Feds confirm remote kill of Volt Typhoon SOHO botnet

US law enforcement has disrupted the infrastructure of the infamous Chinese state-sponsored cyberattack group known as Volt Typhoon.

The advanced persistent threat (APT), which FBI Director Christopher Wray said this week is “the defining cyber threat of this era,” is known for running a large botnet built by compromising poorly secured small office/home office (SOHO) routers. The state-backed group uses it as a springboard for other attacks, particularly against US critical infrastructure, because the distributed nature of the botnet makes its activity difficult to track and attribute.

After Reuters reported the takedown earlier this week, US officials confirmed the enforcement action late yesterday. The FBI announced that it mimicked the attackers’ command-and-control (C2) network to send a remote kill command to routers infected with the “KV Botnet” malware used by the group.

“The court-authorized operation eliminated the KV Botnet malware from the routers and took additional steps to disrupt their connection to the botnet, such as blocking communications with other devices used to control the botnet,” according to the FBI statement.

The statement added that “the vast majority of routers that made up the KV Botnet were Cisco and Netgear routers that were vulnerable because they had reached ‘end of life’ status; that is, they were no longer supported by manufacturer security patches or other software updates.”

While silently reaching into edge devices owned by hundreds of small businesses might seem alarming, the feds stressed that they accessed no information on the devices and did not affect any legitimate functions of the routers. The mitigations are also not persistent: router owners can remove them by rebooting the device, although a rebooted router is once again susceptible to reinfection.

Volt Typhoon’s industrial rampage will continue

Volt Typhoon (also known as Bronze Silhouette and Vanguard Panda) is part of a broader Chinese effort to infiltrate utilities, energy companies, military bases, telecommunications companies, and industrial sites in order to pre-position malware in preparation for disruptive and destructive attacks down the line. The goal is to be able to degrade the United States’ ability to respond if a kinetic conflict breaks out over Taiwan or over trade issues in the South China Sea, Wray and other officials warned this week.

It is a departure from China’s usual hacking and espionage operations. “Cyber warfare focused on critical services like utilities and water points to a different ending [than cyber espionage],” says Austin Berglas, global head of professional services at BlueVoyant and a former special agent in the FBI’s cyber division. “The focus is no longer on benefit, but on harm and strongholds.”

Given that rebooting a router opens the device up to reinfection, and the fact that Volt Typhoon surely has other ways to launch stealthy attacks against its critical infrastructure targets, the legal action is expected to be only a temporary disruption for the APT, a fact that even the FBI acknowledged in its statement.

“The US government’s actions have likely significantly destroyed Volt Typhoon’s infrastructure, but the attackers themselves remain at large,” Toby Lewis, global head of threat analysis at Darktrace, said via email. “Targeting infrastructure and dismantling attackers’ capabilities usually leads to a period of quiet on the part of actors as they rebuild and retool, which we are likely to see now.”

Even so, the good news is that the United States is now “in tune” with China’s strategy and tactics, says Sandra Joyce, vice president of Mandiant Intelligence – Google Cloud, which worked with the feds on the disruption. She says that in addition to using a distributed botnet to constantly shift the apparent source of their activity and stay under the radar, Volt Typhoon also minimizes the signatures that defenders use to hunt them across networks and avoids dropping any binaries that might persist as indicators of compromise (IoCs).

However, “activities like this are extremely difficult to monitor, but not impossible,” says Joyce. “Volt Typhoon’s purpose was to dig in silently for a contingency without drawing attention to itself. Fortunately, Volt Typhoon has not gone unnoticed, and while the hunt is challenging, we are already adapting to improve intelligence gathering and counter this actor. We see them coming, we know how to identify them and, most importantly, we know how to strengthen the networks they are targeting.”
