Cybersecurity News that Matters

Chinese hacker group Volt Typhoon expands reach, targeting aging infrastructure worldwide

Illustration by Areum Hwang, The Readable

by David DiMolfetta

Nov. 12, 2024
11:00 PM GMT+9

Volt Typhoon, a Chinese state-sponsored hacking group previously believed to have been curtailed by Western cyber defenses, has reemerged with a more advanced strategy aimed at infiltrating critical infrastructure worldwide, according to findings released Tuesday.

SecurityScorecard’s STRIKE Team report reveals that the hacking collective has shifted tactics, exploiting vulnerabilities in outdated routers at government and industrial facilities. This approach enables them to build a botnet, a covert global network of compromised devices, which they use as entry points to infiltrate critical infrastructure, including electric grids, pipelines, and water systems.

Officials report that Volt Typhoon is infiltrating critical infrastructure with the intent to disable or sabotage underlying technologies if Western allies engage in military conflict with China. Such actions could cause severe disruptions to power, communications, and other essential services. In August, Beijing-backed cyberspies were discovered embedded within the systems of several U.S. internet service providers.

The STRIKE Team has now uncovered that Volt Typhoon is using its original infrastructure and tactics in an enhanced, more sophisticated version of its botnet. This aligns with recent reports on the group’s activity; Bloomberg News reported this month that the hackers breached Singapore’s Singtel telecommunications carrier over the summer.

Unlike typical cyber intruders who retreat once detected, Volt Typhoon strengthens its foothold within compromised networks. According to SecurityScorecard, the group has adapted its tactics, specifically targeting outdated Cisco and Netgear ProSafe routers to build a concealed botnet spanning multiple countries.

These end-of-life devices—older equipment that manufacturers no longer prioritize for essential security updates—serve as entry points, allowing the hackers to quickly infiltrate systems. In just over a month, the botnet compromised 30% of visible Cisco RV320/325 routers, facilitating a surprisingly rapid spread, according to STRIKE’s assessment.

Since its discovery, Volt Typhoon’s botnet infrastructure has expanded across multiple countries, with command-and-control servers identified in the Netherlands, Latvia, and Germany.

More recently, the hacking collective has established a VPN hub in New Caledonia, a remote island in the Pacific, to broaden its reach. According to STRIKE, this hub serves as a “silent bridge” for traffic between the Asia-Pacific region and the Americas, bypassing regional detection systems and allowing seamless communication among operatives within the botnet.

Volt Typhoon’s focus on outdated routers underscores a widespread vulnerability in global critical infrastructure. Organizations in sectors like energy frequently depend on aging systems and third-party vendors, which the hackers exploit to quietly establish access.

The U.S. and allied nations have made efforts to curb cyberspy activities, including a takedown operation in January that dismantled a cluster of compromised internet equipment used by the group to penetrate American infrastructure. However, officials reported recently that Volt Typhoon has established multiple botnet staging grounds, making it nearly impossible for Western efforts to fully dismantle their operational network.

The cyberspies employ “living off the land” techniques, relying on the administrative tools already built into the systems they compromise rather than on custom malware, which allows them to blend into normal activity and avoid detection, according to intelligence reports. By using stolen administrator credentials, the group can conceal its actions and evade discovery more easily.

The STRIKE Team’s report states that Volt Typhoon remains hidden through specialized malware, allowing operatives to blend into regular network traffic. This malware also facilitates stealthy communication, making it challenging for even skilled cybersecurity teams to detect any unusual activity.
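One practical check that follows from the two paragraphs above: when an intruder logs in with valid administrator credentials and changes device configuration through the normal management interface, there is no malware signature to match, so detection has to come from context. The script below is an added example written for this article, not code from SecurityScorecard, the STRIKE report, or any vendor. It runs simple behavioural rules over a handful of constructed, Cisco-IOS-style syslog lines (a successful admin login from an address outside the management subnet, a configuration change outside the maintenance window, and a success immediately following a failed login from the same source). The log format, the 10.0.0.0/24 management subnet, the 01:00-05:00 UTC change window, and the five-minute failure-to-success threshold are all assumptions chosen for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log for this example. The message format imitates the
# generic Cisco IOS %SEC_LOGIN / %SYS-5-CONFIG_I style; it is not output from
# any specific device model and not data from the STRIKE report.
SAMPLE_LOG = """\
2024-10-03T02:14:09Z rtr-edge-1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.0.12] [localport: 22]
2024-10-03T02:16:40Z rtr-edge-1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.12)
2024-10-03T03:41:55Z rtr-edge-1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 198.51.100.23] [localport: 443]
2024-10-03T03:43:02Z rtr-edge-1 %SYS-5-CONFIG_I: Configured from console by admin on vty1 (198.51.100.23)
2024-10-03T11:05:13Z rtr-edge-1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.9] [localport: 22]
2024-10-03T11:05:19Z rtr-edge-1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 203.0.113.9] [localport: 22]
2024-10-03T11:07:30Z rtr-edge-1 %SYS-5-CONFIG_I: Configured from console by admin on vty2 (203.0.113.9)
"""

# Assumed site policy: admin access only from this subnet, changes only in this window.
MGMT_NETS = [ipaddress.ip_network("10.0.0.0/24")]
MAINT_WINDOW_UTC = (1, 5)            # changes expected between 01:00 and 05:00 UTC
FAIL_TO_SUCCESS = timedelta(minutes=5)

SUCCESS_RE = re.compile(r"LOGIN_SUCCESS: Login Success \[user: (?P<user>\S+)\] \[Source: (?P<src>[\d.]+)\]")
FAILED_RE = re.compile(r"LOGIN_FAILED: Login failed \[user: (?P<user>\S+)\] \[Source: (?P<src>[\d.]+)\]")
CONFIG_RE = re.compile(r"CONFIG_I: Configured from \S+ by (?P<user>\S+) on \S+ \((?P<src>[\d.]+)\)")


@dataclass
class Finding:
    ts: datetime
    user: str
    src: str
    reason: str


def _in_nets(src: str, nets) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in n for n in nets)


def detect(log_text: str, mgmt_nets=MGMT_NETS, window=MAINT_WINDOW_UTC) -> list:
    """Return behavioural findings for admin logins and config changes.

    No malware indicators are used: every flagged event is a legitimate-looking
    action performed with valid credentials, judged only by where it came from,
    when it happened, and what preceded it.
    """
    findings = []
    last_failure = {}  # source address -> timestamp of most recent failed login
    for line in log_text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        msg = parts[2]

        if m := FAILED_RE.search(msg):
            last_failure[m["src"]] = ts
            continue

        if m := SUCCESS_RE.search(msg):
            if not _in_nets(m["src"], mgmt_nets):
                findings.append(Finding(ts, m["user"], m["src"],
                                        "admin login from outside management subnet"))
            prior = last_failure.get(m["src"])
            if prior is not None and ts - prior <= FAIL_TO_SUCCESS:
                findings.append(Finding(ts, m["user"], m["src"],
                                        "login success shortly after failed login from same source"))
            continue

        if m := CONFIG_RE.search(msg):
            if not _in_nets(m["src"], mgmt_nets):
                findings.append(Finding(ts, m["user"], m["src"],
                                        "config change from outside management subnet"))
            if not (window[0] <= ts.hour < window[1]):
                findings.append(Finding(ts, m["user"], m["src"],
                                        "config change outside maintenance window"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.ts.isoformat()} {f.user}@{f.src}: {f.reason}")
```

On the constructed sample, the first two lines (an in-window change from the management subnet) produce nothing, while the logins and changes from 198.51.100.23 and 203.0.113.9 produce six findings in total. The point is not the specific rules but that, against an intruder using real credentials, the usable signal is a deviation from the site's own baseline of who administers a device, from where, and when; those baselines have to exist before they can be checked.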

The Chinese government has strongly denied any involvement in overseeing Volt Typhoon, despite widespread attribution from Western nations and private sector partners. In late July, Beijing’s National Computer Virus Emergency Response Center released a paper, full of inaccuracies, claiming that Volt Typhoon was a fabricated disinformation campaign designed to exaggerate cyber threats from China.


Related article: FBI, CISA, NSA, and National Cyber Director testify before Congress about Chinese hackers

General Paul Nakasone, from left, the National Security Agency (NSA) director and the commander of the United States Cyber Command, Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), Christopher Wray, Director of the Federal Bureau of Investigation (FBI), and Harry Coker Jr., the National Cyber Director, are sworn in at a hearing titled “The CCP Cyber Threat to the American Homeland and National Security,” held at the U.S. Congress in Washington D.C. on January 31. Source: The Select Committee on the Chinese Communist Party (CCP)

Top cyber officials of the United States testified before the U.S. Congress in Washington D.C. on January 31 about the most pressing threats posed by Chinese hackers to U.S. critical infrastructure and American citizens.

Speakers at the hearing included the Federal Bureau of Investigation (FBI) Director Christopher Wray, Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly, General Paul Nakasone, who serves concurrently as the National Security Agency (NSA) director and the commander of U.S. Cyber Command, and National Cyber Director Harry Coker Jr.

In his opening statement, Director Wray said, “China’s hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if or when China decides the time has come to strike.” According to the FBI, China is targeting American critical infrastructure for the “sole purpose of disabling and destroying critical infrastructure in the event of a conflict—a conflict over Taiwan for example.” READ MORE


  • David DiMolfetta

    David DiMolfetta is a contributing writer at The Readable. Based in Washington D.C., he is a full-time cybersecurity reporter for Nextgov/FCW, a news website and trade magazine focused on U.S. federal...