beebright - stock.adobe.comNewsChinas Volt Typhoon rebuilds botnet in wake of takedownNine months after its malicious botnet comprising legacy routers was disrupted by the Americans, Chinese APT Volt Typhoon is rebuilding and presents as persistent a threat as everByAlex Scroxton,Security EditorPublished: 13 Nov 2024 16:06 The Chinese state threat actor most famously known as Volt Typhoon is staging a significant comeback after its botnet infrastructure was disrupted in a US-led takedown at the beginning of February 2024.Volt Typhoons malicious botnet comprised hundreds of Cisco and Netgear small and home office (SOHO) routers that had reached end-of-life (EOL) status and thus were no longer receiving security updates.The threat actor infected these devices with KV Botnet malware and used them to obfuscate the origins of follow-on hacks targeting critical national infrastructure (CNI) operations in the US and elsewhere.Now, nine months on, threat analysts from SecurityScorecard say that they have observed signs that Volt Typhoon is not only back in business, but is more sophisticated and determined than ever.SecurityScorecards Strike team has been poring over millions of data points collected from the organisations wider risk management infrastructure, and has determined that it is now adapting and digging in after licking its wounds in the wake of the takedown.The Strike Teams discoveries highlight the expanding threat posed by Volt Typhoon. As the botnet spreads and its tactics deepen, governments and corporations must urgently address weaknesses in legacy systems, public cloud infrastructures, and third-party networks, said SecurityScorecard senior vice-president of threat research and intelligence, Ryan Sherstobitoff.Volt Typhoon is both a resilient botnet and a warning. Without decisive action, this silent threat could trigger a critical infrastructure crisis driven by vulnerabilities left unresolved.In recent months Volt Typhoon has stood up new command servers using hosting services such as Digital Ocean, Quadranet and Vultr, and registered fresh SSL certificates to evade the authorities.The group has continued to exploit legacy vulnerabilities in Cisco RV320/325 and Netgear ProSafe routers. Sherstobitoff revealed that the operation was able to compromise 30% of the worlds visible Cisco RV320/325s in the space of just one month.The Strike Teams deep investigation has exposed Volt Typhoons complex network built on compromised SOHO and EOL devices. This group has weaponised outdated routers on a global scale, weaving layers of obfuscation that mask their presence and make detection exceptionally difficult, said Sherstobitoff.These compromised routers act as digital chameleons, facilitating the covert movement of data while mimicking normal network traffic. Analysts have identified MIPS-based malware on these devices, similar to Mirai, engineered to establish covert connections and communicate via port forwarding over 8443. This method keeps Volt Typhoons command operations off the radar, even for seasoned cyber security teams.Webshells, such as fy.sh, are strategically implanted in routers, allowing Volt Typhoon to maintain persistent access and secure remote control. The attack doesnt just hide it integrates seamlessly into routine network operations. The result? A resilient foothold, particularly within governmental and critical infrastructure sectors, that camouflages malicious activities and complicates any clean-up efforts, he said.As of September 2024, its new botnet cluster was observed routing traffic worldwide, much of it transiting through a compromised virtual private network (VPN) device which is acting as a silent bridge between Asia-Pacific and the US.This device is determined to be located somewhere in New Caledonia, a French island in the South Pacific Ocean, about 750 miles northwest of Queensland, Australia. By placing its hub in a location considered to be part of France though New Caledonias legal status as a sui generis overseas territory is both complex and controversial Volt Typhoon may be able to avoid additional scrutiny and extend the reach of its botnet even further.Sherstobitoff warned that CNI operators still presented an attractive target for Chinese state-sponsored attackers thanks to their essential role in economic stability, while the sectors lingering dependence on legacy technology is creating a perfect storm for disruption.He added that many third-party tech suppliers themselves lack robust defences, offering advanced persistent threat (APT) actors such as Volt Typhoon easy entry points.Read more about Volt TyphoonLumen Technologies researchers have observed Volt Typhoon exploitation of CVE-2024-39717 against four US organisations in the ISP, MSP and IT sectors.A panel of experts at RSA Conference 2024 discussed Volt Typhoon and warned the Chinese nation-state threat group is still targeting and compromising organisations.GCHQ director Anne Keast-Butler uses her first major public speech to warn that China poses a significant cyber security threat to the UK.In The Current Issue:Interview: Niall Robinson, head of product innovation, Met OfficeIAM: Enterprises face a long, hard road to improveDownload Current IssueHow enterprises can improve ROI on AI investments Data MattersHow To "Vawlt" Superclouds Networks GenerationView All Blogs