Chinese state-backed hackers have been hiding in US critical infrastructure for over five years

Chinese government-backed hackers have infiltrated critical infrastructure networks within the United States for at least the past five years with the goal of launching disruptive or destructive cyberattacks, according to a joint assessment by the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI).

The agencies warn that the threat actors are strategically positioning themselves within IT networks, ready to execute attacks in the event of a major crisis or conflict with the United States.

US authorities first called out the activity, tracked under the umbrella term “Volt Typhoon,” in May 2023. The hackers employ multiple tactics, including exploiting vulnerabilities in routers, firewalls, and VPNs for initial access to critical infrastructure systems.

Once inside, they use stolen administrator credentials to maintain their foothold, which could allow them to manipulate vital systems such as heating, ventilation, and air conditioning (HVAC) in server rooms, or disrupt crucial energy and water controls.

Moreover, the hackers have shown a capability to access camera surveillance systems at critical infrastructure facilities, although the extent of their exploitation remains unclear. They employ living-off-the-land techniques, using legitimate tools already present on the target system, to maintain undetected persistence for extended periods.

Additionally, the hackers conduct extensive pre-compromise reconnaissance so that their activity blends in with normal operations; for example, they refrain from using compromised credentials outside of normal working hours to avoid triggering security alerts.
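Because the actors deliberately keep credential use inside business hours, an off-hours-only alert rule never fires on them. The added example below (not from the advisory or the article) contrasts that naive rule with a per-account source-host baseline over a few constructed logon records; the business-hours window, host names and accounts are assumptions.

```python
from datetime import datetime

# Constructed baseline: (account, source_host) pairs seen during a learning window.
BASELINE = {
    ("svc_admin", "jump-01"),
    ("svc_admin", "jump-02"),
    ("j.doe", "ws-17"),
}

# Constructed logon events (ISO timestamp, account, source host, privileged flag).
# 2023-12-08 is a Friday, 2023-12-09 a Saturday, 2023-12-11 a Monday.
EVENTS = [
    {"ts": "2023-12-08T09:12:00", "account": "svc_admin", "src": "jump-01", "privileged": True},
    {"ts": "2023-12-08T14:40:00", "account": "svc_admin", "src": "ws-17", "privileged": True},  # in hours, new host
    {"ts": "2023-12-09T03:05:00", "account": "j.doe", "src": "ws-17", "privileged": False},  # off hours, known host
    {"ts": "2023-12-11T11:00:00", "account": "j.doe", "src": "ws-17", "privileged": False},
]


def off_hours(ts, start=8, end=18):
    """True when a logon falls outside an assumed Mon-Fri 08:00-18:00 window."""
    t = datetime.fromisoformat(ts)
    return t.weekday() >= 5 or not (start <= t.hour < end)


def off_hours_admin_alerts(events):
    """Naive rule: privileged logons outside business hours only."""
    return [e for e in events if e["privileged"] and off_hours(e["ts"])]


def new_source_admin_alerts(events, baseline):
    """Baseline rule: privileged logons from a host never seen for that account, at any hour."""
    return [
        e for e in events
        if e["privileged"] and (e["account"], e["src"]) not in baseline
    ]


if __name__ == "__main__":
    print("off-hours rule:", off_hours_admin_alerts(EVENTS))  # nothing fires
    print("baseline rule:", new_source_admin_alerts(EVENTS, BASELINE))  # svc_admin from ws-17
```

The in-hours admin logon from an unfamiliar host is the only event the baseline rule flags; the timing rule alone sees nothing.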

US intelligence agencies said that Volt Typhoon is just one of several Chinese state-backed cyber actors engaged in such activities but didn’t name other hacking groups involved.

Earlier this month, the FBI and US Department of Justice took down the KV Botnet operated by Volt Typhoon, which had compromised hundreds of US-based routers used by small businesses and home offices.

The law enforcement operation deleted the KV Botnet malware from the routers and severed their connection to the botnet, blocking communications with other devices used to control the botnet.

According to a recent report from Lumen Technologies' Black Lotus Labs team, since the takedown Volt Typhoon has been attempting to rebuild its command and control (C2) infrastructure and return the botnet to working order.

“Over a three-day period from December 8 to December 11, 2023, KV-botnet operators targeted approximately 33% of the NetGear ProSAFE devices on the Internet for re-exploitation, a total of 2,100 individual devices,” the researchers said. “This shift in priorities by the operators appeared to cause rippling effects on the other clusters within KV-botnet, resulting in, for example, a 50% decrease in bots in the scanning and reconnaissance cluster we referred to as ‘JDY.’”

Black Lotus said it disrupted the Chinese hackers' endeavors to revive the botnet by null-routing the attacker's complete C2 and payload server infrastructure over the course of a month, spanning from December 12 to January 12.

“We carefully monitored this space over the month of January 2024 and have not detected any net new C2 servers being activated,” the team said.
