Volt Typhoon Ramps Up Malicious Activity Against Critical Infrastructure

Published: 23/11/2024   Category: security

The Chinese state-sponsored APT has compromised as many as 30% of Cisco legacy routers on a SOHO botnet that multiple threat groups use.



China-backed cyber espionage group Volt Typhoon is systematically targeting legacy Cisco devices in a sophisticated and stealthy campaign to grow its attack infrastructure.
In many instances, the threat actor, known for targeting critical infrastructure, is exploiting a couple of vulnerabilities from 2019 in routers to break into target devices and take control of them.
Researchers from SecurityScorecard's threat intelligence team spotted the activity while doing follow-up investigations on recent vendor and media reports about Volt Typhoon breaking into US critical infrastructure organizations and laying the ground for potential future disruptions. The attacks have targeted water utilities, power suppliers, transportation, and communications systems. The group's victims have included organizations in the US, UK, and Australia.
One of the vendor reports, from Lumen, described a botnet comprised of small office/home office (SOHO) routers that Volt Typhoon — and other Chinese threat groups — is using as a command-and-control (C2) network in attacks against high-value networks. The network that Lumen described in the report consists mainly of end-of-life routers from Cisco, DrayTek, and, to a smaller extent, Netgear.
SecurityScorecard researchers used the indicators of compromise (IoCs) that Lumen released with its report to see if they could identify new infrastructure associated with Volt Typhoon's campaign. The investigation showed the threat group's activity may be more extensive than previously thought, says Rob Ames, staff threat researcher at SecurityScorecard.
For example, Volt Typhoon appears to have been responsible for compromising as much as 30% — or 325 of 1,116 — of the end-of-life Cisco RV320/325 routers that SecurityScorecard observed on the C2 botnet over a 37-day period. The security vendor's researchers observed regular connections between the compromised Cisco devices and known Volt Typhoon infrastructure between Dec. 1, 2023 and Jan. 7, 2024, suggesting a very active operation.
SecurityScorecard's digging also showed Volt Typhoon deploying fy.sh, a hitherto unknown Web shell, on the Cisco routers and other network edge devices that the group is currently targeting. In addition, SecurityScorecard was able to identify multiple new IP addresses that appeared linked to Volt Typhoon activity.
"SecurityScorecard used previously circulated IoCs linked to Volt Typhoon to identify the newly compromised devices we observed, the previously unspecified webshell (fy.sh), and the other IP addresses that may represent new IoCs," Ames says.
Volt Typhoon is a threat group that the US Cybersecurity and Infrastructure Security Agency (CISA) has identified as a state-sponsored Chinese threat actor targeting US critical infrastructure sectors. Microsoft, the first to report on the group back in May 2023, has described it as being active since at least May 2021, being based in China, and conducting large-scale cyber espionage using a slew of living-off-the-land techniques. The company has assessed the group as developing capabilities to disrupt critical communications capabilities between the US and Asia during potential future conflicts.
Ames says Volt Typhoon's use of compromised routers for data transfers is one indication of the group's commitment to stealth.
"The group often routes its traffic through these devices in order to avoid geographically based detection when targeting organizations in the same area as the compromised routers," he says. "These organizations may be less likely to notice malicious activity if the traffic involved appears to originate from the area in which the organization is based."
Volt Typhoon's targeting of end-of-life devices also makes a lot of sense from the attacker's perspective, Ames says. There are some 35 known critical vulnerabilities with a severity rating of at least 9 out of 10 on the CVSS scale — including two in CISA's Known Exploited Vulnerabilities catalog — associated with the Cisco RV320 routers that Volt Typhoon has been targeting. Cisco stopped issuing any bug fixes, maintenance releases, and repairs for the technology three years ago, in January 2021. In addition to the Cisco devices, the Volt Typhoon-linked botnet also includes compromised legacy DrayTek Vigor and Netgear ProSafe routers.
"From the perspective of the devices themselves, they're low-hanging fruit," Ames says. "Since end-of-life means that the devices' producers will no longer issue updates for them, vulnerabilities affecting them are likely to go unaddressed, leaving the devices susceptible to compromise."
Callie Guenther, senior manager of cyber threat research at Critical Start, says Volt Typhoon's strategic targeting of end-of-life Cisco routers, its development of custom tools like fy.sh, and its geographical and sectoral targeting suggest a highly sophisticated operation.
"Focusing on legacy systems is not a common tactic among threat actors, primarily because it requires specific knowledge about older systems and their vulnerabilities, which might not be widely known or documented," Guenther says. "However, it is a growing trend, especially among state-sponsored actors who have the resources and motivation to conduct extensive reconnaissance and develop tailored exploits."
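The detection weakness Ames describes, traffic relayed through a compromised SOHO router in the target's own region slipping past geography-based rules, can be illustrated on the defender's side. The following is an added example (not from the article, SecurityScorecard or Lumen) that scores constructed firewall log lines two ways: a naive geo-only rule and one that also considers the source network's type and the destination port; every IP, region, ASN class and log line in it is made up.

```python
# Added defender-side example, not from the article or SecurityScorecard.
# Volt Typhoon relays traffic through compromised SOHO routers in the target's
# own region, so a rule that trusts "local" sources misses it. Enriching the
# source with its network type (consumer broadband vs. business/hosting) and
# weighing the destination's sensitivity surfaces those sessions.
# All IPs, regions, ports and log lines below are constructed.

ORG_REGION = "us-east"
ADMIN_PORTS = {22, 443, 8443}  # VPN / admin-console listeners (constructed)

# Constructed stand-in for a GeoIP/ASN feed: ip -> (region, network type).
ENRICHMENT = {
    "203.0.113.10": ("us-east", "business"),
    "198.51.100.77": ("us-east", "consumer_broadband"),  # SOHO-router profile
    "192.0.2.200": ("eu-west", "hosting"),
}

def parse_log(line):
    """Parse a constructed 'src=... dport=... user=...' firewall line."""
    f = dict(kv.split("=", 1) for kv in line.split())
    return {"src": f["src"], "dport": int(f["dport"]), "user": f["user"]}

def enrich(ip):
    return ENRICHMENT.get(ip, ("unknown", "unknown"))

def geo_only_alert(ev):
    """Naive rule: only sources outside the organisation's region are suspicious."""
    region, _ = enrich(ev["src"])
    return region != ORG_REGION

def geo_plus_network_alert(ev):
    """Also flag in-region consumer-broadband sources hitting admin/VPN ports,
    which is what a relay through a compromised home router looks like."""
    region, net_type = enrich(ev["src"])
    if region != ORG_REGION:
        return True
    return net_type == "consumer_broadband" and ev["dport"] in ADMIN_PORTS

SAMPLE_LOGS = [  # constructed
    "src=203.0.113.10 dport=443 user=jdoe",
    "src=198.51.100.77 dport=8443 user=admin",
    "src=192.0.2.200 dport=443 user=svc",
]

def evaluate(logs=SAMPLE_LOGS):
    """Return the source IPs each rule flags; the relay case only shows in the second."""
    events = [parse_log(l) for l in logs]
    return {
        "geo_only": [e["src"] for e in events if geo_only_alert(e)],
        "geo_plus_network": [e["src"] for e in events if geo_plus_network_alert(e)],
    }
```

The in-region consumer-broadband session to port 8443 is exactly the one the geo-only rule lets through.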
As examples, she points to multiple threat actors targeting the so-called Ripple20 vulnerabilities in a TCP/IP stack that affected millions of legacy IoT devices, as well as Chinese and Iranian threat groups targeting flaws in older VPN products.
