
Volt Typhoon Malware: US Critical Infrastructure Breached

Wajahat Raja

February 22, 2024 - TuxCare expert team

In a recent revelation, the U.S. government disclosed that the Chinese state-sponsored hacking group Volt Typhoon has surreptitiously infiltrated critical infrastructure networks within the country for a staggering five-year period. This embedded malware operation by Volt Typhoon targeted sectors vital to the nation, including communications, energy, transportation, and water and wastewater systems in both the U.S. and Guam.


US Infrastructure Vulnerabilities – Unconventional Tactics Raise Alarms

The U.S. government agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI), expressed concern over Volt Typhoon's atypical tactics. Unlike conventional cyber espionage activities, Volt Typhoon exhibited a unique pattern of behavior, raising suspicions about its true intentions.

The agencies assess that Volt Typhoon is strategically positioning itself on IT networks, laying the groundwork for potential disruptive or destructive cyber attacks on U.S. critical infrastructure during a major crisis or conflict.

International Collaboration Validates Concerns

The gravity of the situation is underscored by a joint advisory from the U.S. and its intelligence allies in the Five Eyes (FVEY) alliance, consisting of Australia, Canada, New Zealand, and the U.K. This international collaboration reinforces the severity of the threat posed by Volt Typhoon and the need for a unified response. It also shows that infrastructure security breaches can have devastating consequences, compromising sensitive data and disrupting critical operations.

Volt Typhoon: A Stealthy Adversary

Also tracked as Bronze Silhouette, Insidious Taurus, UNC3236, Vanguard Panda, and Voltzite, Volt Typhoon operates as a covert China-based cyber espionage group, active since June 2021. Its existence came to light in May 2023 when FVEY and Microsoft disclosed the group’s persistent infiltration into critical infrastructure organizations in the U.S. and Guam, utilizing sophisticated living-off-the-land (LotL) techniques.

Living Off the Land: A Stealthy Tradecraft

Volt Typhoon's use of “living off the land” techniques allows it to operate discreetly, blending malicious activity with legitimate system and network behavior by relying on tools already present on the victim's systems rather than on custom malware. This makes it challenging for even organizations with mature security postures to detect the group's activity and distinguish it from routine administration.

Cloaked Origins: The Role of Multi-hop Proxies

To conceal its true origins, Volt Typhoon employs multi-hop proxies, such as the KV-botnet, to route malicious traffic through compromised routers and firewalls in the U.S. This tactic adds an extra layer of complexity, making it difficult to trace the source of such persistent threats.

CrowdStrike Report Highlights Strategic Approach

A report by cybersecurity firm CrowdStrike in June 2023 shed light on Volt Typhoon's strategic approach. The group relies on an extensive arsenal of open-source tools tailored to a specific set of victims, demonstrating a calculated and targeted methodology. Its pre-exploitation reconnaissance efforts ensure a deep understanding of the target environment, enabling tailored tactics and procedures for long-term persistence.

Persistent Pursuit of Administrator Credentials

Volt Typhoon's modus operandi involves exploiting privilege escalation flaws to obtain administrator credentials within the network. This elevated access then facilitates lateral movement, reconnaissance, and full domain compromise.

The ultimate goal is to maintain access to compromised environments, systematically re-targeting them over years to validate and expand unauthorized access. Hence, organizations must remain vigilant against Advanced Persistent Threats (APTs) to safeguard their digital assets and maintain operational integrity.


Undetected Persistence and Operational Security


Volt Typhoon distinguishes itself by its focus on stealth and operational security, evading detection for prolonged periods. The group’s strong emphasis on targeted log deletion conceals its actions within compromised environments, ensuring long-term, undiscovered persistence. For defenders, the act of clearing a log is itself an event worth alerting on, since legitimate administration rarely needs to erase audit history.
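As an added illustration of that last point (this is example code written for this article, not tooling from CISA, Microsoft or TuxCare), the script below scans exported Windows event records for the two well-known "log cleared" events (Security event ID 1102 and System event ID 104) and then flags hosts where several clears happen within a short window, which is the pattern a targeted log-deletion step would leave. The JSON record layout, hostnames, user names and timestamps are all constructed for the example; a real deployment would feed it records from a SIEM or Windows Event Forwarding collector.

```python
"""Flag event-log clearing in exported Windows event records (constructed sample)."""
import json
from collections import defaultdict
from datetime import datetime

# Well-known Windows event IDs that record an event log being cleared:
#   Security 1102 = "The audit log was cleared"
#   System    104 = "The <channel> log file was cleared"
LOG_CLEAR_EVENTS = {
    ("Security", 1102): "Security audit log cleared",
    ("System", 104): "Event log file cleared",
}

# Constructed sample export: one JSON object per line. Hosts, users and
# timestamps are invented for this example; the field names are an assumption
# about how the collector exports records.
SAMPLE_LOG = """\
{"time": "2024-02-20T01:12:03", "host": "ws-12", "channel": "Security", "event_id": 4624, "user": "svc-backup"}
{"time": "2024-02-20T01:14:40", "host": "ws-12", "channel": "Security", "event_id": 1102, "user": "svc-backup"}
{"time": "2024-02-20T01:15:02", "host": "ws-12", "channel": "System", "event_id": 104, "user": "svc-backup"}
{"time": "2024-02-20T03:40:11", "host": "dc-01", "channel": "Security", "event_id": 1102, "user": "admin.jdoe"}
{"time": "2024-02-20T03:41:00", "host": "dc-01", "channel": "Application", "event_id": 1000, "user": "SYSTEM"}
"""


def parse_events(text):
    """Parse newline-delimited JSON records; 'time' becomes a datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"])
        events.append(rec)
    return events


def find_log_clears(events):
    """Return one finding per record that documents a log being cleared."""
    findings = []
    for ev in events:
        key = (ev["channel"], ev["event_id"])
        if key in LOG_CLEAR_EVENTS:
            findings.append({
                "time": ev["time"],
                "host": ev["host"],
                "user": ev["user"],
                "reason": LOG_CLEAR_EVENTS[key],
            })
    return findings


def hosts_with_repeated_clears(findings, min_count=2, window_minutes=60):
    """Hosts on which at least min_count clears fall inside window_minutes.

    A single clear may be an admin tidying up; several channels cleared on the
    same host within minutes is the shape of deliberate anti-forensics.
    """
    by_host = defaultdict(list)
    for f in findings:
        by_host[f["host"]].append(f["time"])
    flagged = []
    for host, times in by_host.items():
        times.sort()
        # Slide a window of min_count consecutive clears and compare its span.
        for i in range(len(times) - min_count + 1):
            span = times[i + min_count - 1] - times[i]
            if span.total_seconds() <= window_minutes * 60:
                flagged.append(host)
                break
    return sorted(flagged)


if __name__ == "__main__":
    clears = find_log_clears(parse_events(SAMPLE_LOG))
    for f in clears:
        print(f"{f['time']:%Y-%m-%d %H:%M:%S} {f['host']:<6} {f['user']:<12} {f['reason']}")
    print("hosts with clustered clears:", hosts_with_repeated_clears(clears))
```

On the sample, every clear is reported individually, and only `ws-12` is promoted to the clustered list because its Security and System logs were wiped 22 seconds apart; `dc-01` shows a single clear and stays at the lower severity. Tuning `min_count` and `window_minutes` lets a team trade off noise from routine maintenance against sensitivity to the bursty wipes described above.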

Citizen Lab Exposes Widespread Influence Campaign

Coinciding with these revelations, the Citizen Lab uncovered a network of 123 websites impersonating local news outlets across 30 countries and engaging in a widespread influence campaign. Linked to a Beijing PR firm named Shenzhen Haimaiyunxiang Media Co., Ltd., the operation, dubbed PAPERWALL, shares similarities with HaiEnergy but employs different operators and its own tactics, techniques, and procedures (TTPs).

Response from China’s Embassy

In response to these allegations, a spokesperson for China’s embassy in Washington dismissed the accusations as biased and a double standard. They argue that labeling pro-China content as “disinformation” while considering anti-China information as “true” reflects a prejudiced perspective.



The revelation of Volt Typhoon's infiltration into U.S. critical infrastructure underscores the evolving nature of the cybersecurity threats facing nations worldwide. Addressing these challenges requires a concerted effort from governments, cybersecurity agencies, and private sector partners.

By enhancing collaboration and investing in robust defense mechanisms, we can better safeguard our systems from malicious software and mitigate the risk posed by sophisticated threat actors like Volt Typhoon.

The sources for this piece include articles in The Hacker News and Reuters.
