A series of investigations by cybersecurity firms and researchers have revealed a concerted effort by the Chinese state-sponsored hacking group, Volt Typhoon, to exploit vulnerabilities in end-of-life Cisco routers. This campaign appears to be part of a broader strategy targeting government entities in the United States, United Kingdom, and Australia.
SecurityScorecard, a cybersecurity firm, has reported that the hacking entity is exploiting vulnerabilities in discontinued Cisco RV320/325 VPN routers. These devices, which were discontinued in 2019, are particularly vulnerable because they no longer receive software updates from Cisco. The exploited vulnerabilities, CVE-2019-1653 and CVE-2019-1652, are known issues listed in CISA’s Known Exploited Vulnerabilities catalog.
Over a 37-day period, SecurityScorecard observed that approximately 30% of the Cisco RV320/325 devices they monitored were likely compromised by Volt Typhoon. This high rate of compromise indicates a focused and effective campaign. The hackers use a previously unspecified webshell on these routers and other network edge devices, allowing them to maintain access and control over the compromised systems.
The campaign’s geographical focus includes the U.S., U.K., and Australia, with a heavy concentration of compromised devices in these regions. SecurityScorecard’s findings suggest that Volt Typhoon’s activities are more extensive than previously reported, reflecting the easy accessibility of end-of-life devices. The use of a compromised device in New Caledonia as a transit point for Volt Typhoon-related traffic underscores the group’s strategic approach to targeting global communications.
Broader Context of Chinese Cyber Activities
The pattern of targeting aligns with the broader strategy of Chinese nation-state cyber activities. The focus on Western alliance systems, including Five Eyes and AUKUS member countries, suggests a concerted effort to undermine key global players in cybersecurity and international relations.
This is part of a strategic shift in Chinese state-sponsored cyber activities, moving from data theft to targeting critical infrastructure for potential disruption or attack purposes.
Recommendations for Mitigation
Organizations are encouraged to identify vulnerable devices, particularly end-of-life Cisco RV320/325 routers. Upgrading these devices to supported products is crucial, as is continuous monitoring of network infrastructure to detect and respond to threats. It is also important to map the organization’s digital footprint and validate changes in network configurations that may introduce new security issues.
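The inventory and configuration checks recommended above can be scripted. The following is an added example written for this page, not code from the article or from SecurityScorecard: it flags Cisco RV320/RV325 entries in a device inventory, maps them to the two KEV-listed CVEs the article names, and compares each device’s configuration against a reviewed baseline so that unexpected changes on edge devices are surfaced for validation. The hostnames, configurations and baseline are constructed sample data; the EOL model list contains only the two models the article discusses.

```python
"""Inventory triage for end-of-life edge routers (added example, not from the article)."""
import hashlib
from dataclasses import dataclass

# End-of-life models named in the article and the CVEs the article says
# Volt Typhoon exploits on them. Any further model or CVE would be an assumption.
EOL_MODELS = {
    "RV320": ["CVE-2019-1653", "CVE-2019-1652"],
    "RV325": ["CVE-2019-1653", "CVE-2019-1652"],
}


@dataclass
class Device:
    hostname: str
    vendor: str
    model: str
    role: str    # e.g. "edge" or "core"; edge devices deserve the closest review
    config: str  # running configuration text (constructed for this example)


def config_fingerprint(config: str) -> str:
    """Hash a normalised config so whitespace-only differences do not raise alerts."""
    normalised = "\n".join(line.strip() for line in config.splitlines() if line.strip())
    return hashlib.sha256(normalised.encode()).hexdigest()


def find_eol_devices(inventory):
    """Return (hostname, model, cve_list) for every device on an end-of-life model."""
    hits = []
    for d in inventory:
        model = d.model.upper()
        if d.vendor.lower() == "cisco" and model in EOL_MODELS:
            hits.append((d.hostname, model, EOL_MODELS[model]))
    return hits


def detect_config_drift(inventory, baseline):
    """Compare each device's config hash against a baseline dict {hostname: hash}.

    Returns hostnames whose config changed or that have no baseline at all;
    both cases should be validated by a person before being accepted.
    """
    return [d.hostname for d in inventory
            if baseline.get(d.hostname) != config_fingerprint(d.config)]


# Constructed sample inventory (hypothetical hostnames and configurations).
SAMPLE_INVENTORY = [
    Device("branch-rtr-01", "Cisco", "RV320", "edge",
           "hostname branch-rtr-01\nremote-management enable\nntp server 10.0.0.5"),
    Device("branch-rtr-02", "Cisco", "rv325", "edge",
           "hostname branch-rtr-02\nntp server 10.0.0.5"),
    Device("core-sw-01", "Cisco", "C9300", "core",
           "hostname core-sw-01\nntp server 10.0.0.5"),
    Device("dc-fw-01", "Palo Alto", "PA-440", "edge",
           "hostname dc-fw-01"),
]

# Constructed baseline of last-reviewed configs. branch-rtr-01's reviewed
# config has no remote-management line, so the live device should be flagged;
# branch-rtr-02 differs only in whitespace and should not; dc-fw-01 has no
# baseline yet and is flagged so someone records one.
KNOWN_GOOD_CONFIGS = {
    "branch-rtr-01": "hostname branch-rtr-01\nntp server 10.0.0.5",
    "branch-rtr-02": "hostname branch-rtr-02\n  ntp server 10.0.0.5  \n",
    "core-sw-01": "hostname core-sw-01\nntp server 10.0.0.5",
}
BASELINE = {host: config_fingerprint(cfg) for host, cfg in KNOWN_GOOD_CONFIGS.items()}


def triage_report(inventory=SAMPLE_INVENTORY, baseline=BASELINE):
    """Combine both checks into one report a network team can act on."""
    return {
        "eol": find_eol_devices(inventory),
        "drift": detect_config_drift(inventory, baseline),
    }


if __name__ == "__main__":
    report = triage_report()
    for host, model, cves in report["eol"]:
        print(f"EOL device {host} ({model}): replace; exposed to {', '.join(cves)}")
    for host in report["drift"]:
        print(f"Config drift or missing baseline on {host}: validate the change")
```

In practice the inventory would be pulled from an asset database or a configuration backup system rather than hard-coded; the point of hashing a normalised config is that a baseline can be kept per device and any unreviewed change on an edge device, such as remote management being enabled, is surfaced rather than silently accepted.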
The Wrap
The Volt Typhoon campaign highlights the critical need for vigilant cybersecurity practices, especially in the face of sophisticated state-sponsored threats. The targeting of legacy systems and the exploitation of known vulnerabilities in unsupported hardware underscore the importance of maintaining up-to-date and secure network infrastructure.
As cyber adversaries continue to evolve their tactics, the global community must remain proactive in its defense strategies to protect against such advanced threats.