Stealthy new botnet targets VPN devices and routers while staying disguised

A robot hand touching a locked digital shield blocking a human from accessing data
(Image credit: Blue Planet Studio/Shutterstock)

The US Government, together with several other countries, has issued a joint Cybersecurity Advisory notice warning of malicious work being carried out by a state-sponsored Chinese cyber actor known as Volt Typhoon.

The Chinese group has been observed targeting US critical infrastructure sectors, and other countries are believed to be at risk.

In fact, the attack uncovered by Microsoft earlier this year has captured the attention not only of the NSA, CISA, and FBI of the United States, but also officials in Australia, Canada, New Zealand, and the UK.

Chinese group stealthily targeting routers

According to Microsoft, the group, which has only been active since 2021, has previously targeted critical infrastructure on the Micronesian island Guam in the Western Pacific, which is an unincorporated territory of the US, as well as other American regions.

This particular campaign looks not to be especially focused, with sectors including communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education all under threat.

Volt Typhoon uses built-in network administration tools, otherwise known as living off the land, to evade endpoint detection by blending in with normal Windows system and network activities.

Microsoft summarized the steps: “They issue commands via the command line to (1) collect data, including credentials from local and network systems, (2) put the data into an archive file to stage it for exfiltration, and then (3) use the stolen valid credentials to maintain persistence.”

The threat actor was also noted to be blending into normal network activity by routing its traffic through compromised small office and home office (SOHO) network equipment, such as routers, firewalls, and VPN devices.

The security notice suggests that organizations harden domain controllers and monitor event logs, look for abnormal account activity, and investigate unusual IP addresses. Full details of the attack and mitigations can be found on the US Department of Defense’s website.

More from TechRadar Pro

Craig Hale

With several years’ experience freelancing in tech and automotive circles, Craig’s specific interests lie in technology that is designed to better our lives, including AI and ML, productivity aids, and smart fitness. He is also passionate about cars and the decarbonisation of personal transportation. As an avid bargain-hunter, you can be sure that any deal Craig finds is top value!