
China’s Volt Typhoon Rebuilding Botnet

Security researchers say the botnet created by China’s Volt Typhoon re-emerged recently, leveraging the same core infrastructure and techniques. 


The botnet created by the Chinese threat group Volt Typhoon re-emerged recently, with the hackers leveraging the same core infrastructure and techniques, according to cybersecurity ratings company SecurityScorecard.

The existence of Volt Typhoon came to light in May 2023, after Microsoft saw the threat actor, which it linked to the Chinese government, stealing data from critical infrastructure organizations in the US territory of Guam. 

In December 2023, Lumen Technologies’ Black Lotus Labs reported that Volt Typhoon had been using a botnet mostly powered by outdated Cisco, Netgear and Fortinet devices for covert communications and data transfers.

A few weeks later, the US government announced that it had managed to neutralize the Volt Typhoon botnet. The FBI leveraged the botnet’s own C&C mechanism to remotely delete the malware from the routers, and took steps to sever the devices’ connection to the botnet.

The disruption of its botnet did not lead to the disappearance of Volt Typhoon from the threat landscape, and CISA warned that the group had been pre-positioning itself in critical infrastructure networks for disruption or destruction purposes.

In August, Volt Typhoon was caught exploiting a zero-day vulnerability in Versa Director servers used by ISPs and MSPs. The apparent goal was to hijack credentials to break into downstream customers’ networks.

SecurityScorecard noticed the Volt Typhoon botnet’s resurgence in September. Specifically, it saw a cluster named JDYFJ being used to covertly route traffic worldwide.

Ryan Sherstobitoff, SVP of Threat Research and Intelligence at SecurityScorecard, told SecurityWeek that the resurrected botnet is powered by compromised Netgear ProSafe, Cisco RV320/325 and Mikrotik networking devices.


The security firm found that the core infrastructure and techniques used in the previous Volt Typhoon campaigns are being used in the new iteration of the botnet as well.

SecurityScorecard’s analysis found a compromised VPN device located on the small Pacific island of New Caledonia. This system was previously taken down, but researchers saw it being used again to route traffic between the Asia-Pacific and America regions.

“This covert hub enables Volt Typhoon to avoid scrutiny and extends the botnet’s reach,” SecurityScorecard explained. 

Related: US Gov Agency Urges Employees to Limit Phone Use After China ‘Salt Typhoon’ Hack

Related: Five Eyes Agencies Issue New Alert on Chinese APT Volt Typhoon

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
