Chinese state-sponsored hacking group Volt Typhoon has begun reconstructing its malware botnet network, just months after the FBI's successful takedown operation in January 2024.
The group, known for targeting critical infrastructure in the United States, is once again compromising outdated Cisco and Netgear routers to rebuild its network capabilities, according to new research from SecurityScorecard.
SecurityScorecard's threat research team observed that within just 37 days, Volt Typhoon managed to compromise approximately 30% of visible Cisco RV320/325 routers, primarily targeting devices in Asia. The hackers are specifically focusing on end-of-life network equipment that no longer receives security updates from manufacturers.
The FBI's January operation had dismantled Volt Typhoon's "KV botnet," which had infected hundreds of routers and was being used to probe US critical infrastructure sites, including facilities in Guam. The targeting of Guam raised particular concerns given rising tensions between China and the United States over Taiwan.
While the reconstructed botnet remains smaller than its predecessor, security researchers note that Volt Typhoon has become more sophisticated in its approach. The group continues to employ stealthy "living-off-the-land" techniques that allow them to maintain long-term unauthorized access to compromised networks.
Recent intelligence from the Five Eyes alliance suggests that Volt Typhoon may have maintained access to some critical infrastructure providers' networks for up to five years. British security firm Sophos has also reported ongoing conflicts with the group, along with other Chinese state-sponsored actors, dating back five years.
The resurgence of Volt Typhoon's botnet activities highlights the persistent nature of state-sponsored cyber threats and the challenges in permanently disrupting their operations. While the FBI declined to comment on the group's reported comeback, the development raises fresh concerns about the security of aging network infrastructure and its vulnerability to exploitation by advanced threat actors.