Chinese hackers went after US routers—here’s why that’s a big deal

A state-sponsored hacking group from China known as Volt Typhoon hijacked hundreds of small office and home office routers in the US. The FBI shut down the operation in January, but it’s not exactly game over for the group—their schemes have continued to brew in the background. IT Brew spoke with analysts to better understand the impact of these attacks and what that means for infrastructure in the US.

First, the TL;DR. The hackers used privately-owned small office/home office (SOHO) routers infected with the “KV-botnet” malware to further their attacks against US victims as well as victims outside of the US—while hiding their Chinese origins, according to the Department of Justice (DOJ). With these router attacks, Volt Typhoon gave leverage to the PRC by giving them access to critical US infrastructure, something they’ve managed to maintain “within some victim IT environments for at least five years,” US agency CISA also reported.

“Attacking critical infrastructure for civilian use, and only to impact civilians is a doctrinal difference between the rest of the world and the Chinese military,” Dakota Cary, a nonresident fellow at the Atlantic Council’s Global China Hub and China-focused consultant at SentinelOne, told IT Brew.

Most of the routers affected were old or outdated routers produced by Cisco and NetGear, according to the DOJ. Outdated devices are more vulnerable to attacks like this because they’re not eligible for software updates and security patches.

The latest. Anne An, a lead threat intelligence researcher at cybersecurity company Trellix, says the malicious group is still active, with her team seeing around 100 to 160 detections per day. Volt Typhoon, she explained, has a “smaller footprint” compared to other Chinese advanced persistent threat (APT) groups, which may be due to the fact they’ve only been in operation since 2021. “Overall, if I search for APT10, I’m going to get maybe 300,000 detections in one week—so that’s huge,” she said of the contrasting numbers.

She expects the group to slow down even more during Chinese New Year, which begins Feb. 10 this year.

Incognito mode. Volt Typhoon employs certain techniques that make their schemes harder to detect, like “living-off-the-land” (LOTL) techniques, similar to those that North Korean state-sponsored Lazarus Group has used in the past.

“It shows that they’re reaching into this new bracket of what I might call mature operations, where—at least in the West—we typically assign some sort of societal, cultural value to being able to operate in a deniable way,” Cary also said.

“They’re now kind of matching that attitude—at least in their operational structure—where they want to be able to move in a way that is very difficult to detect. That makes attribution very difficult,” he added.

“We know that the US and other western nations target critical infrastructure that foreign militaries depend on—and we consider attacks on infrastructures that impact military operations specifically, to be entirely acceptable, and to not fall foul of Geneva Conventions,” Cary said.

Over the last 15 years, Cary said, intelligence gathering by China has been prolific, adding that they’ve matured their operations in many ways. “I think, if anything, the Volt Typhoon campaign that we’ve been talking about is kind of a new medal on their uniform,” he said.