SecurityScorecard researchers revealed that the Chinese-affiliated threat group Volt Typhoon has rebuilt its botnet, which was disrupted by the FBI in January. In response, the U.S. government disclosed an ongoing cyber espionage campaign by China targeting commercial telecommunications infrastructure. The FBI and CISA confirmed that PRC-linked actors have compromised multiple telecom networks to steal customer call data, intercept private communications, and obtain information under U.S. law enforcement requests. Volt Typhoon has been exploiting outdated networking devices, particularly Cisco RV320/325 and Netgear ProSafe routers, as operational relay points. The STRIKE Team found that 30% of visible Cisco RV320/325 routers were compromised within 37 days, forming a covert transfer network to conceal malicious activities. The group’s infrastructure blends seamlessly into normal operations, making detection difficult.
In late 2023, Volt Typhoon launched the JDYFJ botnet, leveraging compromised routers and C2 servers across Europe to evade detection. A key VPN device in New Caledonia functions as a hidden bridge between Asia-Pacific and the Americas, enabling persistent network control. Even after global law enforcement disrupted part of its botnet, Volt Typhoon quickly reestablished new servers.
The attack techniques include MIPS-based malware similar to Mirai, port forwarding over port 8443, and webshells such as fy[dot]sh for persistent access. The group targets critical infrastructure sectors, such as energy, transportation, and water, posing a significant threat to economic stability. Although Volt Typhoon does not deploy ransomware, its tactics resemble those used in Ransomware-as-a-Service (RaaS) models, compounding cyber risk. Moody’s latest cyber heat map reports that the telecommunications, airline, and energy sectors now face extreme cyber threats because of their reliance on digital systems and outdated infrastructure, making them prime targets for state-sponsored attacks.
© 2021 CyberEnsō – Nihon Cyber Defence Co., Ltd. All Rights Reserved.