China's Volt Typhoon Found Lurking in Critical Infrastructure for Years

A recent operation disrupted a Volt Typhoon botnet, but the group has had persistent access to critical infrastructure for years.

Carrie Pallardy, Contributing Reporter

February 8, 2024


At a Glance

  • A China-sponsored group is hacking western countries’ critical infrastructure.
  • The group targeted water treatment facilities, power plants, and more.
  • More nation-states are likely to conduct similar attacks.

On Feb. 7, the Cybersecurity and Infrastructure Security Agency (CISA), along with other US government agencies and government agencies in Australia, Canada, the UK, and New Zealand, released a cybersecurity advisory on Volt Typhoon, a People’s Republic of China (PRC) state-sponsored actor. The hacking group has maintained persistent access to some of its critical infrastructure victims for at least five years, according to the advisory.

This insight into Volt Typhoon’s activity comes about a week after the US Department of Justice announced that a court-authorized operation disrupted the group’s KV Botnet. As nation state threat actor activity continues, what do security leaders need to know about this particular group, the recent takedown operation, and the outlook for continuing threats?

Volt Typhoon’s Activity

Volt Typhoon has a history of targeting critical infrastructure organizations. “Water treatment facilities, power plants, nuclear, you name it. If it's critical infrastructure, they want it,” Greg Hatcher, CEO of cybersecurity consultancy White Knight Labs, tells InformationWeek. The group has compromised critical infrastructure organizations in the continental US, non-continental US and US territories, like Guam, according to the cybersecurity advisory.


“They have tended to use a lot ... more living off the land or hands-on keyboard techniques,” says Rob Ames, a staff threat researcher at SecurityScorecard, a cybersecurity ratings company. “Once they're on a network, [they are] doing … manual work to conduct the compromises or then collect information, rather than activity generated by malware, which might be faster but also perhaps have more giveaways of its activity.”

These stealthy tactics could account for the relatively small number of detections associated with Volt Typhoon compared to other PRC-backed actors, such as APT10. “If you pull week-long data on APT10, it can easily be like 200,000 detections across the world. And for Volt Typhoon, we're only seeing maybe like 1,000, 2,000 detections,” shares Anne An, a threat intelligence researcher at cybersecurity company Trellix.

Volt Typhoon roped hundreds of small office/home office (SOHO) routers into its KV Botnet. The botnet helped conceal the group's PRC origins as it went after victim organizations. The majority of the routers in the botnet were end-of-life Cisco and Netgear routers, according to the cybersecurity advisory.

The Takedown Operation

The court-authorized operation took place in December 2023. The operation “... deleted the KV Botnet malware from the routers and took additional steps to sever their connection to the botnet, such as blocking communications with other devices used to control the botnet,” according to the Justice Department press release.


The Department of Justice and the Federal Bureau of Investigation (FBI) worked with private sector partners to carry out the operation.

“This is the time when the private and public sector experts try to work together to figure out ways to mitigate, to protect … our systems and even to predict threats to … figure out what to do next,” says An.

On Feb. 7, Lumen Technologies’ Black Lotus Labs reported findings on the KV Botnet, including attempts by the group to revive the botnet. It appears that the takedown operation, as well as “Lumen Technologies’ quick null-routing,” has had a noticeable impact.

“We believe that the main arm of the botnet, the KV cluster, has been rendered inert due to the action of US law enforcement,” according to the report.

The operation has thwarted some of the group’s activity, but the actors behind Volt Typhoon have not been caught. Even so, there is value in disrupting threat actors like this.

“Ultimately, while potentially only short-lived, this takedown operation raises the cost to the attackers,” Toby Lewis, global head of threat analysis at cybersecurity company Darktrace, shares in an email interview. “It forces them to scrap potentially years of technical investment and development, and in the case of active operations, forces them to abandon any footholds they may have claimed.”


Ongoing Threats

While Volt Typhoon hit a snag with the disruption of the KV botnet, it and other nation state threat actors are likely to continue targeting critical infrastructure. “China’s hackers are targeting American civilian critical infrastructure, pre-positioning to cause real-world harm to American citizens and communities in the event of conflict,” FBI Director Christopher Wray said in the Justice Department press release.

An stresses the importance of operational technology (OT) security. “[We] just assume it runs and all it has to do is to run, to function, like the water system, utility system, but when it becomes a weapon in event of conflict … that becomes a pretty big problem,” she says.

Volt Typhoon has shown itself to be adept at avoiding detection. “That may … mean that it has a lot of compromised routers or other network edge devices at its disposal,” Ames points out. The group has also proven to be adaptable; it could pivot to target other vulnerable devices.

“The challenge for security teams then is there is often a lag between a new capability being released, and it being detected by threat intelligence-led systems,” says Lewis. “This blind spot underscores the importance of anomaly-based threat detection solutions that can detect subtle, emerging, and novel threats and take targeted action without relying on knowledge of the attacker's specific systems.”

In the cybersecurity advisory, CISA recommends patching appliances known to be exploited by Volt Typhoon, implementing phishing-resistant multi-factor authentication, and turning on logging for application, access, and security logs and storing those logs.

Inventorying devices to discover end-of-life equipment is an important step critical infrastructure organizations can take, but it can be difficult when many of these organizations lack security talent and resources. But there are free resources that organizations can use to scan their networks for exposed devices.

“Organizations [can] start there … for trying to identify and then hopefully remove and replace potentially vulnerable devices on their own network,” says Ames. “And that could further diminish Volt Typhoon’s capacities, just by reducing the tools available to them.”

About the Author(s)

Carrie Pallardy

Contributing Reporter

Carrie Pallardy is a freelance writer and editor living in Chicago. She writes and edits in a variety of industries including cybersecurity, healthcare, and personal finance.
