Volt Typhoon botnet shut down by US authorities (FBI)

The US government has just announced that the Volt Typhoon espionage and botnet network has been shut down by remote commands. This network, attributed to China, infiltrates routers with the aim of being able to shut down critical infrastructure in the event of a conflict. The FBI and other authorities obtained a court warrant to remove the malware from the infected devices.


The Volt Typhoon botnet

The information was published by the US government on January 31, 2024; the tweet below refers to this announcement. The accusation made in the tweet: China is targeting critical infrastructure in the USA and in allied countries with the Volt Typhoon malware. According to US government officials (see the Wall Street Journal, WSJ), Beijing is preparing to launch potentially damaging cyberattacks in future conflicts, including one over Taiwan.

The Volt Typhoon botnet is said to have infected and hijacked hundreds of routers. The botnet was then used to covertly attack critical infrastructure networks of the US and its allies. The botnet activities discovered so far, which are attributed to China, are "probably just the tip of the iceberg", according to the officials.

John Hultquist, Chief Analyst, Mandiant Intelligence – Google Cloud, wrote to me in a statement:

"This actor is not engaging in silent intelligence gathering and theft of secrets, as is common in the US. Instead, it is probing sensitive critical infrastructure to disrupt critical services if and when ordered to do so."

Sandra Joyce, VP of Intelligence at Mandiant, says the following:

"Volt Typhoon focuses on targeting critical infrastructure, such as water treatment plants, power grids and so on. By flying under the radar, the actor works hard to reduce traces that allow us to track their activities across the networks.

The group uses compromised systems to gain undetected access to normal network activity, constantly changing the source of their activity. It avoids using malware as this could trigger an alarm and give us something tangible.

Tracking such activities is extremely difficult, but not impossible. Mandiant and Google are focused on staying one step ahead of the actor, working closely with customers and partners.

This is not the first time that critical US infrastructure has been attacked in this way. On several occasions, Russian intelligence actors have been discovered in the midst of similar operations that were eventually exposed. Such operations are dangerous and sophisticated, but not impossible.

The purpose of Volt Typhoon was to prepare undetected for a contingency. Fortunately, Volt Typhoon has not gone unnoticed, and even though the hunt is challenging, we are adapting to improve intelligence gathering and thwart [actions] of these actor[s]. We anticipate their moves, we know how to identify them, and most importantly, we know how to harden the networks they target."

The Wall Street Journal writes that senior U.S. officials described the operation in unusually blunt terms as part of an evolving and increasingly worrisome campaign by Beijing to gain a foothold in U.S. computer networks responsible for everything from safe drinking water to air travel so that it could launch damaging cyberattacks in the blink of an eye in a future conflict, including over Taiwan.

Botnet on routers shut down

The US Department of Justice and the FBI took action in December 2023 after receiving court authorization to take down the botnet, i.e. the network of hacked devices. Infected routers were cleaned of the malware by cutting the connection to the malware's command-and-control servers and then installing pre-prepared software on the devices. This removed the infection and prevented re-infection.

Device owners were not informed in advance of the FBI's operation on the routers because the agency wanted to address the problem urgently, FBI representatives say. The Volt Typhoon botnet consisted of infected small office and home office (SOHO) routers. The majority of these devices were Cisco and Netgear routers that had reached their end-of-life and were no longer receiving firmware security updates.

A technical analysis can be found at Lumen; the affected router models are named there.

The infected routers were not necessarily connected to the critical infrastructure networks targeted by the hackers, US government officials said. Rather, they were nodes used to hide their malicious activity from easy detection.

More information can be found in this WSJ article. Bleeping Computer writes here that the US CISA is calling on manufacturers to harden their products against Volt Typhoon attacks.
