Threat Intelligence

FBI sting targeted dangerous Volt Typhoon botnet, report claims

The homepage of the FBI.

Alarm over the danger Chinese threat actor Volt Typhoon poses to critical U.S. infrastructure appears to have been addressed at the highest level, with Reuters reporting the White House authorized the FBI to take down a sophisticated botnet run by the cyberespionage group.

In May last year, federal agencies and private sector researchers accused Volt Typhoon of orchestrating a major campaign aimed at compromising a wide range of critical infrastructure installations.

They said the advanced persistent threat (APT) group infiltrated facilities across a broad swathe of sectors, including government, defense, communications, IT and utilities.

To stealthily transfer data and minimize its chances of being detected, Volt Typhoon deployed a sophisticated botnet comprised of unsecured home and small business routers.

One of the botnet’s targets was a critical infrastructure organization in the U.S. territory of Guam. With tensions between China and the U.S. rising over the future of nearby Taiwan, there were fears a cyberattack on the Guam facility could be used to disrupt U.S. military capabilities in the South China Sea.

Why the FBI may have gone after an APT’s botnet

In a Jan. 29 report, Reuters said a series of meetings were held between the White House and technology industry representatives — including several telecommunications and cloud commuting companies — at which the government asked for help tracking Volt Typhoon’s activities.

Citing unnamed people familiar with the matter, including Western security officials, Reuters said the Justice Department and FBI sought and were granted legal authorization to take down the Volt Typhoon botnet.

Reuters said it approached the Justice Department and the FBI, both of which declined to comment.

While the news agency did not provide any details of the botnet-targeting operation, or its outcome, the FBI has previously had success taking down a high-profile botnet run by a criminal gang.

Last year the Bureau headed a multinational law enforcement operation that dismantled the long-established and successful Qakbot botnet, described as the criminal world’s “botnet of choice.”

After gaining access to the Qakbot infrastructure during the operation, the FBI identified over 700,000 computers worldwide, including more than 200,000 in the U.S., that were infected with the botnet malware.

By redirecting botnet traffic to servers it controlled, the agency was able to download a file onto the compromised machines that, when executed, uninstall the Qakbot malware that tethered the computers to the botnet.

Volt Typhoon’s evolving threat

The White House’s reported authorization of the operation to take down the Volt Typhoon botnet follows the Biden administration becoming increasingly concerned about cybercrime and cyberespionage.

It also follows new concerns being raised in recent weeks about Volt Typhoon’s ongoing activities.

According to a report by SecurityScorecard published this month, the threat actor has been attacking government institutions in the U.S., Australia, India, and the UK by leveraging a pair of critical vulnerabilities in end-of-life Cisco small business RV320/325 VPN routers.

SecurityScorecard said approximately 30% of the vulnerable Cisco devices it observed over a 37-day period may have been compromised by the APT group.

Simon Hendery

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds