revive the botnet, with the Black Lotus Labs team at Lumen Technologies saying that the hacking group conducted an attack to infect 3,045 devices, including a third of the world’s internet-exposed NetGear ProSAFE routers.
This led to the infection of 630 devices.
“We observed a brief but concentrated period of exploitation activity in early December 2023, as the threat actors attempted to re-establish their command and control (C2) structure and return the botnet to working order,” said the Black Lotus Labs team.
“Over a three-day period from December 8 to December 11, 2023, KV-botnet operators targeted approximately 33 per cent of the NetGear ProSAFE devices on the Internet for re-exploitation, a total of 2,100 distinct devices.”
The Black Lotus Labs team added that it thwarted Volt Typhoon’s revival efforts through null-routing Volt Typhoon’s C2 and payload server from 12 December to 12 January.
“Despite the botnet operator’s best efforts, Lumen Technologies’ quick null-routing, along with the effects of the FBI’s court-authorised action, appear to have had a significant impact on the uptime, breadth, and sustainability of KV-botnet,” it said.
Additionally, the US Department of Justice, in tandem with the FBI, has launched a campaign to take down a Chinese hacking campaign targeting US critical infrastructure, in which Volt Typhoon plays a vital role.
China has previously responded to Five Eyes’ Volt Typhoon accusations, saying that they are part of a US scheme to mobilise Five Eyes against it.
“Obviously, this is a collective disinformation campaign by the United States to mobilise the Five Eyes countries for geopolitical purposes,” said Mao Ning, a spokesperson for the nation’s foreign ministry following the initial Microsoft reports back in May 2023.
“It is a report that has … a serious lack of evidence and is extremely unprofessional.
“As we all know, the Five Eyes is the world’s largest intelligence organisation and the NSA is the world’s largest hacker organisation, and it is ironic that they have joined forces to issue disinformation reports.”