Chinese threat group Volt Typhoon tried to rebuild a sophisticated botnet targeting critical U.S. infrastructure in the weeks after it was dismantled by the FBI, but was foiled by a group of cybersecurity researchers.
The Justice Department announced last week the FBI untethered hundreds of small office/home office (SOHO) routers connected to Volt Typhoon’s KV botnet which it used to conceal internet traffic linked to its malicious activities.
The botnet takedown occurred in December, months after concerns about Volt Typhoon’s stealthy attacks against critical infrastructure were first made public. Researchers at Lumen’s Black Lotus Labs said over the following month they null-routed (blocked) connections between compromised routers and Volt Typhoon’s servers, preventing the botnet being reestablished.
While the demise of the botnet is a victory over the state-sponsored threat group, it has not allayed authorities’ significant concerns about the threat Volt Typhoon poses.
Yesterday U.S. federal agencies and cybersecurity directorates from four other countries revealed new details about the group, including that it had maintained access within some target organizations for at least the past five years.
Gang’s ‘concentrated’ effort to rebuild botnet
In a Feb. 7 post, Lumen’s Black Lotus Labs researchers said they observed “a brief but concentrated period of exploitation activity” in the days after the FBI takedown as Volt Typhoon tried to re-establish its command-and-control (C2) structure and reactive the botnet.
“Over a three-day period from December 8 to December 11, 2023, KV-botnet operators targeted approximately 33% of the NetGear ProSAFE devices on the Internet for re-exploitation, a total of 2,100 individual devices,” the researchers said.
“Despite the botnet operator’s best efforts, Lumen Technologies’ quick null-routing along with the effects of the FBI’s court-authorized action, appear to have had a significant impact on the uptime, breadth, and sustainability of KV-botnet.”
However, the researchers warned Volt Typhoon’s use of compromised routers and firewalls was a tactic they expected threat actors to continue using.
“There is a large supply of vastly out-of-date and generally considered end-of-life edge devices on the internet, no longer eligible to receive patches yet still performing well enough to stay in service for end users,” they warned.
“Attackers will continue to target medium to high-bandwidth devices as a springboard in the geographic areas of their targets, given that users will be unlikely to notice an impact, or to have the necessary monitoring forensic tools to detect an infection.”
Volt Typhoon embedded in target systems for five years
Meanwhile, the Cybersecurity and Infrastructure Security Agency (CISA), together with several other U.S. agencies and cybersecurity directorates in Canada, the UK, Australia and New Zealand, issued a new warning about Volt Typhoon with mitigation guidance it said all organizations should follow with urgency.
The agencies issued two in-depth advisories on Feb. 7. The first outlined the threats posed by People’s Republic of China (PRC) state-sponsored threat actors, including Volt Typhoon, and how to mitigate them. The second focused on threat actors’ (including Volt Typhoon’s) use of “living off the land” (LOTL) techniques.
“In recent years, the U.S. has seen a strategic shift in PRC cyber threat activity from a focus on espionage to pre-positioning for possible disruptive cyber-attacks against U.S. critical infrastructure,” CISA said in a statement.
The agencies’ first report described LOTL techniques as a hallmark of Volt Typhoon’s malicious activity when targeting critical infrastructure.
“The group also relies on valid accounts and leverage strong operational security, which combined, allows for long-term undiscovered persistence,” the report said.
“In fact, the U.S. authoring agencies have recently observed indications of Volt Typhoon actors maintaining access and footholds within some victim IT environments for at least five years.”
Urgent mitigation steps
The report emphasized three steps organizations should take immediately to mitigate Volt Typhoon activity:
- Apply patches for internet-facing systems and prioritize the patching of critical vulnerabilities in appliances known to be frequently exploited by Volt Typhoon.
- Implement phishing-resistant multi-factor authentication (MFA) security measures.
- Ensure logging is turned on for application, access, and security logs and store logs in a central system.
