Cyberespionage Hacking Group Volt Typhoon Targeting US Critical Infrastructure
The U.S. government dismantled the infrastructure of Chinese state-sponsored hacking group Volt Typhoon in a publicly disclosed counteroperation after the group targeted U.S. critical infrastructure.
An unnamed source told Reuters that the Department of Justice and the FBI sought and received a court order to remotely disable a Volt Typhoon hacking campaign that was first identified by Microsoft in March 2023.
Law enforcement remotely incapacitated certain elements of the hacking campaign in response to fears the group might be able to “remotely disrupt crucial facilities in the Indo-Pacific region, which, in some capacity, are involved in supporting or servicing U.S. military operations,” Reuters reported.
According to CNN, the court order allowed the Justice Department to update susceptible software on numerous U.S. devices that had been at risk of Chinese hacking.
The Cybersecurity and Infrastructure Security Agency published an advisory in mid-2023 highlighting a cluster of noteworthy activities by Volt Typhoon and noting its tactics and targets had evolved.
Volt Typhoon last month compromised outdated Cisco routers to target government entities in the United States, the United Kingdom and Australia.
Cyberespionage hackers from Beijing used vulnerabilities that had been initially disclosed in early 2019 to build a botnet comprising Cisco small office and home office routers, as reported by SecurityScorecard in January.
The cybersecurity firm said that over a 37-day period, it observed Volt Typhoon, also referred to as Bronze Silhouette, successfully compromise nearly one-third of the susceptible Cisco routers.
Reuters reported that the recent activity by the hacking group had alarmed intelligence officials, who said “it is part of a larger effort to compromise Western critical infrastructure, including naval ports, internet service providers and utilities.”
“The actor is not doing the quiet intelligence collection and theft of secrets that has been the norm in the U.S. They are probing sensitive critical infrastructure so they can disrupt major services if, and when, the order comes down,” John Hultquist, chief analyst at Mandiant Intelligence, Google Cloud, told Information Security Media Group.
In December, Black Lotus Labs spotted Volt Typhoon activity. It said hackers had used Netgear ProSafe firewalls from July 2022 through February 2023 to act as relay nodes for networks compromised by the Chinese state hackers.