Volt Typhoon takes the stage: what we know about “defining threat of our generation”

Some Americans may have been unaware that their Wi-Fi router is a battlefield between Chinese hackers and the FBI and other agencies. After the latest intrusions, security researchers from Unit 42, a security arm of Palo Alto Networks, categorized Volt Typhoon as a top-tier cybergang. What do we know about it?

Last year, Volt Typhoon, also known as Insidious Taurus, Bronze Silhouette, Vanguard Panda, or Dev-0391, was identified by US government agencies and international partners as a People’s Republic of China (PRC) state-sponsored threat actor.

In an updated threat assessment, Unit 42 researchers now rate the group “as a top tier, sophisticated APT” and concur with its attribution to China.

FBI director Christopher Wray called Volt Typhoon “the defining threat of our generation” during a public hearing on January 31st before the US House Select Committee on the Strategic Competition Between the United States and the Chinese Communist Party.

These statements came after a sophisticated cyber operation in which the FBI cyber squad wiped Chinese malware from American Wi-Fi routers. The court-authorized operation disrupted a botnet of hundreds of US-based devices infected with the KV-botnet malware.

Volt Typhoon and other Chinese hackers compromise and lurk in water treatment plants, electrical grids, oil and natural gas pipelines, transportation systems, and other critical infrastructure.

China responded to these allegations with some of their own.

Wang Wenbin, a spokesperson for the Chinese Ministry of Foreign Affairs, said that China firmly opposes the baseless attacks and smears against China by the US and other Five Eyes alliance countries (a reference to the intelligence alliance between the US, Canada, New Zealand, Australia, and the UK).

According to Global Times, a Chinese state-owned outlet, Wang called the US the number one “source of cyber risk and challenges,” and said that if the US truly wants to safeguard cybersecurity, it is welcome to join China’s Global Initiative on Data Security.

This response resembles last year’s reaction when China dismissed alerts about Volt Typhoon, identified in May, as a “collective disinformation campaign.”

Lurking in routers for years

One of the most unusual traits of this group is that it generates as little malicious activity as possible to avoid detection or blocking by protection software. Researchers assess that Volt Typhoon's activity is challenging to detect. That sets its behavior apart from most other cybergangs, which are usually financially motivated and therefore noisier.

“Getting caught at all, let alone quickly, precludes operational success,” Unit 42 writes.

“US authoring agencies have recently observed indications of Volt Typhoon actors maintaining access and footholds within some victim IT environments for at least five years,” the FBI, CISA, and NSA said in an earlier statement.

According to the American cyber defense agency CISA, Volt Typhoon conducts extensive pre-compromise reconnaissance to learn about the target organization’s network architecture and operational protocols. This includes identifying network topologies, security measures, typical user behaviors, and key network and IT staff. Volt Typhoon then uses gathered information to enhance its operational security.

“For example, in some instances, Volt Typhoon actors may have abstained from using compromised credentials outside of normal working hours to avoid triggering security alerts on abnormal account activities,” CISA said.
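The CISA observation above is a detection problem as much as an evasion tactic. The following Python detector, added here as an illustration and not code from the article or from any of the agencies cited, builds a per-account baseline of normal logon hours and source hosts from the first few days of constructed sample events, then flags later logons that break the pattern. It shows why an hour-only rule is silent against an actor who stays inside working hours, and why a second signal (an unfamiliar source host) is worth keeping. Account names, hostnames and the five-day baseline window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logon events (account, timestamp, source host), in time order;
# these are made up for the example and are not from the article.
EVENTS = [
    ("alice", "2024-01-08 08:55", "WS-ALICE"),
    ("alice", "2024-01-08 17:10", "WS-ALICE"),
    ("alice", "2024-01-09 09:02", "WS-ALICE"),
    ("alice", "2024-01-10 09:15", "WS-ALICE"),
    ("alice", "2024-01-11 08:40", "WS-ALICE"),
    ("alice", "2024-01-12 16:30", "WS-ALICE"),
    ("alice", "2024-01-15 03:12", "WS-ALICE"),     # off-hours: an hour-based rule fires
    ("alice", "2024-01-16 10:05", "SOHO-RTR-77"),  # inside working hours, unfamiliar host
]
BASELINE_DAYS = 5  # assumed: learn each account's normal pattern from its first five days

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def build_baseline(events):
    """Per account: first-seen time, (earliest, latest) logon hour, and source hosts seen."""
    first, hours, hosts = {}, {}, defaultdict(set)
    for acct, ts, host in events:
        t = parse(ts)
        first.setdefault(acct, t)
        if (t - first[acct]).days < BASELINE_DAYS:
            lo, hi = hours.get(acct, (t.hour, t.hour))
            hours[acct] = (min(lo, t.hour), max(hi, t.hour))
            hosts[acct].add(host)
    return first, hours, hosts

def detect(events):
    """Return (timestamp, reason) for post-baseline logons that break an account's pattern."""
    first, hours, hosts = build_baseline(events)
    alerts = []
    for acct, ts, host in events:
        t = parse(ts)
        if (t - first[acct]).days < BASELINE_DAYS:
            continue  # baseline period is used for learning, not alerting
        lo, hi = hours[acct]
        if not lo <= t.hour <= hi:
            alerts.append((ts, "off-hours"))
        if host not in hosts[acct]:
            alerts.append((ts, "new-source-host"))
    return alerts

if __name__ == "__main__":
    for ts, reason in detect(EVENTS):
        print(ts, reason)
```

The last sample event is only caught by the source-host check, which is the kind of additional logging signal the advisory's "sufficient logging" recommendation is meant to preserve.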


How does Volt Typhoon hide?

The group takes multiple steps to remain hidden. It uses internet-facing end-of-life equipment, such as small office/home office (SOHO) routers or virtual private network (VPN) devices, either as part of a larger botnet or as an initial access vector.

SOHO routers, owned by households or small businesses, are rarely configured according to best security practices and lack significant security protections. Fighting back is tricky, as older hardware no longer receives firmware updates and remains vulnerable.

Even the routers remediated by the FBI remain vulnerable to future exploitation by Volt Typhoon and other hackers. In a press release, the FBI strongly encouraged router owners “to remove and replace any end-of-life SOHO router currently in their networks.”

While SOHO network devices serve the cyber gang as intermediate infrastructure to obscure their activity, Volt Typhoon also possesses a wide set of techniques, as revealed in two previous joint cybersecurity advisories.

Volt Typhoon abuses legitimate software and network administration tools as a means of hiding their traffic, using a technique known as “living off the land.”

Other techniques include extensive pre-compromise reconnaissance and exploitation of known and zero-day vulnerabilities in public-facing network appliances. Usually, the group focuses on gaining initial access and obtaining administrator credentials in compromised environments.

“Insidious Taurus (Volt Typhoon) remains an ongoing threat, and cyberattacks targeting critical infrastructure warrant special attention,” Unit 42 warns. “They are believed to have the capability to identify and develop their own zero-day exploits while also taking advantage of or publicly disclosing vulnerabilities and exploits.”

Microsoft in 2021 warned that Volt Typhoon pursues development of capabilities that could disrupt critical communications infrastructure “during future crises.”

What can be done?

Unit 42’s recommendations to prepare against a possible Volt Typhoon attack include the following:

  • Hardening the attack surface
  • Securing credentials and accounts
  • Securing and limiting the use of remote access services
  • Implementing network segmentation
  • Securing cloud assets
  • Being prepared through logging, threat modeling, and training.

“We agree with the CSA’s recommendations to focus on a few key areas. This includes mitigation activities such as updating any internet-facing device like SOHO equipment or virtual private networks (VPNs), as threat actors use these devices as part of a botnet or as an initial access vector. These recommendations also include strengthening the use of multi-factor authentication. Finally, it includes prioritizing sufficient logging, which can be especially important for detecting activity within an environment that could be indicative of living off the land techniques. Additional detailed guidance on actions to take can be found in the latest Joint CSA,” Unit 42 assessed.