Volt Typhoon is a state-sponsored Chinese hacker group. The United States government and its key global intelligence partners, known as the Five Eyes, issued a warning on March 19, 2024, about the group’s activity targeting critical infrastructure.
The warning reflects analysis by the cybersecurity community about China’s state-sponsored hacking in recent years. Like many cyber attacks and attackers, Volt Typhoon has many aliases and is also known as Vanguard Panda, Bronze Shadow, Dev-0391, UNC3236, Voltzite and Insidious Taurus. After these latest warnings, China again denied that it was engaging in aggressive cyber espionage.
Thousands of devices around the world have been at risk from Volt Typhoon since it was publicly identified by security analysts at Microsoft in May 2023. However, some analysts in both the government and the cybersecurity community believe that the group has been targeting infrastructure since mid-2021, and possibly much longer.
Volt Typhoon uses malicious software that compromises internet-connected systems by exploiting vulnerabilities such as weak administrator passwords, factory default logins and devices that are not regularly updated. The hackers have targeted communications, energy, transportation, water and wastewater systems in the United States and its territories, such as Guam.
In many ways, Volt Typhoon operates similarly to traditional botnet operators that have been disrupting the internet for years. It takes control of vulnerable internet devices such as routers and security cameras to hide and establish a beachhead before using that system to launch future attacks.
Working this way makes it difficult for cybersecurity defenders to accurately identify the source of an attack. Worse, defenders could accidentally retaliate against a third party that is unaware it has been caught up in the Volt Typhoon botnet.
Why Volt Typhoon matters
Disruption of critical infrastructure could cause economic damage worldwide. Volt Typhoon also poses a threat to the US military by disrupting power and water to critical military facilities and supply chains.
Microsoft’s 2023 report noted that Volt Typhoon “could disrupt critical communications infrastructure between the United States and the Asian region during future crises.” The March 2024 report, published by the Cybersecurity and Infrastructure Security Agency in the United States, also warned that the botnet “could lead to disruption or destruction of critical services in the event of increased geopolitical tensions and/or military conflict with the United States and its allies.”
The existence of Volt Typhoon and the rising tensions between China and the US, particularly over Taiwan, represent the latest link between global events and cybersecurity.
Defending against Volt Typhoon
The FBI reported on January 31, 2024, that it had disrupted Volt Typhoon’s operations by removing the group’s malware from hundreds of small office/home routers. However, the United States is still determining the extent of the group’s infiltration of critical American infrastructure.
On March 25, 2024, the United States and the UK announced that they had imposed sanctions on Chinese hackers involved in compromising their infrastructure. And other countries, including New Zealand, have traced cyber attacks back to China in recent years.
All organizations, especially infrastructure providers, must practice time-tested secure computing focused on preparation, detection and response. They need to ensure that their information systems and smart devices are properly configured and patched, and can log activity. And they should identify and replace any devices at the edges of their networks, such as routers and firewalls, that are no longer supported by their vendor.
Organizations can also implement strong user authentication measures, such as multi-factor authentication, to make it more difficult for attackers like Volt Typhoon to compromise systems and devices. More broadly, NIST’s comprehensive Cybersecurity Framework can help these organizations develop a stronger cybersecurity posture to defend against Volt Typhoon and other attackers.
Individuals, too, can take steps to protect themselves and their employers by ensuring their devices are properly updated, enabling multi-factor authentication, never reusing passwords, and otherwise remaining vigilant to suspicious activity on their accounts, devices and networks.
For cybersecurity practitioners and society at large, attacks such as Volt Typhoon can pose a huge threat to geopolitical cybersecurity. They are a reminder for everyone to monitor what is going on around the world and to consider the impact of current events on the confidentiality, integrity and availability of all things digital.
This article is republished from The Conversation, a non-profit, independent news organization that brings you facts and analysis to help you make sense of our complex world.
Written by: Richard Forno, University of Maryland, Baltimore County.
Richard Forno has received cybersecurity-related research funding from the National Science Foundation (NSF) and the Department of Defense (DOD) throughout his academic career.