
US Advisory Warns of Volt Typhoon’s Threat



In a recent joint advisory, the US Cybersecurity and Infrastructure Security Agency (CISA) and international security agencies have sounded the alarm on Volt Typhoon, a state-sponsored advanced persistent threat group linked to the People’s Republic of China. The advisory highlights the group’s intent to exploit vulnerabilities in critical US infrastructure, potentially disrupting vital services and delaying US intervention in times of crisis or conflict. In this week’s Cyber Security Insights we look at the topic in more depth.

On February 7, 2024, the US Cybersecurity and Infrastructure Security Agency (CISA) and other international security agencies jointly issued an advisory on Volt Typhoon, a People’s Republic of China state-sponsored advanced persistent threat group. The advisory warned that Volt Typhoon had pre-positioned itself, using living off the land (LOTL) techniques, for disruptive or destructive cyber activity against US critical infrastructure in the event of a major crisis or conflict with the United States. Accordingly, the advisory provides actionable information to help organizations recognize Volt Typhoon’s attack methodology, apply mitigation measures, and track malicious cyber activity.

Figure 1. Cover of Cyber Security Advisory (PDF)

About the advisory

The advisory, issued jointly by CISA, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI) and the Five Eyes partners (a framework for sharing sensitive information among the intelligence agencies of the United States, the United Kingdom, Canada, Australia, and New Zealand), warns critical infrastructure organizations of the threat of a Volt Typhoon cyberattack. The advisory states that the group is preparing ahead of time to carry out serious cyberattacks in the event of a major military crisis or conflict. In the course of this activity, intrusions into US critical infrastructure networks have gone undetected for more than five years. The group’s activities reflect China’s ambitions for any future emergency, and the US government has become increasingly alarmed at the growing threat to its national security.

The head of the US intelligence service warned of the threat, telling Congress that if China invaded Taiwan, a cyberattack could compromise the critical infrastructure supporting US military operations and wreak havoc, causing real-world harm. At the same time, the partner nations’ own advisories described the threat of Volt Typhoon attacks on critical infrastructure in their countries, aiming to reduce the risk and impact of breaches.

Who is Volt Typhoon?

Volt Typhoon is a Chinese APT group (a group that, with state support, carries out sophisticated and sustained cyberattacks). Since mid-2021, Volt Typhoon has been targeting critical infrastructure such as communications, energy, water and wastewater systems, and transportation systems in Guam and the continental United States. Volt Typhoon became publicly known in May 2023, when Microsoft warned of activity targeting critical infrastructure. The group is believed to be laying the groundwork for cyberattacks that would disrupt or shut down critical US infrastructure and US military operations in the event of a future conflict, while using sophisticated techniques to avoid detection.

Volt Typhoon Techniques

Volt Typhoon attempts to gain initial access to critical infrastructure organizations’ IT environments by exploiting known or zero-day vulnerabilities in public-facing network appliances (e.g. routers, virtual private networks and firewalls). If successful, Volt Typhoon attempts to obtain administrative credentials within the network by exploiting privilege escalation vulnerabilities in operating systems or network services.

A key technique of Volt Typhoon is Living off the Land (LOTL), used to avoid detection. LOTL relies on or mimics legitimate software and functions already present on systems, which makes the activity hard to distinguish from routine administration. In addition, the group conducts extensive reconnaissance to learn the target organization’s network architecture and operational procedures, allowing it to adjust its tactics, techniques, and procedures (TTPs) according to its findings. CISA confirmed that, using these methods, Volt Typhoon maintained undetected access for as long as five years.
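Because LOTL activity uses binaries that administrators also run, detection has to look at how a tool is invoked (its arguments and parent process) rather than at whether it ran at all. The following is an added example, not code from the advisory or from NTT Security, that applies a small set of argument-aware rules to constructed process-creation events and escalates hosts where several distinct techniques cluster. The event fields, the rule list and the set of "benign parent" processes are illustrative assumptions that a real deployment would replace with its own baseline.

```python
"""
Rule-based triage of process-creation events for living-off-the-land (LOTL)
activity. Added example; the event schema, the rules and the sample events
are illustrative assumptions, not content from the CISA advisory.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    parent: str   # full path of the parent process
    image: str    # full path of the created process
    cmdline: str  # command line as logged


# (rule name, executable, regex over the command line, severity).
# The executables are ordinary Windows administration tools; only the
# arguments separate routine use from credential access, tunnelling or recon.
LOTL_RULES = [
    ("ntds_dump_via_ntdsutil", "ntdsutil.exe",
     re.compile(r"ac\s+i\s+ntds|activate\s+instance\s+ntds", re.I), "high"),
    ("portproxy_tunnel", "netsh.exe",
     re.compile(r"interface\s+portproxy\s+add", re.I), "high"),
    ("shadow_copy_creation", "vssadmin.exe",
     re.compile(r"create\s+shadow", re.I), "medium"),
    ("remote_proc_via_wmic", "wmic.exe",
     re.compile(r"process\s+call\s+create", re.I), "medium"),
    ("wmi_system_recon", "wmic.exe",
     re.compile(r"(computersystem|nicconfig|useraccount)\s+get", re.I), "low"),
]

# Assumed: parents from which these tools are launched by management tooling
# rather than by an interactive user. Matches are downgraded, never dropped.
BENIGN_PARENTS = {"services.exe", "msiexec.exe", "sccm-agent.exe"}


def image_name(path):
    """Basename of a Windows or POSIX path, lower-cased for comparison."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event):
    """Return the list of (rule_name, severity) pairs matched by one event."""
    hits = []
    name = image_name(event.image)
    for rule, exe, pattern, sev in LOTL_RULES:
        if name == exe and pattern.search(event.cmdline):
            if image_name(event.parent) in BENIGN_PARENTS:
                sev = "low"
            hits.append((rule, sev))
    return hits


def triage(events):
    """Group hits per host; escalate a host with a high hit or >=2 distinct rules."""
    per_host = {}
    for ev in events:
        for rule, sev in evaluate(ev):
            per_host.setdefault(ev.host, []).append((rule, sev, ev.user, ev.cmdline))
    escalate = {
        host for host, hits in per_host.items()
        if any(sev == "high" for _, sev, *_ in hits)
        or len({rule for rule, *_ in hits}) >= 2
    }
    return per_host, escalate


# Constructed sample events (not real telemetry); IPs and paths are placeholders.
SAMPLE_EVENTS = [
    ProcEvent("dc01", "CORP\\svc-backup", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\ntdsutil.exe",
              r'ntdsutil.exe "ac i ntds" ifm "create full C:\Windows\Temp\x" q q'),
    ProcEvent("dc01", "CORP\\svc-backup", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\netsh.exe",
              "netsh interface portproxy add v4tov4 listenport=9999 "
              "connectaddress=10.0.0.5 connectport=3389"),
    ProcEvent("ws07", "CORP\\alice", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\netsh.exe",
              "netsh advfirewall show allprofiles"),
    ProcEvent("ws07", "NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\services.exe",
              r"C:\Windows\System32\wbem\wmic.exe",
              "wmic computersystem get domain"),
    ProcEvent("fs02", "CORP\\bob", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\vssadmin.exe",
              "vssadmin create shadow /for=C:"),
]

if __name__ == "__main__":
    hits_by_host, escalated = triage(SAMPLE_EVENTS)
    for host, hits in hits_by_host.items():
        flag = "ESCALATE" if host in escalated else "review"
        print(f"{host}: {flag}")
        for rule, sev, user, cmd in hits:
            print(f"  [{sev}] {rule} by {user}: {cmd}")
```

The design point is the second escalation criterion: a single `vssadmin create shadow` or a WMI query is noise on its own, but two different LOTL techniques on the same host within the same window is the pattern worth a human look, which is why `fs02` and `ws07` stay at "review" while `dc01` is escalated.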

Volt Typhoon was observed testing access to Operational Technology (OT) assets and, in some cases, had the capability to reach camera surveillance systems used for monitoring at critical infrastructure sites. CISA analysis confirmed that Volt Typhoon is targeting access to OT equipment involved in controlling critical infrastructure.

FBI disrupts KV Botnet

Volt Typhoon used vulnerable small office and home office (SOHO) devices exposed to the Internet to form the KV Botnet. These compromised devices were then used as a covert data transfer network supporting various Chinese state-sponsored actors, including Volt Typhoon. The devices were primarily Cisco and NetGear products that were no longer supported by their manufacturers and therefore could no longer be updated.

On January 31, 2024, the FBI announced that it had obtained court approval to remove the KV Botnet malware from US-based SOHO devices in an attempt to disrupt the botnet. The FBI removed the KV Botnet malware and took additional steps to sever the devices’ connection to the botnet, such as blocking communication with the other devices used to control it.

On the same day, CISA and the FBI also issued guidance for manufacturers of SOHO devices on closing off the path that threat actors such as Volt Typhoon leverage, including guidance on eliminating exploitable vulnerabilities during product design and development and on adjusting default device configurations.

There have been numerous cases of various Chinese groups, including APT41, APT31, APT15, and TEMP.Hex, using IoT devices, smart devices, and routers to build botnets. Looking back over the past 10 years, Chinese groups have adopted botnet-building methods for purposes such as cyber espionage, and have evolved their attacks to be increasingly stealthy.

Summary

The Chinese state is behind Volt Typhoon, and the group appears to be aiming to delay or disrupt US intervention in the event of a major crisis or conflict in the future by conducting stealthy attacks on critical US infrastructure. To this end, it attempts to maintain access to critical infrastructure for a long time while avoiding detection. The goal is to be able to immediately shut down and control these critical resources while planning for further attacks in the future.

According to the CISA advisory, Guam was one of the targets of Volt Typhoon. Guam is an important military hub in East Asia and the Western Pacific for U.S. forces that stand ready to respond in the event of Chinese military action. Depending on the political situation surrounding Taiwan, the situation could change rapidly, and there are legitimate concerns about this group’s future activity. It is vitally important that infrastructure organizations prepare for future risks and act in accordance with this advisory.

About our Cyber Security Insights

This blog post is part of our Cyber Security Insights series, released several times every month, providing insights into the evolving threat landscape. Crafted by NTT Security Japan Inc. Consulting Services Department’s OSINT Monitoring Team and NTT Security Sweden’s Incident Response Team, our content includes expert analysis on recent breaches, vulnerabilities, and cyber events. Stay ahead of the curve with our timely updates and actionable intelligence, ensuring your digital assets remain secure in an ever-changing environment.
