Volt Typhoon Attacks: Chinese Nation-Backed Actors Focus Malicious Efforts at the US Critical Infrastructure

State-sponsored hackers acting on behalf of the Beijing government have been organizing offensive operations aimed at collecting intelligence and launching destructive campaigns against the US and global organizations for years, with multiple observed attacks being related to such groups as Mustang Panda or APT41.

The latest joint alert by the intelligence agencies of the US, UK, Australia, New Zealand, and Canada warns that another Chinese APT group dubbed Volt Typhoon (aka Vanguard Panda, BRONZE SILHOUETTE) has set its eyes on the US critical infrastructure. The state-sponsored actors have made their way to the critical infrastructure of the United States, maintaining access for half a decade and planning a set of destructive operations. Particularly, adversaries leveraged a set of security gaps affecting SOHO routers, firewalls, and VPNs to establish an initial foothold in the targeted networks and proceed with malicious activity.

Detect Volt Typhoon Attacks

The increasing menace posed by nation-state actors continuously intensifies with new tactics, techniques, and procedures added to the adversary toolkit. Cybersecurity professionals should constantly keep a finger on the pulse of new malicious tricks to secure the organizational infrastructure and detect possible attacks at the earliest stages of development. SOC Prime Platform offers a set of advanced tools to take your threat hunting efforts to the next level and always keep defense up-to-date. 

Detect the malicious activity linked to the Volt Typhoon operations using a set of curated detection algorithms in the SOC Prime Platform. All detections are compatible with 25+ SIEM, EDR, XDR, and Data Lake solutions and mapped to MITRE ATT&CK framework v14 to help security professionals streamline the investigation.

Hit the Explore Detections button below to immediately drill down to a detection content bundle aimed at detecting covert Volt Typhoon attacks. To simplify the content search, SOC Prime supports filtering by custom tags “AA24-038A,” “Volt Typhoon,” “Vanguard Panda,” “BRONZE SILHOUETTE,” “Dev-0391,” “UNC3236,” “Voltzite,” and “Insidious Taurus”  based on the CISA alert and hacking collective identifiers.

Explore Detections

Analyzing Hacking Group Volt Typhoon Attacks Covered in AA24-038A CISA Cybersecurity Advisory

On February 7, 2024, CISA, NSA, and FBI, in conjunction with other international intelligence agencies, issued AA24-038A advisory warning of a long-lasting operation by Volt Typhoon APT. Nation-state adversaries have leveraged a botnet consisting of SOHO routers to penetrate the networks of multiple organizations within communication, energy, transportation, and other US critical infrastructure sectors. According to federal cybersecurity experts, Volt Typhon is primarily aimed at destructive operations rather than cyber espionage, establishing access to the networks to move laterally across the environments and potentially disrupt the OT assets. Apart from the main focus on the US, experts assume that Canadian, Australian, and New Zealand organizations might also be affected. 

Notably, the latest Volt Typhoon attacks might be connected to the KV-botnet malware linked to the Beijing-backed hackers and revealed in December 2023. This malware has been used to hijack routers and VPN devices, shaping a powerful botnet under the control of Chinese hackers.

Volt Typhoon has been performing its offensive operations in the cyber threat arena since 2021, mainly targeting critical infrastructure in Guam and other parts of the U.S. across multiple industry sectors. The identified behavior patterns reveal the attacker’s objectives related to cyber-espionage activity and their focus on maintaining stealth and persistence. To fly under the radar, Volt Typhon massively relies on living-off-the-land tactics, exploits valid accounts, and keeps enhanced operation security. Due to this approach, hackers managed to stay unnoticed inside the targeted networks for over five years in some cases, covertly proceeding with the malicious activity. 

In view of the increasing sophistication of Chinese adversary capabilities supported by the country’s government over the last half-decade, China is highly likely to strengthen its position in the cyber front by enhancing its cyber warfare and expanding the scope of attacks. Rely on SOC Prime and reach over 500+ curated detection algorithms against current and emerging APT attacks of any scope and scale to continuously reinforce your cyber resilience.