Source: NicoElNino via Shutterstock
China-backed cyber espionage group Volt Typhoon is systematically targeting legacy Cisco devices in a sophisticated and stealthy campaign to grow its attack infrastructure.
In many instances, the threat actor, known for targeting critical infrastructure, is exploiting a couple of vulnerabilities from 2019 in routers, to break into target devices and take control of them.
Targeting US Critical Infrastructure Sectors
Researchers from SecurityScorecard's threat intelligence team spotted the activity when doing some follow-up investigations on recent vendor and media reports about Volt Typhoon breaking into US critical infrastructure organizations and laying the ground for potential future disruptions. The attacks have targeted water utilities, power suppliers, transportation, and communications systems. The group's victims have included organizations in the US, UK, and Australia.
One of the vendor reports, from Lumen, described a botnet comprised of small office/home office (SOHO) routers that Volt Typhoon — and other Chinese threat groups — is using as a command-and-control (C2) network in attacks against high-value networks. The network that Lumen described in the report consists mainly of end-of-life routers from Cisco, DrayTek, and, to a smaller extent, Netgear.
SecurityScorecard researchers used the indicators of compromise (IoCs) that Lumen released with its report to see if they could identify new infrastructure associated with Volt Typhoon's campaign. The investigation showed the threat group's activity may be more extensive than previously thought, says Rob Ames, staff threat researcher at SecurityScorecard.
For example, Volt Typhoon appears to have been responsible for compromising as much as 30% — or 325 of 1,116 — of end-of-life Cisco RV320/325 routers that SecurityScorecard observed on the C2 botnet over a 37-day period. The security vendor's researchers observed regular connections between the compromised Cisco devices and known Volt Typhoon infrastructure between Dec. 1, 2023 and Jan. 7, 2024, suggesting a very active operation.
SecurityScorecard's digging also showed Volt Typhoon deploying "fy.sh", a hitherto unknown Web shell on the Cisco routers and other network edge devices that the group is currently targeting. In addition, SecurityScorecard was able to identify multiple new IP addresses that appeared linked to Volt Typhoon activity.
"SecurityScorecard used previously circulated IoCs linked to Volt Typhoon to identify the newly compromised devices we observed, the previously unspecified webshell (fy.sh), and the other IP addresses that may represent new IoCs," Ames says.
Living-off-the-Land Cyberattacks
Volt Typhoon is a threat group that the US Cybersecurity and Infrastructure Agency (CISA) has identified as a state-sponsored Chinese threat actor targeting US critical infrastructure sectors. Microsoft, the first to report on the group back in May 2023, has described it as being active since at least May 2021, being based in China, and conducting large-scale cyber espionage using a slew of living-off-the-land techniques. The company has assessed the group as developing capabilities to disrupt critical communications capabilities between the US and Asia during potential future conflicts.
Ames says Volt Typhoon's use of compromised routers for data transfers is one indication of the group's commitment to stealth.
"The group often routes its traffic through these devices in order to avoid geographically based detection when targeting organizations in the same area as the compromised routers," he says. "These organizations may be less likely to notice malicious activity if the traffic involved appears to originate from the area in which the organization is based."
Cyber-Targeting of Vulnerable End-of-Life Gear
Volt Typhoon's targeting of end-of-life devices also makes a lot of sense from the attacker's perspective, Ames says. There are some 35 known critical vulnerabilities with a severity rating of at least 9 out of 10 on the CVSS scale — including two in CISA's Known Exploited Vulnerabilities catalog — associated with the Cisco RV320 routers that Volt Typhoon has been targeting. Cisco stopped issuing any bug fixes, maintenance releases, and repairs for the technology three years ago, in January 2021. In addition to the Cisco devices, the Volt Typhoon-linked botnet also includes compromised legacy DrayTek Vigor and Netgear ProSafe routers.
"From the perspective of the devices themselves, they’re low-hanging fruit," Ames says. "Since 'end-of-life' means that the devices' producers will no longer issue updates for them, vulnerabilities affecting them are likely to go unaddressed, leaving the devices susceptible to compromise."
Callie Guenther, senior manager of cyber threat research at Critical Start, says Volt Typhoon's strategic targeting of end-of-life Cisco routers, its development of custom tools like fy.sh, and its geographical and sectoral targeting suggest a highly sophisticated operation.
"Focusing on legacy systems is not a common tactic among threat actors, primarily because it requires specific knowledge about older systems and their vulnerabilities, which might not be widely known or documented," Guenther says. "However, it is a growing trend, especially among state-sponsored actors who have the resources and motivation to conduct extensive reconnaissance and develop tailored exploits."
As examples, she points to multiple threat actors targeting the so-called Ripple20 vulnerabilities in a TCP/IP stack that affected millions of legacy IoT devices, as well as Chinese and Iranian threat groups targeting flaws in older VPN products.