Global Cybersecurity Agencies Warn of Shift in Chinese Hacker Tactics
A coalition of U.S. and international cybersecurity agencies including the U.K.’s National Cyber Security Centre (NCSC), CISA, the NSA, FBI, and counterparts from Australia, Canada, Germany, the Netherlands, New Zealand, Japan, Spain, and Sweden issued a joint advisory on Thursday highlighting a significant evolution in Chinese state-sponsored cyber operations.
The warning details a "widespread shift" in tactics, with Chinese hackers increasingly relying on large-scale, covert networks of compromised devices to conduct attacks. These networks, often built from hijacked Small Office/Home Office (SOHO) routers, IoT devices, and smart hardware, allow threat actors to obscure their origins, reduce costs, and evade attribution. Evidence suggests Chinese information security firms play a role in creating and maintaining these infrastructures.
The networks are used for a range of malicious activities, including reconnaissance, malware deployment, and data exfiltration. Notable examples include the Volt Typhoon group’s targeting of U.S. critical infrastructure and Flax Typhoon’s cyber espionage campaigns. One such network, Raptor Train, infected over 200,000 devices globally, demonstrating the scale and persistence of these operations.
NCSC CEO Richard Horne described China’s cyber capabilities as "eye-watering" in sophistication, with multiple covert networks in constant development. While defending against them is complex, the advisory recommends proactive measures such as threat hunting, network mapping, and the use of blocklists to mitigate the risk.
CISA Acting Director Nick Andersen emphasized the strategic nature of these networks, warning that Chinese state-sponsored actors are leveraging them at scale to threaten critical infrastructure. The advisory underscores the need for heightened vigilance as these tactics continue to evolve.
Source: https://cyberscoop.com/china-nexus-covert-networks-advisory/
National Counterintelligence and Security Center cybersecurity rating report: https://www.rankiteo.com/company/national-counterintelligence-and-security-center
{
  "id": "NAT1776968748",
  "linkid": "national-counterintelligence-and-security-center",
  "type": "Cyber Attack",
  "date": "1/2023",
  "severity": "100",
  "impact": "6",
  "explanation": "Attack threatening the economy of geographical region"
}
{'affected_entities': [{'location': 'United States',
                        'name': 'U.S. critical infrastructure',
                        'type': 'critical infrastructure'},
                       {'location': 'Global',
                        'name': 'Global compromised devices',
                        'size': '200,000+ devices',
                        'type': 'devices'}],
 'attack_vector': ['compromised SOHO routers', 'IoT devices', 'smart hardware'],
 'data_breach': {'data_exfiltration': 'Yes'},
 'description': 'A coalition of U.S. and international cybersecurity agencies issued a joint advisory highlighting a significant evolution in Chinese state-sponsored cyber operations, detailing a widespread shift in tactics with hackers increasingly relying on large-scale, covert networks of compromised devices to conduct attacks. These networks are used for reconnaissance, malware deployment, and data exfiltration, including targeting critical infrastructure.',
 'impact': {'systems_affected': ['critical infrastructure', 'compromised devices']},
 'lessons_learned': 'Chinese state-sponsored cyber operations are evolving in sophistication, leveraging large-scale compromised device networks to evade attribution and conduct malicious activities. Proactive measures like threat hunting and network mapping are critical for mitigation.',
 'motivation': ['cyber espionage', 'critical infrastructure disruption'],
 'post_incident_analysis': {'corrective_actions': ['threat hunting', 'network mapping', 'blocklists'],
                            'root_causes': ['compromised SOHO routers and IoT devices',
                                            'covert networks for evasion']},
 'recommendations': ['threat hunting', 'network mapping', 'use of blocklists'],
 'references': [{'source': 'Joint advisory by NCSC, CISA, NSA, FBI, and international agencies'}],
 'response': {'containment_measures': ['threat hunting', 'network mapping', 'blocklists']},
 'stakeholder_advisories': 'Heightened vigilance and proactive cybersecurity measures are recommended due to the evolving tactics of Chinese state-sponsored actors.',
 'threat_actor': ['Volt Typhoon', 'Flax Typhoon', 'Chinese state-sponsored actors'],
 'title': 'Global Cybersecurity Agencies Warn of Shift in Chinese Hacker Tactics',
 'type': ['cyber espionage', 'malware deployment', 'data exfiltration']}