Connect with us

Hi, what are you looking for?


Malware & Threats

US Says China’s Volt Typhoon Hackers ‘Pre-Positioning’ for Cyberattacks Against Critical Infrastructure

New CISA alert includes technical mitigations to harden attack surfaces and instructions to hunt for the Chinese government-backed hackers.

Chinese cyber threats

The US government’s cybersecurity agency CISA is ramping up the pressure on defenders to find and remove malware artifacts planted by Volt Typhoon, a Chinese state-backed hacking group that has burrowed deep into thousands of organizations around the world.

“[We] have confirmed that Volt Typhoon has compromised the IT environments of multiple critical infrastructure organizations in the continental and non-continental United States and its territories, including Guam,” CISA said in an advisory, warning that the hacking team’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations.

The CISA advisory includes detailed technical mitigations to harden attack surfaces and the agency recommends that defenders start hunting for similar malicious activity linked to the Chinese hackers.

The alert takes on added significance because the US government believes the Chinese hackers are “pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions,” also noting that U.S. agencies have recently observed “indications of Volt Typhoon actors maintaining access and footholds within some victim IT environments for at least five years.”

“[We] are concerned about the potential for these actors to use their network access for disruptive effects in the event of potential geopolitical tensions and/or military conflicts,” it added.

The latest urgency comes on the heels of a move by the US Justice Department to disrupt and disable a botnet full of end-of-life Cisco and Netgear routers after researchers warned it was being used by Volt Typhoon as a covert communications channel.

“This report provides insight into what the actor is doing inside those critical infrastructure networks,” John Hultquist, Chief Analyst, Mandiant Intelligence – Google Cloud, told SecurityWeek. “Specifically, Volt Typhoon is gathering information on, and even penetrating, operational technology systems – the highly sensitive systems that run the physical processes at the heart of critical infrastructure. Under the right conditions, OT systems could be manipulated to cause major shutdowns of essential services, or even to create dangerous conditions.”

Last December, researchers warned that the router botnet was packed with outdated Cisco, Netgear and Fortinet devices acting as a Tor-like covert data transfer network to perform malicious operations.

Advertisement. Scroll to continue reading.

Related: Chinese APT Volt Typhoon Linked to Unkillable SOHO Router Botnet 

Related: Mandiant Raises Alarm for ‘Volt Typhoon’ Hacking Group

Related: Microsoft Catches Chinese .Gov Hackers in US Critical Infrastructure

Related: Fortinet Warns of Possible Zero-Day Exploited in Limited Attacks 

Related: AWS Using MadPot Decoy System to Disrupt APTs, Botnets

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


Ask any three people to define cyberwar and you will get three different answers. But as global geopolitics worsen and aggressive cyberattacks increase, this...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.