Cyber-espionage group Volt Typhoon resurfaces globally

The resurgence of Volt Typhoon, a state-sponsored cyber-espionage group from the Asia-Pacific region known for exploiting outdated infrastructure, poses renewed threats to global governments and critical infrastructure.

Ryan Sherstobitoff, Senior Vice President of Threat Research and Intelligence at SecurityScorecard, stated, "A silent danger is sweeping through the world's critical infrastructure. The SecurityScorecard STRIKE Team has uncovered a resurgence of Volt Typhoon—a state-sponsored cyber-espionage group from the Asia-Pacific region, known for its precision and persistence."

Volt Typhoon's attacks focus on exploiting vulnerabilities in legacy devices such as Cisco RV320/325 and Netgear ProSafe routers. These devices, which are no longer supported by their manufacturers, are used as relay boxes for their operations, creating a covert transfer network that is difficult to detect, especially in sectors still reliant on outdated technology.

The STRIKE Team's investigation revealed that 30% of visible Cisco RV320/325 routers were compromised by Volt Typhoon within just 37 days. The botnet remains concealed by mimicking normal network traffic, making it challenging to uncover and remove, particularly from critical infrastructure, where obsolete technology is still prevalent.

Volt Typhoon's renewed activity dates back to 2019 when vulnerabilities in Cisco routers exposed industries such as energy to potential breaches. By late 2023, the group launched a botnet identified by a self-signed SSL certificate named JDYFJ, leveraging command and control servers located in the Netherlands, Latvia, and Germany.

By October 2023, their network further expanded with a compromised VPN device in New Caledonia, facilitating covert connections between the Asia-Pacific and the Americas. Subsequent global law enforcement actions in early 2024 disrupted parts of the botnet, but Volt Typhoon quickly adapted by setting up new command servers and registering fresh SSL certificates to maintain their operations.

The compromised routers act as digital chameleons, concealing the movement of data within ostensibly routine network operations. Analysts have identified MIPS-based malware resembling Mirai on these devices, employing methods such as port forwarding to maintain undetected communications.

Webshells like fy.sh are implanted strategically in routers, enabling Volt Typhoon to retain remote access and complicate removal efforts. New Caledonia remains a pivotal hub for these operations, bridging traffic between regions silently.

The findings underscore the vulnerabilities inherent in critical infrastructure's dependence on outdated technology and third-party vendors, making them attractive targets for state-sponsored attacks aimed at destabilizing economies by disrupting vital sectors such as energy.

Despite not deploying ransomware directly, Volt Typhoon operates in an ecosystem impacted by the Ransomware-as-a-Service (RaaS) model, where ransom payments funded by cybercriminals enhance their capabilities, posing increased risks exacerbated by reliance on third-party vendors and cloud services.

A SecurityScorecard and KPMG report highlights that third-party breaches account for 45% of incidents in the U.S. energy sector. The report suggests that AI-powered attacks could intensify these threats, stressing the importance of robust cybersecurity measures throughout the supply chain.

International collaboration has been urged since 2023, following an initiative led by the United States and supported by 68 nations, including the G7's commitment to enhancing security in critical sectors such as energy to fight ransomware threats.

Ryan Sherstobitoff concludes, "Volt Typhoon is both a resilient botnet— and a warning. Without decisive action, this silent threat could trigger a critical infrastructure crisis driven by vulnerabilities left unresolved."