Feds Reportedly Try to Disrupt 'Volt Typhoon' Attack Infrastructure

The US government, in collaboration with private sector stakeholders, has been quietly working to disrupt the attack infrastructure of "Volt Typhoon," a dangerous China-linked threat group associated with numerous attacks targeted at US critical infrastructure since at least mid-2021.

Reuters, citing multiple unnamed sources, on Jan. 30 reported the activity as involving attempts by the US to remotely disable aspects of the Chinese operation over the past few months. The US Department of Justice and the FBI are spearheading the effort after seeking and obtaining legal authorization, according to Reuters.

Remote Disruption

The disruption efforts reportedly stem from growing anxiety within the US intelligence community about widespread hacking activity — including ransomware — by China-linked groups in general and Volt Typhoon in particular. "Volt Typhoon has especially alarmed intelligence officials who say it is part of a larger effort to compromise Western critical infrastructure, including naval ports, Internet service providers, and utilities," Reuters said.

The big concern is that the threat actor is helping lay the groundwork for capabilities that would let China disrupt capabilities in the Indo-Pacific region that support or service US military operations in the area. "Sources said US officials are concerned the hackers were working to hurt US readiness in case of a Chinese invasion of Taiwan," Reuters said.

Microsoft, one of the first to publicly report on Volt Typhoon last May, has similarly concluded that the threat actor's objective is to develop capabilities that would allow it to disrupt communications infrastructure between the US and the Asian region during a future crisis. The group's victims have included organizations in the communications, transportation, maritime, government, utility, and information technology sectors.

Microsoft has described Volt Typhoon as putting a strong emphasis on stealth by, for example, almost exclusively using legitimate tools, living-off-the-land techniques, and hands-on keyboard activity in its attacks. The group also has often tried to blend its malicious presence into normal network activity by using compromised small office and home office (SOHO) network devices to route its traffic. "Observed behavior suggests that the threat actor intends to perform espionage and maintain access without being detected for as long as possible," Microsoft said.

In December 2023, researchers at Lumen identified Volt Typhoon as one among several Chinese threat groups using a large SOHO botnet, dubbed KV-Botnet, as command-and-control (C2) infrastructure in attacks against high-value targets. Lumen assessed the botnet — composed largely of legacy Cisco, DrayTek, and Netgear routers — as something that Volt Typhoon likely used in attacks against an Internet service provider, two telecommunications firms, and a US government agency in Guam.

More recently, SecurityScorecard reported observing Volt Typhoon attempting to compromise end-of-life Cisco RV320 routers and make them part of its growing C2 botnet.  As part of the campaign SecurityScorecard researchers observed Volt Typhoon dropping a hitherto unknown — and as yet unanalyzed — Web shell dubbed fy.sh on compromised systems.

According to Reuters, the US government has asked several unnamed cloud computing companies, telecommunications firms, and private technology companies for their assistance in tracking and taking down Volt Typhoon activity. Officials from the White House have met with leaders from private sector stakeholder organizations, Reuters said, to discuss plans for disrupting Volt Typhoon activities.