Volt Typhoon Takedown: FBI Successfully Combats Chinese Cyberattacks on Critical Infrastructure, But Cyber Warfare Is Far From Over

By CHHS Extern Dominique Mendez

Americans rely on critical infrastructure entities such as telecommunications, transportation, energy, water, and wastewater systems. However, these sectors face the constant threat of undetectable cyberattacks capable of causing power outages and communications failures. In May 2023, the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigations (FBI) disclosed that “Volt Typhoon,” a People’s Republic of China (PRC) state-sponsored cyber actor, infiltrated the telecommunications, transportation, energy, water, and wastewater sectors using “KV Botnet malware” and remained undetectable in some networks for at least five years. Volt Typhoon targeted Cisco and NetGear routers that are no longer supported by their manufacturer’s security patches or software updates to fix vulnerabilities. The hackers gained access to Operational Technology (OT) and Informational Technology (IT) networks to exfiltrate credentials, ensure access to accounts, and maintain persistence on the network.

One technique Volt Typhoon relied on to infiltrate U.S. critical infrastructure is known as “Living Off The Land” (LOTL). LOTL utilizes built-in network administration tools to infiltrate victim organizations and hide malicious cyber activities from detection by blending Volt Typhoon’s commands with normal Windows systems and network activities. In one instance, the KV Botnet malware that Volt Typhoon transmitted encrypted traffic between infected routers to fabricate the hacker’s location and make it appear as if the hackers were operating directly from the infected router in the U.S. Furthermore, the malware downloaded a virtual private network (VPN) to some infected routers, creating a direct communication channel between the hackers and the victim’s network. The VPN served as an obfuscation technique, enabling hackers to connect to any router as an intermediate computer. This facilitated the hackers’ operational goals of gathering information about the target entity’s network architecture and operational protocols. For example, the hackers obtained initial access to an entity in the Water and Wastewater Systems sector by connecting to the network via a VPN with administrator credentials and preformed discovery, collection, and exfiltration of data. In this case, Volt Typhoon had access to water treatment plans, water wells, electrical substations, OT Systems, and network security systems. Once Volt Typhoon gains access to OT systems, the hackers can disrupt energy and water controls, access camera surveillance systems, cause failures in telecommunication and transportation systems, and manipulate heating, ventilation, and air cooling (HVAC) systems in server rooms. With full access to critical infrastructure OT networks, Volt Typhoon had the opportunity to disrupt critical infrastructure functions in the event of geopolitical tensions and/or military conflict in the Asia-Pacific region.

Fortunately, the FBI dismantled KV Botnet malware from infected routers nationwide. The FBI conducted a criminal investigation into Volt Typhoon’s violation of the Computer Frauds and Abuse Act, 18 U.S.C. § 1030(a)(5), where the hackers knowingly accessed a protected computer without authorization and caused the transmission of a program, information, code, or command, intentionally damaging the protected computer. On December 20, 2023, a U.S. magistrate judge granted a search warrant permitting the FBI to remotely access and search U.S.-based compromised routers and seize KV Botnet malware from each router. The FBI utilized the Botnet’s own communication protocols and simultaneously issued commands to each infected router, interfering with the hackers’ controls, halting the Botnet’s VPN process, and effectively deleting the malware on infected devices. The U.S. government has not made any arrests or issued indictments. However, FBI Director, Christopher Wray, emphasized concerns regarding the PRC’s hacking abilities at the Munich Cyber Security Conference last month:

“the Chinese government [] has continued to attack the economic security, national security, and sovereignty of rule-of-law nations worldwide. The cyber threat posed by the Chinese government is massive [and] is made even more harmful by the way the Chinese government combines cyber means with traditional espionage and economic espionage, foreign malign influence, election interference, and transnational repression. In other words, [China] is throwing its whole government at undermining the security of the rule-of-law world. It’s hitting us indiscriminately. Today, China’s increasing buildout of offensive weapons within our critical infrastructure, is poised to attack whenever Beijing decides the time is right.”

Although the FBI successfully discontinued Volt Typhoon’s operations, critical infrastructure sectors must continue taking steps to mitigate impending cyberattacks. CISA and the NSA released detailed recommendations to detect hackers on IT networks. CISA suggests critical infrastructure sectors should implement the following baseline protections:

  • Hardening Volt Typhoon’s Attack Surfaces:
    • Apply patches for internet-facing systems and prioritize patching critical vulnerabilities in appliances known to be frequently exploited by Volt Typhoon (i.e. routers reaching end-of-life status).
    • Use third-party assessments to validate current system network security compliance.
    • Limit internet exposure of systems when necessary.
    • Maintain and regularly update inventory of all organizational IT assets.
  • Reinforcing Security Measures for Credentials and Accounts:
    • Implement phishing-resistant multifactor authentication (MFA) and roll NTLM hashes of accounts that support token-based authentication.
    • Separate user and privileged accounts, consider using privileged access management (PAM) solution with role-based access control (RBAC).
    • Regularly audit all user, admin, and service accounts.
    • Use CISA’s SCuBAGear tool to discover cloud misconfigurations.
  • Securing Remote Access Services:
    • Disable server message block (SMB) protocol version 1 and upgrade to version 3 (SMBv3).
  • Implementing Routine Preventative Measures:
    • Ensure logging is turned on for application, access, and security logs and store longs in a central system.
    • Store logs in a central system which can only be accessed or modified by authorized, authenticated users.
    • Establish and continuously maintain a baseline of installed tools, software, account behavior, and network traffic.
    • Document a list of threats and cyber actors’ primary tactics, techniques, and procedures (TTP) relevant to your sector.
    • Implement periodic security training for all employees and contractors.

U.S. critical infrastructure remains vulnerable to cyberattacks. CISA’s recommendations can reduce prevailing cyber threats to infrastructure sectors and help disrupt Volt Typhoon and other malicious cyber actors from accessing critical infrastructure technologies. Cyberwarfare is just beginning. The U.S. and its allies must prepare for a rise in cyberattacks originating from authoritarian states such as the PRC, Iran, Russia, and North Korea.