DMR News


Chinese Hackers Exploit Outdated Routers in US Homes and Offices

By Huey Yee Ong

Feb 15, 2024


A group of hackers backed by the Chinese government, known as Volt Typhoon, has taken control of hundreds of small office/home office (SOHO) routers across the United States. Despite the FBI’s efforts to neutralize this threat in January, the hackers continue to pose a serious risk, compromising the digital security of countless Americans.

How Did Volt Typhoon Emerge?

Volt Typhoon’s strategy relied on malware known as the “KV-botnet,” which was covertly installed on routers in small offices and homes. Routing their traffic through these compromised devices allowed the attackers to operate anonymously and obscure the trail back to China.

The Department of Justice (DOJ) has expressed serious concerns about these breaches, emphasizing how they granted the People’s Republic of China (PRC) unauthorized access to essential facets of US infrastructure.

Alarmingly, this access has been maintained in some cases for over five years, highlighting a significant lapse in digital security as reported by the US Cybersecurity and Infrastructure Security Agency (CISA).

What Strategy Did Volt Typhoon Use?

The significance of these cyberattacks extends beyond the mere unauthorized access to critical data. Dakota Cary, a nonresident fellow at the Atlantic Council’s Global China Hub and a China-focused consultant at SentinelOne, elaborated on the strategic implications of these operations.

He highlighted the doctrinal difference between the Chinese military’s approach to cyber warfare and that of the rest of the world, especially in targeting infrastructure critical for civilian use with the intent to impact civilians directly. This method of operation not only diverges from international norms but also raises serious ethical and security issues on a global scale.

The Risk to Outdated Technology

According to DOJ’s investigation, the following are the primary victims of these cyberattacks:

  • Target Devices: The primary targets were older, often outdated routers from well-known manufacturers such as Cisco and Netgear.
  • Vulnerability Reasons: These devices are particularly vulnerable due to:
    • Lack of regular software updates
    • Absence of the latest security patches
  • Ideal Targets: Their outdated nature makes them ideal targets for cybercriminals like Volt Typhoon, who can exploit these weaknesses to gain unauthorized access.

Volt Typhoon’s Current Threat Level

Anne An, a lead threat intelligence researcher at cybersecurity firm Trellix, shed further light on the ongoing nature of the threat posed by Volt Typhoon.

  • Emergence and Persistence: Although Volt Typhoon only emerged in the cyber espionage arena in 2021, the threat it poses remains significant.
  • Daily Detection Rates: Trellix identifies between 100 and 160 instances of Volt Typhoon’s malicious activity daily, showing that the group remains active.
  • Comparative Threat Level: This level of activity starkly contrasts with other, more established Chinese advanced persistent threat (APT) groups. For example, some APT groups may see up to 300,000 detections in a single week, highlighting Volt Typhoon’s unique operational footprint.

Are Volt Typhoon’s Operations Becoming More Sophisticated?

Volt Typhoon’s adoption of “living-off-the-land” (LOTL) techniques, which involve the use of legitimate tools within the victim’s environment to evade detection, marks a sophisticated evolution in their operational tactics. Such methods, previously associated with the North Korean state-sponsored Lazarus Group, indicate a mature operational philosophy that prioritizes stealth and deniability.

Cary commented on this evolution, noting its reflection of a broader trend towards operations that are increasingly difficult to detect and attribute, complicating the task of cybersecurity professionals and intelligence agencies in defending against such threats.

A Shift in Cyber Warfare Strategy

Cary also discussed the broader implications of Volt Typhoon’s approach, contrasting its focus on civilian targets with the more accepted practice of targeting military infrastructure in cyber warfare. This distinction highlights a significant ethical divide in the conduct of cyber operations, with potential ramifications for international law and the rules of engagement in digital conflicts.

As China’s cyber intelligence capabilities have grown more sophisticated over the past decade and a half, the activities of groups like Volt Typhoon mark a significant escalation in cyber warfare tactics. This ongoing challenge underscores the urgent need for enhanced cybersecurity measures and international collaboration to defend against the evolving threat of state-sponsored cyber espionage. The continued operations of Volt Typhoon, despite efforts to disrupt their network, remind us of the persistent and sophisticated challenges that nations face in securing their digital frontiers in today’s interconnected world.
