The FBI and DOJ are on the offensive against a Chinese hacking group thought to have infiltrated US critical infrastructure, according to a Reuters report citing anonymous officials. “Volt Typhoon” became a priority focus for the US government after Microsoft documented its quiet compromise of thousands of devices, with the aim of having a means of sabotage at hand if war breaks out in Taiwan.
The officials indicated that at least part of the botnet the group uses for attacks has been crippled, though prior analysis by security researchers concluded that it is essentially “unkillable.” The incident serves as a warning to all organizations to review old routers, security cameras and similar devices, and to address any that are past their end-of-life and can no longer be adequately secured.
Volt Typhoon lurking in critical infrastructure, ready for war
The officials did not say to what exact extent the Chinese hacking group’s capacity was diminished, but efforts by US cyber defense teams are apparently ongoing. Microsoft’s May 2023 report on the compromise of critical infrastructure prompted the wave of action, but various other security firms have since been analyzing the group’s activities and issuing warnings about its ongoing attempts to compromise vulnerable internet-facing devices: two very recent reports indicate it is specifically looking for certain Cisco router models and Axis IP cameras.
Though the current campaign against critical infrastructure came to light less than a year ago, Volt Typhoon is thought to have been active since at least mid-2021. It has been more difficult to detect than other state-sponsored Chinese hacking groups because of the apparent narrowness of its mission. It does not engage in destructive attacks, nor does it attempt to exfiltrate files for espionage; it works only to find soft spots in defenses and settle in to “live off the land” until needed in the event of all-out war with the US.
The group is no doubt skilled, yet it very rarely deploys malware or takes an approach that could tip off defenders to its presence. It focuses instead on exploiting documented vulnerabilities in specific devices, which allow it to slip into critical infrastructure targets without detection. The best defense against this particular threat actor is therefore to not leave those doors open for it.
Chinese hacking group preys on neglected devices
The FBI and DOJ have reportedly received legal authorization to go on the offensive against the Chinese hacking group and remove it from networks. However, the nature of the group’s approach makes it impossible to box it out of critical infrastructure entirely. So long as organizations are using legacy devices that cannot be properly secured, it will have openings.
Should a war break out over the fate of Taiwan, the group is expected to disrupt power and internet service to military installations in the Pacific by way of the footholds it has established. There is some indication it may also attempt attacks in the mainland US, hoping to erode popular support for the war with random critical infrastructure outages.
The group’s primary weapon is called the KV-Botnet, which is made up of likely thousands of compromised devices and is used for command-and-control. Its activity highlights the need for vigilance in keeping an updated inventory of outdated and known-vulnerable devices, particularly in organizations that could serve as a pathway to a critical infrastructure target.