The botnet created by the Chinese threat group Volt Typhoon re-emerged recently, with the hackers leveraging the same core infrastructure and techniques, according to cybersecurity ratings company SecurityScorecard.
The existence of Volt Typhoon came to light in May 2023, after Microsoft saw the threat actor, which it linked to the Chinese government, stealing data from critical infrastructure organizations in the US territory of Guam.
In December 2023, Lumen Technologies’ Black Lotus Labs reported that Volt Typhoon had been using a botnet mostly powered by outdated Cisco, Netgear and Fortinet devices for covert communications and data transfers.
A few weeks later, the US government announced that it had managed to neutralize the Volt Typhoon botnet. The FBI leveraged the botnet’s own C&C mechanism to remotely delete the malware from the routers, and took steps to sever the devices’ connection to the botnet.
The disruption of its botnet did not lead to the disappearance of Volt Typhoon from the threat landscape, and CISA warned that the group had been pre-positioning itself in critical infrastructure networks for disruption or destruction purposes.
In August, Volt Typhoon was caught exploiting a zero-day vulnerability in Versa Director servers used by ISPs and MSPs. The apparent goal was to hijack credentials to break into downstream customers’ networks.
SecurityScorecard noticed the Volt Typhoon botnet’s resurgence in September. Specifically, it saw a cluster named JDYFJ being used to covertly route traffic worldwide.
Ryan Sherstobitoff, SVP of Threat Research and Intelligence at SecurityScorecard, told SecurityWeek that the resurrected botnet is powered by compromised Netgear ProSafe, Cisco RV320/325 and Mikrotik networking devices.
The security firm found that the core infrastructure and techniques used in the previous Volt Typhoon campaigns are being used in the new iteration of the botnet as well.
SecurityScorecard’s analysis found a compromised VPN device located on the small Pacific island of New Caledonia. This system was previously taken down, but researchers saw it again being used to route traffic between the Asia-Pacific and America regions.
“This covert hub enables Volt Typhoon to avoid scrutiny and extends the botnet’s reach,” SecurityScorecard explained.
Related: US Gov Agency Urges Employees to Limit Phone Use After China ‘Salt Typhoon’ Hack
Related: Five Eyes Agencies Issue New Alert on Chinese APT Volt Typhoon