What is Volt Typhoon, the alleged China-backed hacking group?

Networks controlled by a pervasive Chinese hacking group dubbed “Volt Typhoon” have been disrupted by a US government operation, Reuters exclusively reported on Monday, January 29.

The group has alarmed intelligence officials who say it is part of a larger effort to compromise Western critical infrastructure, including naval ports, internet service providers and utilities, raising concerns that the hackers were working to hurt US readiness in case of a Chinese invasion of Taiwan.

Here is what is known about Volt Typhoon and its potential threat:

‘Future crises’

Nearly every country in the world uses hackers to gather intelligence. Major powers like the United States and Russia have large stables of such groups – many of which have been given colorful nicknames by cybersecurity experts, such as “Equation Group” or “Fancy Bear.”

Experts begin to worry when such groups turn their attention from intelligence gathering to digital sabotage. So when Microsoft said in a blog post in May last year that Volt Typhoon was “pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises,” it immediately brought to mind escalating tensions between China and the United States over Taiwan. Any conflict between those two countries would almost certainly involve cyberattacks across the Pacific.

Taiwan botnet

Does this mean a group of destructive hackers is preparing to sabotage US infrastructure in the event of a conflict over Taiwan?

Microsoft qualified its assessment last year as “moderate confidence,” intelligence jargon that typically means a theory is plausible and credibly sourced but has yet to be fully corroborated. Different researchers have identified various aspects of the group.

It is now clear that Volt Typhoon has functioned by taking control of swathes of vulnerable digital devices around the world – such as routers, modems, and even internet-connected security cameras – to hide later, downstream attacks into more sensitive targets. This constellation of remotely controlled systems, known as a botnet, is of primary concern to security officials because they limit the visibility of cyber defenders that monitor for foreign footprints in their computer networks.

In a report earlier this month, cybersecurity ratings firm SecurityScorecard said Cisco Systems devices were particularly vulnerable to Volt Typhoon’s activity. The firm said it had identified a “network of covert infrastructure operating in Europe, North America, and Asia Pacific that appears to be composed of compromised routers and other network edge devices.”

Stealthy storm

Nearly all cyber spies work to cover their tracks. The use of so-called botnets by both government and criminal hackers to launder their cyber operations is not new. The approach is often used when an attacker wants to quickly target numerous victims simultaneously or seeks to hide their origins.

China routinely denies hacking and has done so in the case of Volt Typhoon. But documentation of Beijing’s cyberespionage campaigns has been building for more than two decades. The spying has come into sharp focus over the past 10 years as Western researchers tied breaches to specific units within the People’s Liberation Army, and US law enforcement charged a string of Chinese officers with stealing American secrets.

Secureworks, an arm of Dell Technologies, said in a blog post last year that Volt Typhoon’s interest in operational security likely stemmed from embarrassment over the drumbeat of US indictments and “increased pressure from (Chinese) leadership to avoid public scrutiny of its cyberespionage activity.”

The Biden administration has increasingly focused on hacking, not only for fear nation states may try to disrupt the US election in November, but because ransomware wreaked havoc on Corporate America in 2023. – Rappler.com