The Federal Bureau of Investigation (FBI) and the Department of Justice (DOJ) disrupted Volt Typhoon, shutting down a malicious botnet run by the notorious China-sponsored cyber group.
Volt Typhoon has targeted US critical infrastructure organizations in several sectors, including the Department of Energy (DOE), the Environmental Protection Agency (EPA), and the Transportation Security Administration.
The United States is not the only one to have weathered attacks from the group either - Australia’s Cyber Security Centre (ACSC), Canada’s Centre for Cyber Security (CCCS), the United Kingdom’s National Cyber Security Centre (NCSC-UK), and New Zealand’s National Cyber Security Centre (NCSC-NZ) have also warned of cyber incidents at the hands of Volt Typhoon.
In May 2023, Microsoft exposed the group’s espionage operations. They found that Volt Typhoon was active in 2021 and had struck organizations in “the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.” Microsoft suggested that the actors hoped to perform reconnaissance and stay undetected for as long as possible.
A cybersecurity advisory released by CISA, NSA, and the FBI explains that US agencies now believe the actors are focusing on infiltrating the IT networks of critical infrastructure organizations, which raises concerns that larger networks in the United States could be disrupted during geopolitical tensions or military conflicts. The “Five Eyes”, a US, Australian, Canadian, British, and New Zealand intelligence alliance, also participated in the advisory.
The joint cybersecurity advisory explains how Volt Typhoon regularly used a series of steps in its campaigns to invade the IT networks of important systems. Starting with reconnaissance to understand the organization’s cyber protocols, the actors would then exploit vulnerabilities in the IT network to obtain administrator credentials. With valid administrator credentials, Volt Typhoon moved laterally to the domain controller and other devices through remote access. The cyber actors maintained stealth with the use of ‘living off the land’ (LOTL) binaries - tools already native to the victim’s system. They continued until they found even more sensitive information, like the Active Directory database, and the means of disrupting the organization's function.
On January 31, 2024, the FBI and the DOJ disrupted Volt Typhoon by wiping the KV Botnet malware from hundreds of routers. Volt Typhoon had infected hundreds of U.S.-based small office/home office (SOHO) routers with KV Botnet malware. The routers used, mainly from Cisco and NetGear, were vulnerable because they had reached end-of-life and no longer received security patches or software updates from their manufacturers. Even after remediation, those routers remain vulnerable to exploitation - so the FBI “strongly encourages router owners to remove and replace any end-of-life SOHO router currently in their networks.”
In the press release, FBI Deputy Director Paul Abbate said that “[The FBI and their partners] remain committed to thwarting malicious activities of this type and will continue to disrupt and dismantle cyber threats, safeguarding the fabric of our cyber infrastructure.” The FBI and the DOJ have worked together before to disrupt another malware tool, Qakbot, so collaboration - a key theme in the 2023 Department of Defense Cyber Strategy - appears to be an important part of their efforts to fight cybercrime. In fact, the Volt Typhoon disruption may not have happened without the international collaboration that gathered information about the group’s actions in Australia, Canada, the UK, and New Zealand, and the domestic cooperation between federal agencies.
The FBI and DOJ, with international allies, dealt a blow to Volt Typhoon, protecting critical infrastructure. This win underscores the power of proactive defense (learn their tactics, patch your vulnerabilities), global teamwork, and public awareness (outdated routers are easy targets, so be sure to keep yours updated)! While threats evolve, this victory shows united vigilance leads to a safer cyber future.