January 11, 2024 at 10:41AM
Chinese state-sponsored hackers are targeting government entities in the US, UK, and Australia by exploiting old vulnerabilities in Cisco routers, reports SecurityScorecard. The actors likely compromised one-third of observed vulnerable devices and may operate a much larger botnet than previously believed, as indicated by connections to government sites. The attacks appear to be part of a larger concerted effort by China-linked APT groups.
The key takeaways from the report are as follows:
– Chinese state-sponsored hackers are targeting government entities in the US, UK, and Australia by exploiting old vulnerabilities in Cisco routers, specifically the discontinued Cisco small business RV320/325 VPN routers.
– The attackers are likely part of the China-linked advanced persistent threat (APT) actor Volt Typhoon, which has compromised a significant number of vulnerable devices, potentially creating a botnet for command-and-control communication.
– Volt Typhoon is known to target small office and home office (SOHO) routers from Cisco and DrayTek, as well as other edge devices, and uses them to covertly transfer data.
– The cybersecurity firm SecurityScorecard was able to track infrastructure usage shifts and identify new IP addresses associated with Volt Typhoon-linked C&C infrastructure.
– The compromised devices may be used as a transit point for Volt Typhoon-related traffic, potentially placing the APT in a position to intercept or disrupt global communications.
– Further investigation revealed connections to government sites in the US, UK, Australia, and India, broadening the known scope of Volt Typhoon's targeting and indicating potential involvement in larger-scale cyber espionage activities.