Critical Infrastructure Security, MSSP

FBI Blocks Chinese Threat Actors Menacing U.S. Critical Infrastructure

Chinese hacker attacks America. China vs USA. East versus West. Information war of two nations.

The Federal Bureau of Investigation (FBI) has shut down the China-sponsored Volt Typhoon threat syndicate that has been prepping attacks on U.S. cyber infrastructure, director Christopher Wray said in remarks at a recent U.S. House of Representatives committee hearing.

“Working with our partners, the FBI ran a court-authorized, on-network operation to shut down Volt Typhoon and the access it enabled,” Wray said.

Secret Operation Targets Volt

The Volt action adds to a number of offensive maneuvers that the FBI and the Department of Justice have undertaken to push back on cyber crime groups, particularly those that have constructed botnets to widen their reach and impact. For example, last September the FBI and international partners dismantled the notorious, prolific Qakbot botnet network and malware.

In the Volt instance, the FBI and the Justice Department have been conducting a months-long secret operation to deconstruct the cyber attackers’ underpinnings. Reuters and other outlets reported that the attacks have led to a “series of meetings” between the White House and private industry, including “several communications” between telecommunications firms and cloud computing companies where U.S. intelligence brass has requested help in tracking Volt’s movements.

“China’s hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities,” Wray said. “If or when China decides the time has come to strike, they’re not focused solely on political or military targets. We can see from where they position themselves, across civilian infrastructure, that low blows aren’t just a possibility in the event of a conflict. Low blows against civilians are part of China’s plan,” he said.

Both agencies received legal authorization to dismantle the Chinese hacking campaign, which is built on a botnet of internet-facing devices and consumer equipment, such as routers and modems, reports said.

According to the Justice Department, the vast majority of the hundreds of privately-owned routers infected with the KV malware used by Volt were privately-owned Cisco and Netgear devices that had reached out-of-life status. Those compromised routers, which were typically set up in small office or home office (SOHO) environments, were no longer supported by either vendor’s security patches or software updates, making them especially vulnerable targets.

U.S. law enforcement deleted the KV Botnet malware from the routers and took "additional steps to sever their connection to the botnet," including blocking communications with other devices used to control the botnet, Justice said. Ahead of launching the operation, the government "extensively tested" it on the relevant Cisco and NetGear routers, the agency said.

The Chinese threat actors have been burrowing into U.S. critical infrastructure facilities, ranging from telecommunications to transportation networks in a widespread espionage campaign, according to Microsoft and Western intelligence allies, which first reported the activity in May, 2023.

Inasmuch as managed security service providers (MSSPs) support infrastructure operators and owners, Volt’s activities should at the least be noted.

The hackers are believed to have expanded their operations to a wider swath of critical infrastructure installations and perhaps to U.S. political activities as well. There is concern in the Biden Administration that Volt and other hacking syndicates will try to disrupt the November 2024 elections and also further zero in on the country’s business community.

Victims Pay $1.3 Million in Ransom Already in '24

Ransomware attacks have regularly hit the public and private sector, with attacks now a regular occurrence. Ransomwhere, an open, crowd-sourced site that tracks ransomware payments, reports that so far this year victims have coughed up roughly $1.3 million.

In May 2023, Microsoft said in a blog post that it is moderately confident that the Volt operatives are seeking to develop capabilities to disrupt critical communications and other vital infrastructure connections between the U.S. and Asia should a cyber crisis break out in the future.

Although Volt is believed to have been active for three years, little is known about their activities and capabilities. Experts believe the group is behind critical infrastructure attacks on multiple industries, including key sectors such as communications, manufacturing, utility, transportation, construction, maritime, government, information technology and education.

Volt’s hacking has stepped up as U.S. security forces have steadily moved to shore up critical infrastructure defenses in response to escalating geopolitical tensions over China's sword-rattling on the sovereignty of Taiwan.

Indeed, Volt’s past targets have included sites in Guam, where the U.S. has a major military presence, Microsoft said in the blog post. The vendor’s security arm believes that the attacks, which appear to be preparatory espionage rather than all out disruptive, are focused mainly on reconnaissance.

Chris Anthony, TeamWorx Security chief executive, said that conflicts throughout the world are giving cyber attackers new attack surfaces.

"The increased attention on the conflict throughout the world, the start of a prominent election year, and tensions rising between the United States and Asian nations, particularly Russia and China due to both active or pending invasions, are providing anti-Western cyber threat actors with new vectors on which to attack," he said.

"The motives of state-sponsored hacking groups tend to revolve around encouraging unrest and chaos, conducting espionage to steal military or political information, or as an act of cyber warfare. Chinese-sponsored actors are likely looking to take a page out of Russia’s book...," Anthony said. "I would not be surprised if they are deploying similar techniques to sneak into networks and systems. They often will go undetected and sit quietly, waiting for the ‘perfect moment’ to strike."

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.