Volt Typhoon Revisit: China-Based Hacking Group Threatens Critical Infrastructure

The digital age has ushered in unprecedented opportunities for innovation and connectivity, but it has also given rise to a new breed of threats, particularly in cybersecurity.

One such threat is posed by the China-based hacking group known as Volt Typhoon, which has been actively targeting network systems and credential access in Guam and other US territories.

Their activities have recently come to light, prompting concerns over espionage, data theft, and potential disruptions to critical infrastructure.

In this article, we’ll revisit the details of Volt Typhoon’s operations, the industries they target, and the measures taken by multinational cybersecurity agencies to counter this menace.

Volt Typhoon’s Espionage and Information-Gathering Activities

Volt Typhoon is a highly sophisticated hacking group with a specific focus on espionage and gathering sensitive information.

Microsoft, in its report, highlighted that the group is particularly adept at maintaining unauthorized access to targeted networks “without being detected for as long as possible.”

This level of stealth is a cause for significant concern, as it indicates their ability to operate undetected within compromised networks for extended periods.

From @WSJopinion: Western intelligence agencies and Microsoft Corp. disclosed that an outfit known as Volt Typhoon is spying on anything that might be vulnerable in a conflict. The news underscores how vulnerable the U.S. is to cyber attacks. https://t.co/4luODXz7AL

— The Wall Street Journal (@WSJ) May 27, 2023

Targeted Industries

The scope of Volt Typhoon’s activities is extensive, with victims spanning across a range of sectors critical to the functioning of any nation.

These sectors include government, maritime, communications, manufacturing, transportation, information, and education.

The breadth of their targets suggests a broad-based interest in acquiring valuable information and maintaining persistent access to sensitive systems.

Stealthy Tactics: A Cybersecurity Challenge

What sets Volt Typhoon apart is their reliance on existing tools and hands-on keyboard approaches of their victims, a strategy that allows them to operate stealthily.

According to Microsoft, rather than introducing conspicuous third-party applications or malware, the group leverages the very tools that should be securing these systems.

The group’s typical modus operandi involves deploying malware through computer commands to collect sensitive information, including credentials from both local and network systems.

Once this data is harvested, it is stored in archives for exfiltration.

One of the most unsettling aspects of Volt Typhoon’s operations is their use of stolen credentials for launching additional cyberattacks—a method that allows them to maintain a low profile and avoid detection by security systems designed to flag the introduction of new, unfamiliar software.

In addition to this, Volt Typhoon’s operations are further obfuscated by routing internet traffic through compromised small office and home office (SOHO) hardware.

Firewalls, routers, and virtual private network (VPN) equipment are some of the devices utilized in this strategy, thus making it exceedingly difficult to discern their malicious activities from legitimate network traffic.

The group also takes advantage of open-source programs, which they modify to establish command and control channels. This extended covertness ensures they remain concealed and operational over longer periods, making detection a formidable challenge.

Potential for Disruption

The sophistication of Volt Typhoon’s operations and their targeting of critical infrastructure sectors have raised concerns about the potential for disruption in times of conflict.

Microsoft has expressed “moderate confidence” that the group’s campaigns could disrupt vital communication capabilities between the US and Asian regions if tensions were to escalate, underscoring the importance of understanding the group’s tactics and countering their activities to safeguard critical infrastructure and national security.

Multinational Response

In response to the growing threat posed by Volt Typhoon, a joint advisory was published by multinational cybersecurity agencies.

This advisory aims to protect the digital landscapes of respective countries by characterizing the malicious group and sharing documented instances of their activities.

The document also offers options for countering the hackers.

The multinational response is a testament to the global nature of the cybersecurity challenge. The interconnectedness of digital systems means that threats in one part of the world can quickly cascade and affect others.

Collaborative efforts are essential to tackle these threats effectively.

Vigilance and Preparedness

In light of the emergence of Volt Typhoon and similar cyber threats, organizations and nations need to remain vigilant and prepared.

Here are some crucial steps that can be taken to enhance cybersecurity:

Continuous Monitoring. Regular monitoring of network activity is essential. Anomalies or suspicious behavior should be promptly investigated.

Credential Management. Robust credential management practices, including regular password changes and multi-factor authentication, can help mitigate the risk posed by stolen credentials.

Network Segmentation. Segregating critical systems from less critical ones can limit the potential damage from a breach.

Threat Intelligence Sharing. Organizations should actively participate in threat intelligence sharing networks to stay updated on emerging threats and vulnerabilities.

Employee Training. Employees play a critical role in cybersecurity. Comprehensive training and awareness programs can help them recognize and report suspicious activities.

Patch and Update Management. Keeping software, operating systems, and hardware up to date with security patches is crucial to mitigate known vulnerabilities.

Collaboration. Governments, private sector entities, and international cybersecurity agencies must collaborate to pool resources and expertise in combating cyber threats effectively.

Incident Response Plans. Organizations should have well-defined incident response plans in place to swiftly address any cybersecurity incidents.

~

Volt Typhoon’s activities highlight the persistent and evolving nature of cyber threats in today’s interconnected world.

As this China-based hacking group continues to pose a significant risk to critical infrastructure and national security, a coordinated response from governments, international agencies, and private sector organizations is crucial.

The joint advisory released by multinational cybersecurity agencies serves as a valuable resource in understanding the tactics employed by Volt Typhoon and other similar threat actors. By staying informed and implementing robust cybersecurity measures, we can collectively bolster our defenses against these insidious threats and safeguard our digital infrastructure.

In the digital age, preparedness is not an option; it’s a necessity.

—

Disclaimer: SOFREP utilizes AI for image generation and article research. Occasionally, it’s like handing a chimpanzee the keys to your liquor cabinet. It’s not always perfect and if a mistake is made, we own up to it full stop. In a world where information comes at us in tidal waves, it is an important tool that helps us sift through the brass for live rounds.