The Chinese state-sponsored hacker group known as Volt Typhoon has been actively targeting critical infrastructure worldwide, leveraging vulnerabilities in Cisco and NetGear routers to infiltrate organizations.
This group, also known by aliases such as Bronze Silhouette and Vanguard Panda, is believed to operate on behalf of the Chinese government, focusing on espionage, information theft, and intelligence gathering.
Exploitation Techniques and Targets
Volt Typhoon employs sophisticated techniques to breach networks.
They use credential harvesting, custom malware implants and spear-phishing, and they exploit vulnerabilities in various devices, including Cisco and NetGear routers.
The group targets a wide range of countries, including the United States, the United Kingdom, Canada, India, Japan, Germany, Taiwan, South Korea, New Zealand, Australia, the Philippines, Malaysia, and Vietnam.
Recently, they have exploited vulnerabilities such as CVE-2022-42475, CVE-2024-21887, CVE-2023-46805, and CVE-2021-40539 to gain access to critical systems.
Volt Typhoon’s tactics involve using valid accounts to gain initial access, often acquired through phishing or brute-forcing weak passwords on SOHO routers like the Cisco RV320/325 and Netgear ProSafe.
According to a Cyfirma report, they exploit vulnerabilities in Fortinet FortiGuard and Versa Networks SD-WAN to infiltrate critical infrastructure networks.
Once inside, they use living off the land (LOTL) techniques, leveraging native tools like PowerShell and Bash to execute commands without deploying custom malware, making detection challenging.
Persistence and Impact
The group maintains persistence by creating scheduled tasks or cron jobs to ensure continued access even after system reboots.
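The two behaviours described above, native interpreters launched without custom malware and persistence through scheduled tasks or cron jobs, can be hunted together: a task-creation record whose command is a built-in interpreter started with evasive options is a much stronger signal than either alone. The following added example (not code from the original article or from any vendor report) scores constructed task and cron records; the record field names, the interpreter list and the argument patterns are assumptions of this example, not a published Volt Typhoon signature.

```python
"""Detection heuristic for scheduled-task / cron persistence that launches
native interpreters (living off the land). Records are constructed samples,
not real telemetry; the field names are an assumption of this example."""
import re
import shlex

# Native interpreters and download utilities commonly abused for LOTL execution
LOTL_BINARIES = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                 "cscript.exe", "mshta.exe", "bash", "sh", "python", "curl", "wget"}
# Options and paths that make an interpreter launch look evasive (assumed patterns)
SUSPICIOUS = re.compile(
    r"(-enc\w*\s|-w(indowstyle)?\s+hidden|-nop\b|-noni\b|iex\b|invoke-expression"
    r"|\\temp\\|/tmp/|/dev/shm/|base64\s+-d|nohup\b)", re.IGNORECASE)

def score(command: str) -> list[str]:
    """Return the reasons a task's command line looks like LOTL persistence."""
    reasons = []
    try:
        argv = shlex.split(command, posix=False)  # keep Windows paths/quoting intact
    except ValueError:
        argv = command.split()
    if not argv:
        return reasons
    binary = argv[0].strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
    if binary in LOTL_BINARIES:
        reasons.append(f"lotl-interpreter:{binary}")
    for m in SUSPICIOUS.finditer(command):
        reasons.append("suspicious-arg:" + m.group(0).strip().lower())
    return reasons

def flag_persistence(events: list[dict]) -> list[dict]:
    """Flag task/cron creations whose command hits both an interpreter and an
    evasive argument; admin tasks that trip only one signal are left alone."""
    alerts = []
    for ev in events:
        reasons = score(ev["command"])
        kinds = {r.split(":")[0] for r in reasons}
        if {"lotl-interpreter", "suspicious-arg"} <= kinds:
            alerts.append({**ev, "reasons": reasons})
    return alerts

# Constructed samples: a Windows task creation (event 4698), a cron install, a benign backup task
SAMPLE_EVENTS = [
    {"host": "ws01", "source": "win:4698", "user": "svc_backup",
     "command": r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoP -W Hidden -Enc SQBFAFgA'},
    {"host": "edge01", "source": "cron", "user": "root",
     "command": "/bin/bash -c 'nohup /tmp/.x/agent >/dev/null 2>&1 &'"},
    {"host": "ws02", "source": "win:4698", "user": "Administrator",
     "command": r'C:\Program Files\Backup\backup.exe --full'},
]

if __name__ == "__main__":
    for alert in flag_persistence(SAMPLE_EVENTS):
        print(alert["host"], alert["source"], alert["reasons"])
```

Feeding real Windows 4698 task content or crontab change records into the same shape lets the rule run over existing logs; the benign third sample shows why both signals are required before alerting.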
Compromised SOHO routers serve as “silent bridges” for command-and-control (C2) infrastructure, allowing them to rapidly rebuild botnets after disruptions.
Volt Typhoon also exploits unpatched vulnerabilities in legacy systems to escalate privileges, gaining domain admin rights and extracting Active Directory credentials.
In recent campaigns, Volt Typhoon has demonstrated remarkable resilience by swiftly rebuilding its infrastructure following a major FBI-led takedown in December 2023.
The group compromised a significant number of Cisco RV320/325 routers, using them as covert relay nodes.
Additionally, they exploited a zero-day vulnerability in Versa Networks SD-WAN, targeting IT, MSP, and ISP sectors to enable large-scale supply chain compromises.
This strategic targeting aligns with China’s geopolitical interests, focusing on sectors vital to U.S. and allied stability, such as energy grids and telecommunications.