In 2023, Microsoft warned that Volt Typhoon might disrupt US-Asia communications in future crises. Microsoft said that the group had buried itself in critical infrastructure through a stealth process called “living off the land” designed to hide from antivirus software.
After US officials disrupted Volt Typhoon’s KV botnet, security researchers at Black Lotus Labs noticed that the group had been changing tactics, re-exploiting previously compromised devices such as NetGear ProSAFE hardware. Other compromised devices included Cisco RV routers, DrayTek Vigor routers, and Axis IP cameras.
In total, the botnet infected 32% of the 6,613 NetGear ProSAFE devices connected to the internet at its peak.
Originally, there were 1,500 active bots under Volt Typhoon’s control, but that number fell to 650 by mid-January 2024. The big drop in numbers came in late December when, according to Black Lotus Labs, US officials took down the botnet’s command-and-control server, leaving only clusters tasked with scanning and reconnaissance.
According to Black Lotus Labs, this group, along with other similar state-aligned operations, will continue to use similar tactics in the future.
“We assess that this trend of utilizing compromised firewalls and routers will continue to emerge as a core component of threat actor operations, both to enable access to high-profile victims and to establish covert infrastructure,” the researchers wrote.