Resurgence of China’s Volt Typhoon Botnet: A Persistent Cybersecurity Threat

November 13, 2024

Researchers at SecurityScorecard have identified the resurgence of the Volt Typhoon botnet, a cyber threat linked to China. In May 2023, Microsoft disclosed that this Advanced Persistent Threat (APT) had infiltrated critical infrastructure organizations in the U.S. and Guam, remaining undetected for an extended period. The group's primary aim was to disrupt critical communication infrastructure between the U.S. and Asia in the event of future crises.

The Volt Typhoon group has been active since mid-2021, launching cyber operations against vital infrastructure. The group's recent campaign targeted several sectors, including communications, manufacturing, utilities, transportation, construction, maritime, government, IT, and education. The APT group relies primarily on living-off-the-land techniques and hands-on-keyboard activity to evade detection. Microsoft observed that the group routes its malicious traffic through compromised small office and home office (SOHO) network devices, such as routers, firewalls, and VPN hardware, to hide its activities.

In December 2023, Lumen Technologies' Black Lotus Labs linked a SOHO router botnet, dubbed KV-Botnet, to Volt Typhoon's operations. This botnet, active since February 2022, targets devices at the network edge and consists largely of end-of-life SOHO networking products. The researchers observed several Cisco RV320s, DrayTek Vigor routers, and NETGEAR ProSAFEs as part of the botnet in early July and August 2022. By November 2022, most botnet devices were ProSAFE devices, with a smaller number of DrayTek routers.

In November 2023, the botnet began targeting Axis IP cameras, such as the M1045-LW, M1065-LW, and P1367-E. Despite U.S. government efforts to neutralize the Volt Typhoon botnet by taking over its Command and Control (C2) infrastructure and deleting the bot from infected devices, the group remains active. The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) warned in February that the group had been positioning itself within critical infrastructure networks, likely in preparation for disruption or sabotage.

In August 2023, Volt Typhoon exploited a zero-day vulnerability, tracked as CVE-2024-39717, in Versa Director to deploy a custom webshell on breached networks. This sophisticated web shell, named VersaMem, is designed specifically for Versa Director systems. Built with Apache Maven, it attaches itself to the Apache Tomcat process when executed. Using the Java Instrumentation API and the Javassist toolkit, it modifies Java code in memory to avoid detection. It supports capturing plaintext user credentials and dynamically loading further Java classes in memory.
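Because VersaMem does its work by attaching to the Tomcat JVM and rewriting classes in memory, a defender's first question is whether a JVM has instrumentation hooks it was not deployed with. The script below is an added example, not code from the article or from SecurityScorecard: it parses constructed `ps -eo pid,args` output for Java processes whose `-javaagent`/`-agentpath`/`-agentlib` flags point at jars outside a hypothetical allow-list (or into scratch directories), flags JVMs started with `-XX:+EnableDynamicAgentLoading`, and checks a temp-directory listing for HotSpot's `.java_pid<pid>` attach-listener socket, which appears once something has used the attach API against that JVM. The process list, PIDs, paths and allow-list are all invented for the example.

```python
import re

# Constructed sample of `ps -eo pid,args` output; the paths and PIDs are
# invented for this example and are not from any real incident.
SAMPLE_PS = """\
  PID ARGS
 1201 /usr/lib/jvm/java-11/bin/java -javaagent:/opt/monitoring/apm-agent.jar -classpath /opt/tomcat/bin/bootstrap.jar org.apache.catalina.startup.Bootstrap start
 1342 /usr/lib/jvm/java-11/bin/java -javaagent:/tmp/.cache/x.jar -classpath /opt/tomcat/bin/bootstrap.jar org.apache.catalina.startup.Bootstrap start
 1500 /usr/lib/jvm/java-11/bin/java -XX:+EnableDynamicAgentLoading -classpath /opt/tomcat/bin/bootstrap.jar org.apache.catalina.startup.Bootstrap start
 1777 /usr/bin/python3 /usr/local/bin/collector.py
"""

# Hypothetical allow-list: agent jars the operator deploys on purpose.
ALLOWED_AGENTS = {"/opt/monitoring/apm-agent.jar"}

# Directories where a legitimately deployed agent jar has no business living.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# JVM flags that load an instrumentation agent at startup.
AGENT_FLAG = re.compile(r"-(?:javaagent|agentpath|agentlib):([^\s=]+)")


def parse_ps(text):
    """Turn `ps -eo pid,args` output into (pid, args) tuples, skipping the header."""
    procs = []
    for line in text.splitlines()[1:]:
        line = line.strip()
        if not line:
            continue
        pid, _, args = line.partition(" ")
        procs.append((int(pid), args))
    return procs


def is_java(args):
    """True when the process executable is a `java` launcher."""
    exe = args.split()[0]
    return exe == "java" or exe.endswith("/java")


def find_suspicious_agents(text, allowed=ALLOWED_AGENTS):
    """Return (pid, reason, detail) for JVMs with unexpected instrumentation settings."""
    findings = []
    for pid, args in parse_ps(text):
        if not is_java(args):
            continue
        for path in AGENT_FLAG.findall(args):
            if path not in allowed:
                if path.startswith(SCRATCH_DIRS):
                    reason = "agent loaded from scratch directory"
                else:
                    reason = "agent not in allow-list"
                findings.append((pid, reason, path))
        if "-XX:+EnableDynamicAgentLoading" in args.split():
            findings.append((pid, "dynamic agent loading explicitly enabled", ""))
    return findings


def find_attach_sockets(tmp_entries, java_pids):
    """HotSpot creates a Unix socket named .java_pid<pid> in the temp directory
    once its attach listener starts, i.e. after something used the attach API
    against that JVM. Return the Java PIDs that have one; a lead, not proof."""
    hits = []
    for name in tmp_entries:
        m = re.fullmatch(r"\.java_pid(\d+)", name)
        if m and int(m.group(1)) in java_pids:
            hits.append(int(m.group(1)))
    return sorted(hits)


if __name__ == "__main__":
    for finding in find_suspicious_agents(SAMPLE_PS):
        print("agent finding:", finding)
    java_pids = {pid for pid, args in parse_ps(SAMPLE_PS) if is_java(args)}
    # Constructed directory listing standing in for os.listdir("/tmp").
    listing = [".java_pid1342", ".java_pid4242", "hsperfdata_tomcat"]
    print("attach sockets on Java PIDs:", find_attach_sockets(listing, java_pids))
```

On a live host the same functions would be fed `subprocess.run(["ps", "-eo", "pid,args"])` output and `os.listdir(tempfile.gettempdir())`. A `.java_pid` socket is also created by ordinary `jcmd` or `jstack` use, so treat it as a trigger to pull the JVM's loaded-class list for review rather than as a verdict on its own.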

Now, SecurityScorecard has raised alarms that the botnet is back. It comprises compromised Netgear ProSafe, Cisco RV320/325, and Mikrotik networking devices. A compromised VPN device in New Caledonia, previously taken down, was observed routing traffic between Asia-Pacific and America again. Volt Typhoon does not use ransomware, but its ecosystem benefits from Ransomware-as-a-Service (RaaS), where ransom payments fund advanced tools, escalating attack risks, especially through third-party and cloud dependencies.
