Last month, the US government revealed that they had disrupted a cyber-spying operation by a Chinese state-sponsored cyber group called Volt Typhoon. The group has been active since 2021, and whilst there wasn’t a direct attack, it had installed malicious software that could be used against the US in a future geopolitical crisis.

What is Volt Typhoon?

The hacking group focuses on espionage and information gathering for the Chinese government. Over the last few years they have compromised thousands of internet-connected devices to create botnets that could be deployed to launch attacks on national infrastructure, including telecommunications networks and transport hubs.

How does the malware work?

Volt Typhoon was able to exploit vulnerabilities in small and end-of-life routers, firewalls and virtual private networks (VPNs), either by using stolen credentials or by taking advantage of outdated devices whose security hadn’t been updated. The aim of the malware was not to cause problems immediately, but rather to remain undetected in US digital infrastructure so that it could be deployed as necessary at a later date. As a result, it used “living off the land” techniques, meaning it relied only on tools and resources already present in the target’s operating system rather than introducing a new, potentially discoverable file.

Why would Volt Typhoon launch this operation?

Whilst it’s not unusual for countries to use hackers to gather intelligence about potential threats, this activity more closely resembles preparation for state sabotage. Given the recent political tensions between the US and China over Taiwan, Microsoft – which shared its concerns about Volt Typhoon in May 2023 – has ‘moderate confidence’ that the group could have been planning to sabotage US infrastructure in the event of direct conflict over Taiwan.

What does this mean for businesses?

This particular hacking group has, to date, only targeted US infrastructure; however, it’s a lesson for businesses everywhere that cybercriminals can – and will – take advantage of vulnerabilities in networks and security systems. As a result, it’s crucial to keep all software updated, to monitor your networks continuously for unusual activity, and to train staff to be wary of situations and social engineering techniques that hackers might use to access confidential information.
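The “living off the land” point above and the advice to monitor continuously for unusual activity come together in one practical question: how do you spot an intruder who only runs tools that are already on the box? The script below is an added example written for this article, not code from the page or from any Volt Typhoon advisory. It applies two common defensive heuristics to process-creation telemetry: a built-in administration tool launched by a parent process that would not normally launch it, and a burst of several distinct built-in tools on one host within a short window. The log format, the list of built-in tools, the expected parents, the thresholds and the sample events are all assumptions constructed for the example and would need tuning to a real estate.

```python
"""Flag possible living-off-the-land activity in process-creation logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in Windows tools that administrators use legitimately but that intruders
# also favour because no new file has to be dropped. Assumption: tune per estate.
LOLBINS = {"netsh.exe", "wmic.exe", "ntdsutil.exe", "certutil.exe", "reg.exe", "powershell.exe"}
# Parent processes from which these tools are normally launched. Assumption: tune per estate.
EXPECTED_PARENTS = {"explorer.exe", "mmc.exe", "services.exe", "cmd.exe"}
BURST_WINDOW = timedelta(minutes=10)   # assumption: window for the "burst" rule
BURST_THRESHOLD = 3                    # assumption: distinct tools on one host in that window

# Assumed log line layout (constructed for this example, not a vendor format):
# "<date> <time> host=<name> parent=<image> image=<image> cmdline="<command line>""
EVENT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) host=(?P<host>\S+) parent=(?P<parent>\S+) "
    r"image=(?P<image>\S+) cmdline=\"(?P<cmdline>.*)\"$"
)

# Constructed sample events: ws-17 shows routine admin use, ws-22 shows a web server
# worker process spawning several built-in tools late at night.
SAMPLE_EVENTS = [
    '2024-02-10 09:00:01 host=ws-17 parent=explorer.exe image=powershell.exe cmdline="powershell.exe -File C:\\scripts\\backup.ps1"',
    '2024-02-10 09:00:05 host=ws-17 parent=cmd.exe image=reg.exe cmdline="reg.exe query HKLM\\Software\\Vendor"',
    '2024-02-10 22:14:03 host=ws-22 parent=w3wp.exe image=wmic.exe cmdline="wmic.exe process list brief"',
    '2024-02-10 22:15:41 host=ws-22 parent=w3wp.exe image=netsh.exe cmdline="netsh.exe interface show interface"',
    '2024-02-10 22:17:09 host=ws-22 parent=w3wp.exe image=certutil.exe cmdline="certutil.exe -hashfile C:\\temp\\a.bin"',
    '2024-02-10 23:40:00 host=ws-22 parent=explorer.exe image=notepad.exe cmdline="notepad.exe"',
]


def parse_event(line):
    """Parse one log line into a dict, or return None if it does not match the layout."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    ev["image"] = ev["image"].lower()
    ev["parent"] = ev["parent"].lower()
    return ev


def detect_lolbin_activity(lines):
    """Return a list of findings; each finding names the rule, host and time that fired."""
    findings = []
    per_host = defaultdict(list)  # host -> [(timestamp, image)] for built-in tool launches
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["image"] not in LOLBINS:
            continue
        # Rule 1: built-in admin tool launched by a parent that does not normally launch it.
        if ev["parent"] not in EXPECTED_PARENTS:
            findings.append({"rule": "unexpected_parent", "host": ev["host"],
                             "image": ev["image"], "parent": ev["parent"], "ts": ev["ts"]})
        per_host[ev["host"]].append((ev["ts"], ev["image"]))
    # Rule 2: several distinct built-in tools on one host inside the window.
    for host, uses in per_host.items():
        uses.sort()
        for i, (start, _) in enumerate(uses):
            window = [img for ts, img in uses[i:] if ts - start <= BURST_WINDOW]
            if len(set(window)) >= BURST_THRESHOLD:
                findings.append({"rule": "lolbin_burst", "host": host,
                                 "images": sorted(set(window)), "ts": start})
                break  # one burst finding per host is enough for triage
    return findings


if __name__ == "__main__":
    for f in detect_lolbin_activity(SAMPLE_EVENTS):
        print(f)
```

Run against the constructed events, the routine activity on ws-17 produces nothing, while ws-22 yields three "unexpected_parent" findings and one "lolbin_burst" finding. Neither rule proves compromise on its own; the value is in surfacing built-in tool usage that the environment's own baseline does not explain, which is exactly what a living-off-the-land intruder relies on going unnoticed.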