US authorities shutter Chinese hacking op targeting critical infrastructure

The US government has taken action against a Chinese hacking operation that infiltrated thousands of internet-connected devices, Reuters reported.

According to sources close to the matter, the US Department of Justice and the Federal Bureau of Investigation (FBI) have obtained legal authorization to remotely disable certain aspects of the Chinese hacking campaign.

The hacking group at the center of this operation, known as Volt Typhoon, has raised alarms among intelligence officials due to its involvement in a broader effort to compromise critical Western infrastructure, including targets such as naval ports, internet service providers, and utilities.

The Volt Typhoon campaign, first uncovered in May 2023, targeted organizations in the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.

The threat actor gained initial access to the victims’ networks via internet-facing Fortinet FortiGuard devices, although it is unclear how the devices themselves were breached in the first place. Once inside the network, the group obtained credentials for the Active Directory account used by the device and moved laterally to compromise other devices on the network.

The attacker has been observed proxying all its network traffic to its targets via compromised SOHO network edge devices, including ASUS, Cisco, D-Link, NETGEAR, and Zyxel products.

Recent developments indicate an expansion of Volt Typhoon operations and alterations to their hacking techniques, as reported by three individuals familiar with the matter.

The widespread nature of these cyberattacks has prompted a series of meetings between the White House and key players in the private technology industry, including telecommunications and cloud computing companies. During these discussions, the US government sought assistance in tracking and mitigating the malicious activities of Volt Typhoon.

National security experts have expressed concern that the breaches could empower China to remotely disrupt crucial facilities in the Indo-Pacific region, ultimately affecting US military operations. Officials fear that the hacking group may be working to undermine US readiness in the event of a potential Chinese invasion of Taiwan, the report said.

Earlier this month, cybersecurity researchers identified new infrastructure associated with Volt Typhoon. Approximately 30% of Cisco RV320/325 devices observed over a 37-day period may have been compromised by Volt Typhoon, leveraging well-known vulnerabilities (CVE-2019-1653, CVE-2019-1652) in Cisco routers, as well as 35 known vulnerabilities in the Dual Gigabit WAN VPN Router firmware.

Researchers discovered evidence of a previously undocumented web shell called ‘fy.sh’ on Cisco routers and other network edge devices targeted by Volt Typhoon, revealing a second web shell in addition to the well-known China Chopper. There is evidence that the hackers may have compromised devices belonging to the US, UK, and Australian governments.

