China's Volt Typhoon crew and its botnet surge back with a vengeance

Ohm, for flux sake


China's Volt Typhoon crew and its botnet are back, compromising old Cisco routers once again to break into critical infrastructure networks and kick off cyberattacks, according to security researchers.

The alert comes nearly ten months after the Feds claimed a victory against the Chinese government-linked miscreants, when the FBI infiltrated the operation and then remotely wiped the botnet.

At the time, the US Justice Department warned that Volt Typhoon had infected "hundreds" of outdated Cisco and Netgear boxes with malware so that the devices could be used to break into US energy, water, and other vital facilities. Plus, the crew had been targeting American critical organizations as far back as 2021.

Just last week, news reports emerged that the same cyber espionage crew had breached Singapore Telecommunications over the summer as a "test run by China for further hacks against US telecommunications companies."

"Once thought dismantled, Volt Typhoon has returned, more sophisticated and determined than ever," declared Ryan Sherstobitoff, SVP of threat research and intelligence at SecurityScorecard. 

In a Tuesday report, Sherstobitoff revealed that the security shop's Threat Research, Intelligence, Knowledge, and Engagement (STRIKE) Team had spotted Volt Typhoon exploiting outdated Cisco RV320/325 routers and Netgear ProSafe routers. 

"These end-of-life devices become perfect entry points, and in just 37 days, Volt Typhoon compromised 30 percent of visible Cisco RV320/325 routers," Sherstobitoff wrote.

When asked about specific vulnerabilities being abused, Sherstobitoff told The Register: "There are no clear CVEs that Volt is exploiting in current Cisco devices."

But, he added, because the routers are end-of-life, the vendor no longer issues security updates. "This leads to increased exploitation of existing ones," Sherstobitoff warned.

Since the disruption and subsequent rebuilding of the botnet, the threat hunters have seen "a few dozen" compromised devices, he told us. However, he noted, "we have observed changes in command and control servers being deployed into other network providers."

The FBI declined to comment on Volt Typhoon's reported resurgence, and the US government's Cybersecurity and Infrastructure Security Agency did not immediately respond to The Register's inquiries.

Volt Typhoon's attack timeline

The Chinese crew's botnet first came to light in 2023, after Microsoft and intelligence agencies from the Five Eyes nations disclosed that Volt Typhoon had accessed networks belonging to US critical infrastructure organizations.

The spy gang, we're told, had built a botnet from Cisco and Netgear routers identified by a self-signed SSL certificate named JDYFJ. This botnet, according to SecurityScorecard, used command-and-control (C2) infrastructure in the Netherlands, Latvia, and Germany to disguise its malicious traffic.
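
For defenders who want to check their own router estate for the JDYFJ indicator mentioned above, here is an added example (not code from the article or SecurityScorecard). It takes the text printed by `openssl x509 -noout -subject -issuer` for each device (collected separately, e.g. by piping `openssl s_client -connect HOST:443` into it), and assumes that a certificate "named JDYFJ" means its subject common name is JDYFJ; host names and outputs in the sample are constructed.

```python
import re
from typing import Dict, List, Tuple

# Certificate name reported in the article; assumed to be the subject CN.
INDICATOR_CN = "JDYFJ"

# Matches both 'CN = x, O = y' (OpenSSL 1.1+) and '/CN=x/O=y' (older) name forms.
_ATTR = re.compile(r"(?:^|[/,])\s*([A-Za-z]+)\s*=\s*([^/,]*)")

def parse_name(line: str) -> Dict[str, str]:
    """Turn a 'subject=...' or 'issuer=...' line into {attribute: value}."""
    _, _, body = line.partition("=")
    return {k: v.strip() for k, v in _ATTR.findall(body)}

def parse_cert_text(text: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Read the subject and issuer lines that openssl x509 prints."""
    subject, issuer = {}, {}
    for line in text.splitlines():
        if line.startswith("subject="):
            subject = parse_name(line)
        elif line.startswith("issuer="):
            issuer = parse_name(line)
    return subject, issuer

def classify(text: str) -> str:
    """'indicator': self-signed with CN JDYFJ; 'self-signed': merely self-signed
    (worth a look on an end-of-life router); 'ok': CA-issued; 'no-cert': unparsed."""
    subject, issuer = parse_cert_text(text)
    if not subject:
        return "no-cert"
    if subject != issuer:  # issuer differs from subject: not self-signed
        return "ok"
    return "indicator" if subject.get("CN") == INDICATOR_CN else "self-signed"

def triage(results: Dict[str, str]) -> List[Tuple[str, str]]:
    """host -> openssl output; returns (host, verdict) for everything not 'ok'."""
    verdicts = [(host, classify(text)) for host, text in results.items()]
    return [(h, v) for h, v in verdicts if v != "ok"]

# Constructed sample openssl output, not real observations.
SAMPLE = {
    "rv320-branch": "subject=CN = JDYFJ\nissuer=CN = JDYFJ\n",
    "prosafe-lab": "subject= /CN=JDYFJ\nissuer= /CN=JDYFJ\n",  # older OpenSSL format
    "edge-fw": "subject=CN = edge.example.net, O = Example\n"
               "issuer=CN = Example CA, O = Example\n",
    "old-ap": "subject=CN = 192.168.1.1\nissuer=CN = 192.168.1.1\n",
}
```

A self-signed certificate on its own is common on consumer and SMB routers, so only the "indicator" verdict is a Volt Typhoon signal; the "self-signed" list is a prompt to confirm the device is still supported and patched.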

By October 2023, Volt Typhoon had taken up occupancy, rent-free, on a compromised VPN device in New Caledonia. This created "a covert bridge between Asia-Pacific and the Americas" that kept "their network alive, hidden from standard detection," Sherstobitoff wrote. 

In January 2024, the FBI-led effort disrupted some of Volt Typhoon's infrastructure. However, in the Tuesday report, Sherstobitoff explains the Chinese spies rapidly set up new C2 servers on Digital Ocean, Quadranet, and Vultr and also registered fresh SSL certificates to avoid the prying eyes of law enforcement.

As of September, "the botnet persists," he wrote. It uses the JDYFJ cluster to route traffic globally. "Connections from New Caledonia and router nodes remain active for over a month, reinforcing Volt Typhoon's infrastructure."

Chinese government-linked attacks on the rise

This report comes as government officials and private security firms alike have noted an uptick in Chinese cyber spy activity on US and global networks.

Last week, Bloomberg said Volt Typhoon had broken into Singtel's networks before being spotted in June, and had used a web shell in that security breach.

In August, Lumen Technologies' Black Lotus Labs warned that Volt Typhoon had abused a Versa SD-WAN vulnerability CVE-2024-39717 to plant custom, credential-harvesting web shells on customers' networks.

Then, in September, another Chinese-government-backed group dubbed Salt Typhoon was accused of breaking into US telecom providers' infrastructure. These intrusions came to light in October, with the spies reportedly breaching Verizon, AT&T, and Lumen Technologies.

Also in September, the FBI revealed that international cops disrupted a 260,000-device botnet controlled by a different Beijing-linked goon squad: Flax Typhoon.

This group had been building the Mirai-based botnet since 2021 and targeted US critical infrastructure, government, and academics.
