What is a Volt Typhoon?

About Volt Typhoon

• It is a state-sponsored hacking group based in China that has been active since at least 2021. 
• The group typically focuses on espionage and information gathering. 
• It has targeted critical infrastructure organizations in the US, including Guam. 
• To achieve their objective, the threat actor puts strong emphasis on stealth, relying almost exclusively on living-off-the-land techniques and hands-on-keyboard activity. 
• The recurring attack pattern of Volt Typhoon begins with initial access via exploitation of public-facing devices or services.
• Volt Typhoon employs the comparatively uncommon practice of leveraging preinstalled utilities for most of their victim interactions.
• Compromised small office/home office (SOHO) devices are used by the attackers to proxy communications to and from the affected networks.
• They issue commands via the command line to (1) collect data, including credentials from local and network systems: (2) put the data into an archive file to stage it for exfiltration: and then (3) use the stolen valid credentials to maintain persistence. 
• Volt Typhoon was a particularly quiet operator that hid its traffic by routing it through hacked network equipment, like home routers, and carefully expunging evidence of intrusions from the victim’s logs.
• This combination of behaviors makes detection especially difficult, as defenders must be able to differentiate between attacker activities and those of power users or administrative staff. 

Q1) What is a router?

A router is a physical or virtual appliance that passes information between two or more packet-switched computer networks. A router inspects a given data packet’s destination IP address, calculates the best way for it to reach its destination and then forwards it accordingly.

Source: FBI shuts down China’s ‘Volt Typhoon’ hackers targeting U.S. infrastructure

‹ ›