
China’s Volt Typhoon Rebuilding Botnet

Security researchers say the botnet created by China’s Volt Typhoon re-emerged recently, leveraging the same core infrastructure and techniques. 


The botnet created by the Chinese threat group Volt Typhoon re-emerged recently, with the hackers leveraging the same core infrastructure and techniques, according to cybersecurity ratings company SecurityScorecard.

The existence of Volt Typhoon came to light in May 2023, after Microsoft saw the threat actor, which it linked to the Chinese government, stealing data from critical infrastructure organizations in the US territory of Guam. 

In December 2023, Lumen Technologies’ Black Lotus Labs reported that Volt Typhoon had been using a botnet mostly powered by outdated Cisco, Netgear and Fortinet devices for covert communications and data transfers.

A few weeks later, the US government announced that it had managed to neutralize the Volt Typhoon botnet. The FBI leveraged the botnet’s own C&C mechanism to remotely delete the malware from the routers, and took steps to sever the devices’ connection to the botnet.

The disruption of its botnet did not lead to the disappearance of Volt Typhoon from the threat landscape, and CISA warned that the group had been pre-positioning itself in critical infrastructure networks for disruption or destruction purposes.

In August, Volt Typhoon was caught exploiting a zero-day vulnerability in Versa Director servers used by ISPs and MSPs. The apparent goal was to hijack credentials to break into downstream customers’ networks.

SecurityScorecard noticed the Volt Typhoon botnet’s resurgence in September. Specifically, it saw a cluster named JDYFJ being used to covertly route traffic worldwide.

Ryan Sherstobitoff, SVP of Threat Research and Intelligence at SecurityScorecard, told SecurityWeek that the resurrected botnet is powered by compromised Netgear ProSafe, Cisco RV320/325 and MikroTik networking devices.


The security firm found that the core infrastructure and techniques used in the previous Volt Typhoon campaigns are being used in the new iteration of the botnet as well.

SecurityScorecard’s analysis found a compromised VPN device located on the small Pacific island of New Caledonia. This system had previously been taken down, but researchers saw it again being used to route traffic between the Asia-Pacific region and the Americas.

“This covert hub enables Volt Typhoon to avoid scrutiny and extends the botnet’s reach,” SecurityScorecard explained. 

Related: US Gov Agency Urges Employees to Limit Phone Use After China ‘Salt Typhoon’ Hack

Related: Five Eyes Agencies Issue New Alert on Chinese APT Volt Typhoon

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
