Chinese Hacking Group Volt Typhoon Lurks in US Infrastructure for Years

According to a joint advisory issued on February 7th by the United States Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI), the Chinese hacking group Volt Typhoon, also known as Bronze Silhouette, Insidious Taurus, UNC3236, Vanguard Panda, or Voltzite, has maintained access to certain networks of the country’s critical infrastructure for no less than five years.

The attackers targeted sectors such as communications, energy, transportation, water supply, and sewer systems in the US and on the island of Guam. Their activities did not align with traditional cyber espionage and data collection goals. With a high degree of confidence, it can be stated that Volt Typhoon was laying the groundwork for potential sabotage operations.

One of Volt Typhoon’s distinctive tactics is the use of proxy servers to conceal their true location. Hackers compromise routers and firewalls in the US and route malicious traffic through them.

The group’s primary goal is to establish a long-term presence in the compromised networks. Over several years, they methodically expand their foothold, periodically stealing credentials so that they keep working access through accounts that are still in use. Additionally, the hackers actively exploit vulnerabilities to elevate privileges and gain complete control over domains.

According to last year’s CrowdStrike report, the Chinese hacking group Volt Typhoon conducts extensive preliminary reconnaissance to study the target organization and its environment. They then tailor their tools and methods to the specific infrastructure of the victim and dedicate significant resources to maintaining a covert presence.

It is noteworthy that the group focuses on a narrow range of targets but prepares and conducts its attacks meticulously. This methodical approach is confirmed by numerous instances of the same organizations being compromised again to expand unauthorized access.

In addition to stolen credentials, Volt Typhoon actively employs Living off the Land (LotL) techniques, relying on tools already present on the target systems and so leaving no obvious traces of their presence. This further complicates their detection.

The United Kingdom’s National Cyber Security Centre emphasized that such methods allow the attackers to operate covertly, disguising their activity as legitimate behavior of systems and networks. Under these conditions, they are very difficult to detect even for organizations with an advanced level of cybersecurity maturity.