
Chinese Hacking Group That Targeted Critical Infrastructure Disrupted, Booted From Compromised Devices

A botnet used by a state-backed Chinese hacking group has lost at least some of its capacity, according to security officials who spoke to Reuters anonymously. “Volt Typhoon” began making news in May of 2023 when a Microsoft report accused the group of “living off the land” in military facilities and the utilities that support them, with the apparent longer-term objective of causing disruption to critical infrastructure should military conflict in Taiwan take place.

The Chinese hacking group reportedly changed up its tools and tactics after it was exposed by the Microsoft report in May, something that had prompted a flurry of US government activity to ensure national security. For its part, China has claimed that the whole Volt Typhoon story is a disinformation campaign conducted by the US and its “Five Eyes” intelligence partners. The group has been known to target peripheral devices, such as routers and security cameras, that have known vulnerabilities; it appears they have now been evicted from an unspecified number of these devices.

Chinese hacking group prompted concerns about electrical grid shutdowns

Though public awareness of the extent of the Chinese hacking group’s activities is less than a year old, the group has been targeting US critical infrastructure since at least mid-2021. The Microsoft report prompted the US Department of Justice and the FBI to seek authorization to “hack back” against the group’s botnet and disable components, something that has apparently been happening over the past few months.

The main thrust of the Chinese hacking group’s operations is to compromise vulnerable devices that in turn provide a path into the networks of utility companies and internet service providers that support military facilities that would come into play if an armed conflict were ignited in the Pacific. The group has also reportedly targeted whatever military installations it could find vulnerabilities in, such as naval ports, and may have also infiltrated US mainland critical infrastructure targets with the intent of causing more generalized chaos to reduce public support for military action.

The Chinese hacking group uses a variety of techniques to maintain a long-term presence in target networks without being detected. It very rarely uses malware, preferring to target vulnerable login credentials or exploit documented vulnerabilities in internet-connected devices that have not been (or cannot be) patched. Once in a network, it uses compromised small office and home office network devices to make its traffic look more natural and evade suspicion.

A December 2023 report from Lumen identified the Chinese hacking group as using a unique botnet, called the “KV-Botnet,” as its means of command-and-control for attacks. This botnet was assessed as being made up mostly of compromised legacy routers with known vulnerabilities, from a variety of manufacturers. A report from SecurityScorecard’s threat intelligence team that was issued three weeks ago finds that the group is heavily targeting old Cisco RV320 routers that are still in use. These devices have been known to have multiple web-based management interface vulnerabilities since early 2019; they are not entirely patchable, nor are there known remediation techniques that make them completely secure.

Critical infrastructure disruptions could be possible during a Taiwan war

It is unclear exactly how much of the botnet has been crippled by US actions thus far. In an early December report, security firm Black Lotus Labs called the botnet “unkillable” and estimated that it was made up of hundreds of end-of-life router models that will never be properly secured. The report also found that the Chinese hacking group was targeting Axis IP cameras, which had six new vulnerabilities appear in August 2023 in addition to longer-term issues with required password strength and lack of any defense against brute force attacks.

Part of the attribution of all these activities to the Chinese hacking group is the fact that they are not being observed doing “traditional” cyber crime activities when they launch attacks. They are not double-dipping on espionage, seemingly focusing only on probing critical infrastructure for vulnerabilities and finding ways to disrupt it.

The incident highlights the continuing utility that threat actors extract from legacy devices that simply can no longer be secured properly. Though Volt Typhoon is thought to be a sophisticated state-supported threat group, the best defense against them appears to simply be identifying badly outdated devices with documented vulnerabilities and replacing them. Part of the problem is a continuing perception, particularly among less cybersecurity-minded elements of organizations, that devices like a security camera facing a public area aren’t a serious threat or worth added expense to secure. Not all organizations are thinking about critical infrastructure security, but any could potentially be used as a piece of an attack attempt against it.

Anton Shipulin, industrial cybersecurity evangelist at Nozomi Networks, additionally notes that the US declaration of an operation that did not appear to put the Chinese hacking group out of business is an unusual development: “In recent years, we have witnessed an increasing number of cases where the national authorities of certain countries directly state their involvement in cyber operations against hacking groups and other government structures, rather than doing so through proxy adversary groups. This shift suggests that cyber operations are becoming less clandestine than they used to be. However, from an international and diplomatic standpoint, public statements about offensive cyber operations are more likely to create problems. This remains largely theoretical, as there are currently no established mechanisms in place to effectively respond to such declarations.”