The US Cybersecurity and Infrastructure Security Agency (CISA), along with the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and international partners released a security advisory for critical infrastructure organizations highlighting dangers posed by a Chinese state-sponsored threat actor known as ‘Volt Typhoon.’
In February 2024, the FBI and US Department of Justice took down the KV Botnet operated by Volt Typhoon, which had compromised hundreds of US-based routers used by small businesses and home offices.
The law enforcement operation deleted the KV Botnet malware from the routers and severed their connection to the botnet, blocking communications with the other devices used to control it. Since the takedown, Volt Typhoon has been attempting to rebuild its command and control (C2) infrastructure and return the botnet to working order, but without success.
While Volt Typhoon has been observed since early 2023, there are indications that the group may have been active as far back as 2021, with potential overlaps with another threat group known as Kostovite, a threat actor observed targeting the industrial sector in North America and Australia. This group has overlaps with UNC2630, a Chinese-speaking cyber threat group, and is associated with 12 malware families.
Volt Typhoon employs various techniques to gain access to targeted organizations' networks. For initial access, the group compromises external network perimeter applications and assets such as small office/home office (SOHO) routers and virtual private network gateways (Fortinet FortiGuard, PRTG Network Monitor appliances, FatePipe WARP, Ivanti Connect Secure VPN, Cisco ASA, and ManageEngine ADSelfService Plus). Once within the target’s network, the attackers leverage living-off-the-land (LOTL) techniques and stolen credentials to move laterally through the network.
The agencies published a fact sheet to help owners and operators of critical infrastructure entities prioritize the protection of critical infrastructure and functions.
The fact sheet provides actionable guidance for leaders to empower their cybersecurity teams, secure their supply chains, and drive a culture of cybersecurity within their organizations.