Lumen's Black Lotus Team reports that the China-linked advanced persistent threat (APT) Volt Typhoon has actively targeted network edge devices since at least 2022, utilizing a sophisticated botnet named "KV." The affected assets include Netgear ProSAFE firewalls, Cisco RV320s, DrayTek Vigor routers, and Axis IP cameras. The primary emphasis is on small-office/home-office (SOHO) networking devices, which, often being outdated and unpatched, can potentially grant access to significant data, particularly in the context of the prevalent remote work setting.
The malicious activity witnessed notable increases in August 2023, with further advancements in sophistication reported in mid-November 2023. This aligns with earlier reports in mid-November highlighting the strategic focus of China-linked actors on edge devices.
According to separate reports from the United States government and Microsoft, the campaign is likely associated with Chinese espionage and counterintelligence efforts.