Hack back: US disconnects Volt Typhoon

"This actor is not doing the quiet intelligence collection and theft of secrets... they can disrupt major services if, and when, the order comes down,"

The US government has taken down the infrastructure being used by Chinese state-sponsored hacker group Volt Typhoon in an unusually public "hack back" after the group targed critical infrastructure.

The Biden administration has been running an operation to remotely disable aspects of the Chinese hacking campaign, according to Reuters, amid concern that the group could "remotely disrupt important facilities in the Indo-Pacific region that in some form support or service U.S. military operations."

It comes eight months after CISA published an advisory highlighting a cluster of "activity of interest" from the hacker group, which has since evolved its tactics and targets.

That advisory – published together with other Five Eyes agencies – disclosed that Volt Typhoon had successfully breached CNI in a “hands-on-keyboard” campaign that made extensive use of living off the land techniques.

See also: Chinese state-backed “Volt Typhoon” hackers breached US critical infrastructure

The risk to critical infrastructure including naval ports, internet service providers and utilities caused particular alarm amongst agencies.

Reuters notes that the US government has increased its focus on hacking due to fears that there may be external interference in the upcoming Presidential elections.

The sentiment that Volt Typhoon deviates from regular espionage actions and that Chinese state-backed cyber actors are growing more dangerous were echoed by John Hultquist, Chief Analyst at Mandiant Intelligence.

"This actor is not doing the quiet intelligence collection and theft of secrets that has been the norm in the US. They are probing sensitive critical infrastructure so they can disrupt major services if, and when, the order comes down," said Hultquist this week.

Concern about Volt Typhoon has come amidst growing tensions between Taiwan and China, which has led to fears of a cyber war.

Speaking to POLITICO in October 2023, White House official and Deputy National Secretary for cyber and emerging technologies Anne Neuberger said that both Taiwan and the US were bracing for impact.

“From President Tsai [Ing-wen] on down, they’re very focused on increasing the cybersecurity and digital resilience of Taiwan,” said Neuberger.

The 2023 attack appears to have begun with the breach of internet-facing Fortinet FortiGuard devices, with the group channelling its command and control (C2) traffic through a network of compromised routers, firewalls, and VPN hardware from a wide range of providers including ASUS, Cisco, D-Link, NETGEAR, and Zyxel.

The group has been active since mid-2021, according to a Microsoft Threat Intelligence team report. The group's activities had been noted by private sector players as well, with the Five Eyes agencies concluding that Volt Typhoon operates by living off the land and using built-in network administration tools to achieve their objectives. This also allows the actor to evade end point detection and response tools.

The National Security Agency has previously stated that Volt Typhoon used Earthworm and a custom Fast Reverse Proxy (FRP) client with hardcoded C2 callbacks [T1090] to ports 8080, 8443, 8043, 8000, and 10443 with various filenames including, but not limited to: cisco_up.exe, cl64.exe, vm3dservice.exe, watchdogd.exe, Win.exe, WmiPreSV.exe, and WmiPrvSE.exe.

Get the latest episodes directly in your inbox