China’s Volt Typhoon rebuilds botnet in wake of takedown

The Chinese state threat actor most famously known as Volt Typhoon is staging a significant comeback after its botnet infrastructure was disrupted in a US-led takedown at the beginning of February 2024.

Volt Typhoon’s malicious botnet comprised hundreds of Cisco and Netgear small and home office (SOHO) routers that had reached end-of-life (EOL) status and thus were no longer receiving security updates.

The threat actor infected these devices with KV Botnet malware and used them to obfuscate the origins of follow-on hacks targeting critical national infrastructure (CNI) operations in the US and elsewhere.

Now, nine months on, threat analysts from SecurityScorecard say that they have observed signs that Volt Typhoon is not only back in business, but is “more sophisticated and determined than ever”.

SecurityScorecard’s Strike team has been poring over millions of data points collected from the organisation’s wider risk management infrastructure, and has determined that it is now adapting and digging in after licking its wounds in the wake of the takedown.

“The Strike Team’s discoveries highlight the expanding threat posed by Volt Typhoon. As the botnet spreads and its tactics deepen, governments and corporations must urgently address weaknesses in legacy systems, public cloud infrastructures, and third-party networks,” said SecurityScorecard senior vice-president of threat research and intelligence, Ryan Sherstobitoff.

“Volt Typhoon is both a resilient botnet and a warning. Without decisive action, this silent threat could trigger a critical infrastructure crisis driven by vulnerabilities left unresolved.”

In recent months Volt Typhoon has stood up new command servers using hosting services such as Digital Ocean, Quadranet and Vultr, and registered fresh SSL certificates to evade the authorities.

The group has continued to exploit legacy vulnerabilities in Cisco RV320/325 and Netgear ProSafe routers. Sherstobitoff revealed that the operation was able to compromise 30% of the world’s visible Cisco RV320/325s in the space of just one month.

“The Strike Team’s deep investigation has exposed Volt Typhoon’s complex network built on compromised SOHO and EOL devices. This group has weaponised outdated routers on a global scale, weaving layers of obfuscation that mask their presence and make detection exceptionally difficult,” said Sherstobitoff.

“These compromised routers act as digital chameleons, facilitating the covert movement of data while mimicking normal network traffic. Analysts have identified MIPS-based malware on these devices, similar to Mirai, engineered to establish covert connections and communicate via port forwarding over 8443. This method keeps Volt Typhoon’s command operations off the radar, even for seasoned cyber security teams.

“Webshells, such as fy.sh, are strategically implanted in routers, allowing Volt Typhoon to maintain persistent access and secure remote control. The attack doesn’t just hide – it integrates seamlessly into routine network operations. The result? A resilient foothold, particularly within governmental and critical infrastructure sectors, that camouflages malicious activities and complicates any clean-up efforts,” he said.

As of September 2024, its new botnet cluster was observed routing traffic worldwide, much of it transiting through a compromised virtual private network (VPN) device which is acting as a silent bridge between Asia-Pacific and the US.

This device is determined to be located somewhere in New Caledonia, a French island in the South Pacific Ocean, about 750 miles northwest of Queensland, Australia. By placing its hub in a location considered to be part of France – though New Caledonia’s legal status as a sui generis overseas territory is both complex and controversial – Volt Typhoon may be able to avoid additional scrutiny and extend the reach of its botnet even further.

Sherstobitoff warned that CNI operators still presented an attractive target for Chinese state-sponsored attackers thanks to their essential role in economic stability, while the sector’s lingering dependence on legacy technology is creating a “perfect storm” for disruption.

He added that many third-party tech suppliers themselves lack robust defences, offering advanced persistent threat (APT) actors such as Volt Typhoon easy entry points.