Recent Developments in the Activities of Hacking Group Volt Typhoon

In the past 48 hours, there have been significant developments in the activities of the hacking group known as Volt Typhoon. This China-linked threat group, which has been active since at least 2021, has been a cause of concern for the United States and its allies due to its focus on targeting critical infrastructure and government organizations. This report aims to provide an overview of the recent events surrounding Volt Typhoon and its impact on cybersecurity.

1. Background

Volt Typhoon is a state-sponsored hacking group believed to be based in China. The group has been active since at least 2021 and is known for its focus on espionage and information gathering. Their primary targets include government entities, military-industrial complexes, and critical infrastructure organizations.

2. Recent Activities

In the past 48 hours, there have been several notable developments related to Volt Typhoon:

a. IOC Detection

According to recent IOC detection, Volt Typhoon has been associated with multiple hash values, including "4ba6b043313c8d163f2ab7c4505c8b9b8cd68061" and "670545a24a2ce2ac7a0e863790bfe2e1." These hashes have a confidence level of 90% and were last seen on January 29, 2024.

b. Targeting Critical Infrastructure

Volt Typhoon continues to target critical infrastructure organizations, including those in the United States and Guam. Their emphasis on stealth operations using web shells, stolen credentials, and living-off-the-land techniques remains consistent with their previous activities.

c. KV-Botnet

Recent reports indicate that Volt Typhoon has been utilizing the KV-Botnet, a network of compromised SOHO routers, to obfuscate their origins and anonymize their activities. The botnet, which includes devices from Cisco, DrayTek, Fortinet, and NETGEAR, serves as a covert data transfer network for the group.

3. Law Enforcement Actions

In response to the threat posed by Volt Typhoon, law enforcement agencies have taken significant steps to disrupt their operations:

a. Neutralizing the KV-Botnet

The U.S. government, in collaboration with international partners, has successfully neutralized the KV-Botnet. This botnet, which was hijacked by Volt Typhoon, comprised hundreds of U.S.-based small office and home office (SOHO) routers. The operation involved remotely issuing commands to delete the KV-botnet payload and severing the routers' connection to the botnet.

b. Temporary Mitigation Measures

While the operation has temporarily disrupted the botnet, it is important to note that the mitigation measures employed are temporary and cannot survive a reboot. Restarting the routers without implementing similar mitigation steps would render them susceptible to re-infection.

4. Recommendations

Based on the recent developments, the following recommendations are provided for SOC analysts:

a. Stay Vigilant

Continue monitoring network traffic for any indicators of compromise associated with Volt Typhoon, such as the identified hash values. Regularly update threat intelligence feeds to stay informed about the group's TTPs.

b. Patch and Replace Vulnerable Routers

Advise router owners to patch and replace any end-of-life SOHO routers currently in their networks. These routers remain vulnerable to future exploitation by Volt Typhoon and other threat actors.

c. Report Incidents

Encourage individuals who believe they have compromised routers or have witnessed suspicious activities related to Volt Typhoon to report incidents to the FBI's Internet Crime Complaint Center (IC3) or the national cybersecurity body, CISA.

Conclusion

Volt Typhoon remains an active and persistent threat, with recent developments highlighting their continued focus on critical infrastructure and their utilization of the KV-Botnet. The successful neutralization of the botnet by law enforcement agencies demonstrates the ongoing efforts to disrupt the group's operations. SOC analysts should remain vigilant and take necessary precautions to protect their networks from Volt Typhoon's activities.

Cybersixgill users can find the complete tables of Indicators of Compromise (IOCs) detected for Volt Typhoon at the following link:
https://portal.cybersixgill.com/#/entityNavigator?entityName=volttyphoon&entitySearchType=allEntities&entityType=apt