China-Backed Volt Typhoon Hackers Suspected of Targeting Australian and UK Government Entities

In a recent revelation, cybersecurity firm SecurityScorecard has identified a new wave of cyber attacks conducted by Chinese state-sponsored hackers targeting government entities in the United States, the United Kingdom, and Australia. The adversaries, believed to be linked to the advanced persistent threat (APT) actor Volt Typhoon, are exploiting old vulnerabilities in Cisco routers, specifically focusing on critical-severity bugs CVE-2019-1653 and CVE-2019-1652.

The targeted vulnerabilities are found in discontinued Cisco small business RV320/325 VPN routers, which have been previously exploited by Chinese hackers and are featured in the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog.

According to SecurityScorecard’s findings, Volt Typhoon has likely compromised a significant portion of the vulnerable devices, with one-third of the observed devices connecting to two IP addresses serving as proxy routers for command-and-control (C&C) communication. This suggests the formation of a Volt Typhoon-linked botnet comprising compromised devices.

Over a 37-day period, SecurityScorecard tracked 325 out of 1,116 devices connecting to the identified IP addresses, raising concerns about the potential scale of the cyber threat. The APT actor is known for targeting small office and home office (SOHO) routers, including those from Cisco and DrayTek, as well as other edge devices like Netgear firewalls and Axis IP cameras, using them for covert data transfers.

By leveraging indicators of compromise (IoCs) from a recent Black Lotus Labs report on Volt Typhoon, SecurityScorecard identified a shift in infrastructure usage between late November 2023 and early January 2024. The cybersecurity firm also discovered a new shell file that infected devices fetched and executed during the observed attacks.

In an extensive technical analysis, SecurityScorecard identified two additional IP addresses associated with previously detailed Volt Typhoon-linked C&C infrastructure. The analysis suggested that a compromised Cisco RV325 router in New Caledonia served as a transit point for Volt Typhoon-related traffic, potentially positioning the APT for global communications targeting.

SecurityScorecard speculates that Volt Typhoon’s historical focus on communications between the Asia-Pacific (APAC) region and the Americas aligns with its exploitation of telecommunications infrastructure on Pacific islands. The cybersecurity firm notes that Volt Typhoon’s intrusions into the networks of telecommunications providers and other critical infrastructure in Guam have attracted attention in previous reporting.

Further examination of the traffic between known Volt Typhoon infrastructure and likely compromised devices led SecurityScorecard to conclude that the APT may operate a much more extensive botnet than previously believed. The analysis revealed connections to the group’s infrastructure from 27 IP addresses hosting 69 government sites in the United States, the United Kingdom, Australia, and India, indicating an expanded targeting scope from Volt Typhoon.

While public reporting on Volt Typhoon had not previously highlighted its targeting of Australian or UK government assets in addition to U.S. ones, SecurityScorecard suggests that such activity aligns with the broader pattern of China-linked APT groups targeting countries involved in the Western alliance system, including those in the Five Eyes and AUKUS alliances.

As the cybersecurity landscape continues to evolve, this latest revelation underscores the persistent and sophisticated nature of state-sponsored cyber threats, highlighting the need for ongoing vigilance and proactive cybersecurity measures to safeguard critical infrastructure and sensitive information.