Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

China-Linked Volt Typhoon Hackers Possibly Targeting Australian, UK Governments

Chinese APT Volt Typhoon appears engaged in new attacks against government entities in the US, UK, and Australia.

Chinese cyber threats

Chinese state-sponsored hackers are targeting old vulnerabilities in Cisco routers in new attacks apparently aimed at government entities in the US, UK, and Australia, cybersecurity firm SecurityScorecard reports.

As part of the observed attacks, the adversaries exploited CVE-2019-1653 and CVE-2019-1652, two critical-severity bugs in discontinued Cisco small business RV320/325 VPN routers, which have been targeted by Chinese hackers before and are also featured in CISA’s KEV catalog.

According to SecurityScorecard, the China-linked advanced persistent threat (APT) actor Volt Typhoon likely compromised one-third of the vulnerable devices observed by the company.

Specifically, over a 37-day period, 325 out of 1,116 devices were seen connecting to two IP addresses used as proxy routers for command-and-control (C&C) communication, suggesting that they might be part of the same Volt Typhoon-linked botnet of compromised devices.

In fact, Volt Typhoon is known to target small office and home office (SOHO) routers from Cisco and DrayTek and other edge devices, including Netgear firewalls and Axis IP cameras, and use them to covertly transfer data.

Using the indicators of compromise (IoCs) provided in a recent Black Lotus Labs report on Volt Typhoon, SecurityScorecard was able to track a shift in infrastructure usage between late-November 2023 and early January 2024, and to discover a new shell file that infected devices would fetch and execute.

In an extensive technical writeup, the cybersecurity firm says it was able to identify two other IP addresses associated with previously detailed Volt Typhoon-linked C&C infrastructure, by monitoring the traffic from the IP where an APT-compromised Cisco RV325 router is known to be located.

Given that this compromised device is in New Caledonia, the cybersecurity firm believes that it serves as a transit point for Volt Typhoon-related traffic. SecurityScorecard also speculates that the compromise might position the APT in a suitable position to target global communications.

Advertisement. Scroll to continue reading.

“The available analysis of Volt Typhoon has highlighted its targeting of communications between APAC and the Americas – its intrusions into the networks of telecommunications providers and other critical infrastructure in Guam attracted particular attention in previous reporting–so its exploitation of telecommunications infrastructure on another Pacific island may be in keeping with this previous behavior,” the cybersecurity firm says.

Further analysis of the traffic between known Volt Typhoon infrastructure and likely compromised devices led SecurityScorecard to the conclusion that the APT may operate a much more extensive botnet than previously believed.

Further inspection of the traffic showed connections to the group’s infrastructure from 27 IP addresses hosting 69 US, UK, Australian, and Indian government sites, suggesting expanded targeting from Volt Typhoon.

“While public reporting on Volt Typhoon has not previously noted its targeting of Australian or UK government assets in addition to US ones, such activity would be in keeping with PRC nation-state cyber activity more generally, as these countries’ roles in the Western alliance system (including their Five Eyes and AUKUS membership) have contributed to their frequent targeting by China-linked APT group,” SecurityScorecard says.

Related: Microsoft Catches Chinese .Gov Hackers Targeting US Critical Infrastructure

Related: 22 Energy Firms Hacked in Largest Coordinated Attack on Denmark’s Critical Infrastructure

Related: Chinese APT Was Prepared for Remediation Efforts in Barracuda ESG Zero-Day Attack

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cyberwarfare

Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Cyberwarfare

Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.

Cybercrime

On the first anniversary of Russia’s invasion of Ukraine, cybersecurity companies summarize the cyber operations they have seen and their impact.

Cyberwarfare

The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet