Beginning on February 1, 2024, various press sources reported a large-scale law enforcement operation carried out in the United States (US) to counter espionage activities attributed to China-nexus Volt Typhoon, a state-sponsored advanced persistent threat (APT) which has been actively targeting small office/home office (SOHO) network edge devices.
On January 31, 2024, details about the operation were provided with an official press release of the US Attorney's Office, Southern District of Texas. This source indicates Volt Typhoon targeted Cisco and NetGear routers that had reached end of life and were subsequently vulnerable. After intrusion, Volt Typhoon included the compromised network devices in the "KV botnet." The law enforcement reportedly removed the KV botnet, disrupting the Volt Typhoon operation.
Security analysts have speculated that Volt Typhoon's campaign may be a tactical response to the rising geopolitical tension between the US and China. According to various pieces of analysis published via press, the ultimate purpose of the Chinese threat actor was to position itself for potential future targeting of the critical infrastructure in the US and potentially across the West. This assessment is also provided with the abovementioned US Attorney's Office, Southern District of Texas press release which reads "These further hacking activities included a campaign targeting critical infrastructure organizations in the United States and elsewhere[.]"
For prior reporting on Volt Typhoon, see our post published in December 2023.