What is Volt Typhoon?

Feb. 1, 2024

The United States government recently shut down a major China-backed hacking group dubbed "Volt Typhoon" that attacked hundreds of routers and had been working to compromise U.S. cyber infrastructure.

About Volt Typhoon:

  • It is a state-sponsored hacking group based in China that has been active since at least 2021. 
  • The group typically focuses on espionage and information gathering.
  • It has targeted critical infrastructure organisations in the US, including Guam. 
  • To achieve their objective, the threat actor puts a strong emphasis on stealth, relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity.
  • Volt Typhoon's recurring attack pattern begins with initial access via exploitation of public-facing devices or services.
  • Volt Typhoon employs the comparatively uncommon practice of leveraging preinstalled utilities for most of their victim interactions.
  • Compromised small office/home office (SOHO) devices are used by the attackers to proxy communications to and from the affected networks.
  • They issue commands via the command line to (1) collect data, including credentials from local and network systems; (2) put the data into an archive file to stage it for exfiltration; and then (3) use the stolen valid credentials to maintain persistence.
  • Volt Typhoon was a particularly quiet operator that hid its traffic by routing it through hacked network equipment, like home routers, and carefully expunging evidence of intrusions from the victim’s logs.
  • This combination of behaviours makes detection especially difficult, as defenders must be able to differentiate between attacker activities and those of power users or administrative staff.
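
One way to approach that differentiation is to alert on the collect-then-archive sequence rather than on any single command, since each command alone is routine administrative work. The following Python is an added example, not part of the original article; the utility names in the patterns, the 30-minute window and the sample events are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumed stage patterns (not from the article): names of built-in Windows
# utilities chosen to illustrate "collect" and "archive". Tune per environment.
STAGES = {
    "collect": re.compile(r"ntdsutil|\breg(\.exe)?\s+save\b", re.I),
    "archive": re.compile(r"makecab|compress-archive|\btar(\.exe)?\s+-\w*c", re.I),
}

def stage_of(cmd):
    """Map a command line to the stage it matches, or None."""
    return next((s for s, p in STAGES.items() if p.search(cmd)), None)

def find_staging_sequences(events, window=timedelta(minutes=30)):
    """Return (host, user, collect_ts, archive_ts) for each archive command
    that follows a collection command by the same user on the same host
    within `window`. Either command alone is treated as routine admin work."""
    last_collect, hits = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key, stage = (ev["host"], ev["user"]), stage_of(ev["cmd"])
        if stage == "collect":
            last_collect[key] = ev["ts"]
        elif stage == "archive" and key in last_collect:
            if ev["ts"] - last_collect[key] <= window:
                hits.append((*key, last_collect[key], ev["ts"]))
    return hits

def _ev(host, user, hhmm, cmd):
    h, m = map(int, hhmm.split(":"))
    return {"host": host, "user": user, "ts": datetime(2024, 1, 15, h, m), "cmd": cmd}

# Constructed process-creation events; arguments are placeholders.
SAMPLE_EVENTS = [
    _ev("ws01", "svc_backup", "02:00", "tar.exe -cf <backup.tar> <dir>"),   # archive only
    _ev("dc01", "admin_a", "09:12", "reg.exe query <key>"),                  # no stage
    _ev("dc02", "jdoe", "03:10", "ntdsutil.exe <args>"),                     # collect
    _ev("dc02", "jdoe", "03:14", "makecab.exe <in> <out.cab>"),              # archive, 4 min later
    _ev("srv03", "admin_b", "08:00", "reg.exe save <hive> <file>"),          # collect
    _ev("srv03", "admin_b", "13:00", "powershell Compress-Archive <args>"),  # archive, 5 h later
]

if __name__ == "__main__":
    for host, user, t0, t1 in find_staging_sequences(SAMPLE_EVENTS):
        print(f"{host} {user}: collect {t0:%H:%M} -> archive {t1:%H:%M}")
```

Because the group is described as expunging evidence from victim logs, this kind of correlation is only reliable when process-creation events are forwarded off the host as they are generated.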