SecurityScorecard researchers have uncovered an aggressive new campaign by the Chinese state-sponsored threat actor Volt Typhoon, marking a significant escalation in cyber threats targeting network infrastructure. Following the disruption of their KV botnet in late 2023, the group has strategically pivoted to rebuilding their malicious network by exploiting vulnerable enterprise-grade routers.
Unprecedented Scale of Router Compromises
The investigation reveals a concerning pattern of systematic exploitation targeting legacy network devices. Within just 37 days, the threat actors successfully compromised approximately 30% of all internet-exposed Cisco RV320/325 routers, demonstrating both their operational efficiency and the widespread vulnerability of outdated network equipment. The campaign specifically focuses on Cisco RV320/325 and Netgear ProSafe series routers, leveraging their known security weaknesses.
Advanced Technical Infrastructure and Evasion Techniques
The reconstructed botnet, codenamed JDYFJ by SecurityScorecard, employs sophisticated operational security measures to maintain persistence and evade detection. A particularly notable aspect of their infrastructure includes a compromised VPN device in New Caledonia, serving as a covert transit node between Asia-Pacific and American operations. The attackers utilize custom MIPS-based malware and deploy web shells on non-standard ports, significantly complicating detection efforts.
Critical Security Measures for Network Protection
Organizations must implement comprehensive security measures to protect against this evolving threat:
– Immediate replacement of end-of-life router models with current, supported devices
– Implementation of regular firmware update protocols
– Deployment of next-generation firewalls for network segmentation
– Disabling external management interface exposure
– Enforcement of strong authentication policies
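One way to turn the exposure control above, together with the article's note about web shells on non-standard ports, into a concrete check is to audit firewall accept logs for sessions that reach edge routers from untrusted sources. This is an added example, not SecurityScorecard's tooling or anything from the report; the log format, addresses, router inventory and trusted-admin set are all constructed.

```python
import re
from collections import defaultdict

# Constructed sample of firewall ACCEPT log lines (hypothetical format):
# <timestamp> ACCEPT <src> -> <dst>:<dport>
SAMPLE_LOG = """\
2024-11-01T10:00:01Z ACCEPT 198.51.100.7 -> 203.0.113.10:443
2024-11-01T10:00:05Z ACCEPT 10.20.0.5 -> 203.0.113.10:443
2024-11-01T10:01:12Z ACCEPT 198.51.100.7 -> 203.0.113.10:8443
2024-11-01T10:02:30Z ACCEPT 192.0.2.44 -> 203.0.113.11:22
2024-11-01T10:03:00Z ACCEPT 192.0.2.44 -> 203.0.113.11:49152
2024-11-01T10:03:02Z ACCEPT 10.20.0.9 -> 203.0.113.12:80
"""

# Hypothetical inventory: WAN address -> (model, ports the device is
# expected to serve to the internet). Empty set = nothing should be reachable.
EDGE_DEVICES = {
    "203.0.113.10": ("Cisco RV320", set()),
    "203.0.113.11": ("Netgear ProSafe", set()),
    "203.0.113.12": ("Cisco RV325", set()),
}
MGMT_PORTS = {22, 80, 443, 8080, 8443}        # typical admin interfaces
TRUSTED_SOURCES = {"10.20.0.5", "10.20.0.9"}  # hypothetical internal admin hosts

LINE_RE = re.compile(r"^(\S+) ACCEPT (\S+) -> (\S+):(\d+)$")


def audit_edge_exposure(log_text):
    """Return {router_ip: [finding, ...]} for accepted sessions that reach an
    edge router from a source outside the trusted admin set."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the expected format
        ts, src, dst, port = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if dst not in EDGE_DEVICES or src in TRUSTED_SOURCES:
            continue
        model, expected_ports = EDGE_DEVICES[dst]
        if port in expected_ports:
            continue
        if port in MGMT_PORTS:
            kind = "exposed management interface"
        else:
            kind = "unexpected non-standard port (consistent with a web shell listener)"
        findings[dst].append(f"{ts} {model}: {src} reached port {port}: {kind}")
    return dict(findings)
```

Every finding is a device that either still exposes management to the internet or is accepting traffic on a port it has no business serving, which is the prioritized replacement and lockdown list the controls above call for.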
The rapid expansion of this reconstituted botnet infrastructure represents a clear and present danger to organizational security, particularly for entities still operating legacy network equipment. The sophisticated nature of Volt Typhoon’s operations, combined with their focus on critical infrastructure targets, underscores the urgent need for proactive security measures. Organizations must prioritize infrastructure modernization and implement robust security controls to effectively mitigate these emerging threats.