Feds Reportedly Try to Disrupt 'Volt Typhoon' Attack Infrastructure

The China-linked threat actor's attacks on US critical infrastructure organizations have alarmed American intelligence officials, Reuters says.

3 Min Read
American and Chinese flags on computer keyboard
Source: Weitwinkel via Shutterstock

The US government, in collaboration with private sector stakeholders, has been quietly working to disrupt the attack infrastructure of "Volt Typhoon," a dangerous China-linked threat group associated with numerous attacks targeted at US critical infrastructure since at least mid-2021.

Reuters, citing multiple unnamed sources, on Jan. 30 reported the activity as involving attempts by the US to remotely disable aspects of the Chinese operation over the past few months. The US Department of Justice and the FBI are spearheading the effort after seeking and obtaining legal authorization, according to Reuters.

Remote Disruption

The disruption efforts reportedly stem from growing anxiety within the US intelligence community about widespread hacking activity — including ransomware — by China-linked groups in general and Volt Typhoon in particular. "Volt Typhoon has especially alarmed intelligence officials who say it is part of a larger effort to compromise Western critical infrastructure, including naval ports, Internet service providers, and utilities," Reuters said.

The big concern is that the threat actor is helping lay the groundwork for capabilities that would let China disrupt capabilities in the Indo-Pacific region that support or service US military operations in the area. "Sources said US officials are concerned the hackers were working to hurt US readiness in case of a Chinese invasion of Taiwan," Reuters said.

Microsoft, one of the first to publicly report on Volt Typhoon last May, has similarly concluded that the threat actor's objective is to develop capabilities that would allow it to disrupt communications infrastructure between the US and the Asian region during a future crisis. The group's victims have included organizations in the communications, transportation, maritime, government, utility, and information technology sectors.

Microsoft has described Volt Typhoon as putting a strong emphasis on stealth by, for example, almost exclusively using legitimate tools, living-off-the-land techniques, and hands-on keyboard activity in its attacks. The group also has often tried to blend its malicious presence into normal network activity by using compromised small office and home office (SOHO) network devices to route its traffic. "Observed behavior suggests that the threat actor intends to perform espionage and maintain access without being detected for as long as possible," Microsoft said.

In December 2023, researchers at Lumen identified Volt Typhoon as one among several Chinese threat groups using a large SOHO botnet, dubbed KV-Botnet, as command-and-control (C2) infrastructure in attacks against high-value targets. Lumen assessed the botnet — composed largely of legacy Cisco, DrayTek, and Netgear routers — as something that Volt Typhoon likely used in attacks against an Internet service provider, two telecommunications firms, and a US government agency in Guam.

More recently, SecurityScorecard reported observing Volt Typhoon attempting to compromise end-of-life Cisco RV320 routers and make them part of its growing C2 botnet.  As part of the campaign SecurityScorecard researchers observed Volt Typhoon dropping a hitherto unknown — and as yet unanalyzed — Web shell dubbed fy.sh on compromised systems.

According to Reuters, the US government has asked several unnamed cloud computing companies, telecommunications firms, and private technology companies for their assistance in tracking and taking down Volt Typhoon activity. Officials from the White House have met with leaders from private sector stakeholder organizations, Reuters said, to discuss plans for disrupting Volt Typhoon activities.

About the Author(s)

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights