The US government’s cybersecurity agency CISA is ramping up the pressure on defenders to find and remove malware artifacts planted by Volt Typhoon, a Chinese state-backed hacking group that has burrowed deep into thousands of organizations around the world.
“[We] have confirmed that Volt Typhoon has compromised the IT environments of multiple critical infrastructure organizations in the continental and non-continental United States and its territories, including Guam,” CISA said in an advisory, warning that the hacking team’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations.
The CISA advisory includes detailed technical mitigations to harden attack surfaces and the agency recommends that defenders start hunting for similar malicious activity linked to the Chinese hackers.
The alert takes on added significance because the US government believes the Chinese hackers are “pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions,” also noting that U.S. agencies have recently observed “indications of Volt Typhoon actors maintaining access and footholds within some victim IT environments for at least five years.”
“[We] are concerned about the potential for these actors to use their network access for disruptive effects in the event of potential geopolitical tensions and/or military conflicts,” it added.
The latest urgency comes on the heels of a move by the US Justice Department to disrupt and disable a botnet full of end-of-life Cisco and Netgear routers after researchers warned it was being used by Volt Typhoon as a covert communications channel.
“This report provides insight into what the actor is doing inside those critical infrastructure networks,” John Hultquist, Chief Analyst, Mandiant Intelligence – Google Cloud, told SecurityWeek. “Specifically, Volt Typhoon is gathering information on, and even penetrating, operational technology systems – the highly sensitive systems that run the physical processes at the heart of critical infrastructure. Under the right conditions, OT systems could be manipulated to cause major shutdowns of essential services, or even to create dangerous conditions.”
Last December, researchers warned that the router botnet was packed with outdated Cisco, Netgear and Fortinet devices acting as a Tor-like covert data transfer network to perform malicious operations.