Chinese Volt Typhoon Hackers Exploiting Cisco & NetGear Routers To Compromise Organizations

The Chinese state-sponsored hacking group known as Volt Typhoon has intensified its campaign against critical infrastructure in multiple countries by exploiting vulnerable, largely end-of-life Cisco and NetGear small-office/home-office (SOHO) routers.

This advanced persistent threat (APT) actor has been conducting widespread espionage and pre-positioning for potential disruptive attacks, particularly focusing on organizations in the United States and allied nations.

Security researchers have observed Volt Typhoon compromising outdated Cisco RV320/325 and NetGear ProSafe routers and turning them into covert relay nodes for its command-and-control traffic, so that victim-facing connections appear to originate from ordinary residential or small-business IP addresses rather than from attacker-controlled servers.


These compromised devices are the building blocks of the group's rebuilt botnet infrastructure.

Cyfirma security analysts note that, despite the FBI-led disruption of Volt Typhoon's "KV Botnet" in December 2023, the group proved resilient and quickly rebuilt its network.

Within 37 days of the takedown, the actor had compromised roughly 30% of the Cisco RV320/325 routers visible on the internet, according to the analysis, giving it a fresh foundation for renewed operations. Because these models no longer receive security updates from the vendor, the only durable fix is to replace them.

The group, also tracked as BRONZE SILHOUETTE (Secureworks), DEV-0391 (Microsoft) and Vanguard Panda (CrowdStrike), targets critical sectors including energy, water, transportation and communications.

Its primary motivation appears to be intelligence gathering, combined with a strategic shift toward pre-positioning inside networks so that disruptive attacks could be launched later if required.

Recent reporting indicates that Volt Typhoon has maintained persistent access to some victim networks for at least five years, underlining both its operational discipline and its long-term strategic objectives.

Its targeting aligns with China's geopolitical interests, with a particular focus on infrastructure that the United States and its allies depend on.

Technical Methods and Exploitation Techniques

The threat actor relies on "living off the land" techniques, executing commands with tools already present on the host, such as PowerShell, Bash, wmic and netsh, and deploying custom malware only where it cannot avoid doing so.

Because these tools are used by legitimate administrators every day, the activity blends in with normal administrative traffic and slips past signature-based detection; spotting it requires looking at how the tools are used (arguments, parent process, timing) rather than at which binaries run.

To obtain and extend access, Volt Typhoon acquires valid credentials through a range of methods, including phishing, credential dumping with tools such as Mimikatz and brute-forcing weak passwords on SOHO routers, and then logs in with those credentials rather than dropping implants.

Once inside a network, the group establishes persistence by creating scheduled tasks on Windows or cron jobs on Linux, and routes its command traffic through the compromised routers, which act as "silent bridges" between the operators and the victim environment.
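The tradecraft described in the two paragraphs above (native tooling, credential dumping, scheduled-task and cron persistence, netsh port forwarding) is visible in process-creation telemetry if you look at command-line arguments rather than binary names. The following detector is an added example written for this article, not code from the article, from Cyfirma or from any vendor report. It runs a small rule set over process-creation records reduced to host, parent process and command line (the shape you would extract from Windows Security event 4688 or Linux auditd execve records). Rule names, hostnames and all sample records are constructed for the demo.

```python
"""Added example: rule-based triage of process-creation records for
living-off-the-land and persistence tradecraft. Sample events, hostnames
and rule names are constructed for this demo and are not real telemetry."""

import base64
import re
from collections import Counter

# Constructed sample records: (host, parent process, command line).
SAMPLE_EVENTS = [
    # NTDS.dit dump launched remotely via WMI (domain credential theft)
    ("srv-ad01", "cmd.exe",
     r'wmic process call create "ntdsutil \"ac i ntds\" \"ifm\" \"create full C:\Windows\Temp\pro\" q q"'),
    # netsh port forward turning a server into a relay for inbound C2
    ("srv-ad01", "cmd.exe",
     r"netsh interface portproxy add v4tov4 listenport=9999 listenaddress=0.0.0.0 "
     r"connectport=8443 connectaddress=10.0.5.20"),
    # hidden, Base64-encoded PowerShell (decodes to "IEX")
    ("ws-042", "explorer.exe", r"powershell.exe -nop -w hidden -enc SQBFAFgA"),
    # scheduled-task persistence running a script from a temp directory
    ("srv-fs02", "cmd.exe",
     r'schtasks /create /sc minute /mo 30 /tn "WinUpdateCheck" /tr "C:\Windows\Temp\svc.bat" /ru SYSTEM'),
    # cron persistence on a Linux gateway: rewrite crontab from stdin
    ("gw-01", "bash", "(crontab -l; echo '*/15 * * * * /tmp/.x/run.sh') | crontab -"),
    # benign activity that must not fire
    ("ws-017", "explorer.exe", r"notepad.exe C:\Users\alice\notes.txt"),
    ("srv-web01", "svchost.exe", r"netsh advfirewall show allprofiles"),
]

# (rule name, regex applied case-insensitively to the command line, severity).
# Each rule keys on arguments, not on the binary alone, because the binaries
# themselves are legitimate administrative tools.
RULES = [
    ("ntds_dump_ntdsutil",     r"\bntdsutil\b.*\b(ifm|ac i ntds)\b", "high"),
    ("wmic_remote_exec",       r"\bwmic\b.*\bprocess\b.*\bcall\b.*\bcreate\b", "high"),
    ("netsh_portproxy",        r"\bnetsh\b.*\binterface\b.*\bportproxy\b.*\badd\b", "high"),
    ("schtasks_persistence",   r"\bschtasks\b.*/create\b", "medium"),
    ("cron_rewrite_from_stdin", r"\bcrontab\s+-(?:\s|$)", "medium"),
    ("powershell_encoded",     r"\bpowershell(\.exe)?\b.*\s-(e|enc|encodedcommand)\b", "medium"),
    ("powershell_hidden",      r"\bpowershell(\.exe)?\b.*\s-w(indowstyle)?\s+hidden\b", "low"),
]


def match_rules(command_line):
    """Return the names of every rule whose pattern matches the command line."""
    return [name for name, pattern, _ in RULES
            if re.search(pattern, command_line, re.IGNORECASE)]


def decode_powershell(command_line):
    """Decode a -enc/-e/-encodedcommand payload (Base64 of UTF-16LE) or return None."""
    m = re.search(r"\s-(?:e|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
                  command_line, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(events):
    """Map host -> list of (severity, rule, command line) for every rule hit."""
    findings = {}
    for host, _parent, cmd in events:
        for rule, pattern, severity in RULES:
            if re.search(pattern, cmd, re.IGNORECASE):
                findings.setdefault(host, []).append((severity, rule, cmd))
    return findings


def severity_counts(findings):
    """Count findings by severity across all hosts."""
    return Counter(sev for hits in findings.values() for sev, _, _ in hits)


if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    for host, hits in results.items():
        for severity, rule, cmd in hits:
            print(f"[{severity:6}] {host:10} {rule:24} {cmd[:70]}")
            decoded = decode_powershell(cmd)
            if decoded:
                print(f"         decoded PowerShell: {decoded!r}")
    print("totals:", dict(severity_counts(results)))
```

The rules deliberately never fire on a bare `netsh` or `powershell` invocation; the portproxy rule needs `interface portproxy add`, and the PowerShell rules need an encoded or hidden-window argument, which keeps the benign `netsh advfirewall show` record silent. In production the same logic would run inside your SIEM over real 4688 or auditd data, with the parent process and the user account added as further scoring inputs.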

From June 2024 the group exploited a then-unpatched vulnerability, CVE-2024-39717, in Versa Director (the management plane for Versa Networks' SD-WAN products), deploying a custom Java web shell called VersaMem that harvests credentials in memory and lets the operators pivot from the compromised service provider into downstream customer networks.

Public reporting has also linked the group to exploitation of other edge-device vulnerabilities, including CVE-2022-42475 (Fortinet FortiOS SSL-VPN) and CVE-2024-21887 and CVE-2023-46805 (Ivanti Connect Secure), which fits its preference for entering through internet-facing network appliances rather than through endpoint malware.


Tushar Subhra Dutta
Tushar is a cybersecurity content editor with a passion for creating engaging and informative content. With years of experience in cybersecurity, he covers cybersecurity news, technology and other news.