Volt Typhoon, a Chinese state-sponsored threat actor, is resurging after its botnet infrastructure was disrupted in a U.S.-led takedown in February 2024. Previously, the botnet leveraged outdated Cisco and Netgear routers, which had reached end-of-life (EOL) status and no longer received security updates.
These routers were infected with KV Botnet malware and used as relays, letting Volt Typhoon disguise the origin of its attacks on critical national infrastructure (CNI) operators in the U.S. and abroad. Despite the takedown, threat analysts from SecurityScorecard have observed that Volt Typhoon is back, and is more sophisticated and persistent than before.
SecurityScorecard’s research reveals that Volt Typhoon has adapted and regrouped after the takedown, expanding its operations. The threat actor’s tactics have evolved, and it is increasingly targeting legacy systems, public cloud infrastructures, and third-party networks, which remain vulnerable.
SecurityScorecard’s senior vice president of threat research, Ryan Sherstobitoff, emphasized the growing threat posed by Volt Typhoon, warning that without decisive action the botnet could trigger a crisis in critical infrastructure by exploiting vulnerabilities that remain unresolved.
In its latest phase, Volt Typhoon has stood up new command-and-control servers on hosting providers including Digital Ocean, Quadranet, and Vultr, and has provisioned new SSL/TLS certificates for them to evade detection based on earlier indicators. It continues to exploit known, unpatched vulnerabilities in the EOL Cisco RV320/325 and Netgear ProSafe routers; in one recent campaign it compromised 30% of the internet-exposed Cisco RV320/325 devices visible to scanners within a single month. This shows the botnet’s ability to operate at scale and underscores how difficult its activity is to detect and remediate.
Volt Typhoon’s infrastructure has grown more complex, with compromised routers now acting as relays that blend into ordinary traffic. The routers run MIPS-based malware that opens covert connections and forwards traffic over ports chosen to avoid attention from defenders.
Webshells are implanted on the routers’ web interfaces to maintain persistent access and allow remote control. Because the malicious traffic is mixed in with normal network traffic, detection and cleanup are especially challenging, particularly in government and critical infrastructure networks where the botnet’s presence remains largely undetected.
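The relay behaviour described above has a defensive corollary: a router's own traffic is normally small and predictable (DNS, NTP, a vendor update check), so a router that itself opens large sessions to unexpected external ports, or whose management interface is reached from the internet, stands out once you look at flows from the router's perspective rather than at the traffic it forwards. The following is an added example written for this article, not code from SecurityScorecard or from the research it cites. The flow records, the router address, the allowlisted ports, the internal network list and the byte threshold are all constructed assumptions; the heuristic is generic and not a Volt Typhoon-specific indicator.

```python
"""Flag an edge router that behaves like a covert relay or has exposed management.

Added illustration (not from the article or SecurityScorecard). The flow records,
router address, expected-port allowlist and threshold are constructed assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records in a simplified NetFlow-like shape:
# (src_ip, src_port, dst_ip, dst_port, proto, bytes)
FLOWS = [
    # Router's own expected housekeeping traffic: DNS, NTP, vendor HTTPS.
    ("192.0.2.1", 51000, "198.51.100.53", 53, "udp", 120),
    ("192.0.2.1", 123, "198.51.100.123", 123, "udp", 76),
    ("192.0.2.1", 52000, "203.0.113.10", 443, "tcp", 4200),
    # Router itself pushing megabytes to an unusual high port on an external host:
    # the shape of a relay / C2 session rather than device housekeeping.
    ("192.0.2.1", 53122, "203.0.113.77", 8443, "tcp", 1_800_000),
    ("192.0.2.1", 53123, "203.0.113.77", 8443, "tcp", 2_100_000),
    # LAN client browsing through the router (NAT'd): normal, not router-originated.
    ("10.0.0.15", 49152, "203.0.113.10", 443, "tcp", 9000),
    # Inbound hits on the router's web management port from the internet:
    # consistent with an operator reaching a webshell.
    ("203.0.113.200", 40001, "192.0.2.1", 443, "tcp", 3000),
    ("203.0.113.200", 40002, "192.0.2.1", 443, "tcp", 2800),
    # Inbound management from the LAN: expected.
    ("10.0.0.15", 49200, "192.0.2.1", 443, "tcp", 500),
]

ROUTER_IP = "192.0.2.1"            # assumption: the router's WAN address
MGMT_PORTS = {80, 443, 8080}       # assumption: ports serving the web management UI
EXPECTED_EGRESS_PORTS = {53, 123, 443}  # assumption: what the router itself talks to
RELAY_BYTES_THRESHOLD = 1_000_000  # assumption: per (dst, port) byte volume worth a look

# Explicit internal ranges (RFC 1918). Deliberately not ipaddress.is_private, which
# also treats the documentation ranges used in this constructed sample as private.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """True if ip falls inside one of the configured internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def suspicious_egress(flows, router_ip=ROUTER_IP, expected_ports=EXPECTED_EGRESS_PORTS,
                      threshold=RELAY_BYTES_THRESHOLD):
    """Router-originated external sessions on unexpected ports or with large volume.

    Returns a sorted list of (dst_ip, dst_port, total_bytes). Traffic merely
    forwarded for LAN hosts is ignored: the source must be the router itself.
    """
    totals = defaultdict(int)
    for src, _sport, dst, dport, _proto, nbytes in flows:
        if src == router_ip and not is_internal(dst):
            totals[(dst, dport)] += nbytes
    return sorted((dst, dport, total) for (dst, dport), total in totals.items()
                  if dport not in expected_ports or total >= threshold)


def external_mgmt_access(flows, router_ip=ROUTER_IP, mgmt_ports=MGMT_PORTS):
    """External source addresses that reached the router's own management ports."""
    hits = {src for src, _sport, dst, dport, _proto, _nbytes in flows
            if dst == router_ip and dport in mgmt_ports and not is_internal(src)}
    return sorted(hits)


if __name__ == "__main__":
    for dst, dport, total in suspicious_egress(FLOWS):
        print(f"router-originated session to {dst}:{dport} ({total} bytes)")
    for src in external_mgmt_access(FLOWS):
        print(f"management interface reached from external address {src}")
```

On the constructed sample, the first check flags only the 203.0.113.77:8443 sessions (the DNS, NTP and vendor-HTTPS flows stay under the threshold and on allowlisted ports), and the second flags 203.0.113.200. Against a real router the allowlist has to be built from a known-clean baseline of that device's own egress, and an EOL device that fails either check should be treated as compromised and replaced rather than cleaned, since no vendor patch will close the hole it was entered through.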
By September 2024, Volt Typhoon had deployed a new botnet cluster that routes traffic globally, including through a compromised VPN device located in New Caledonia, a French territory in the South Pacific. This strategic placement helps the botnet avoid additional scrutiny while extending its reach.
Sherstobitoff cautioned that the CNI sector remains a prime target for Volt Typhoon because of its central role in economic stability and its reliance on outdated technologies. Furthermore, the weak defenses of third-party suppliers offer an easy entry point for advanced persistent threat (APT) actors like Volt Typhoon.