CyberWire Daily - Botnet’s back, tell a friend. [Research Saturday]
Episode Date: March 8, 2025

This week we are joined by Silas Cutler, Principal Security Researcher at Censys, asking the important question of "Will the Real Volt Typhoon Please Stand Up?" The FBI's disruption of the KV Botnet in December 2023, attributed to the Chinese threat group Volt Typhoon, targeted infected systems but did not affect the botnet's control infrastructure. Despite law enforcement efforts and technical exposure, the botnet's infrastructure has remained largely stable, with only changes in hosting providers, raising questions about whether another party operates the botnet. Censys scanning data from 2024 shows a shift in the botnet's control servers, indicating a response to disruption attempts, while the botnet's operators have shown limited efforts to obscure their infrastructure. The research can be found here: Will the Real Volt Typhoon Please Stand Up?
Transcript
You're listening to the CyberWire Network, powered by N2K.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting
your executives and their families at home?
Black Cloak's award-winning
digital executive protection platform
secures their personal devices,
home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk.
In fact, over one-third of new members discover
they've already been breached.
Protect your executives and their families 24/7/365 with Black
Cloak. Learn more at blackcloak.io
Hello everyone and welcome to the CyberWire's Research Saturday. I'm Dave
Bittner and this is our weekly conversation
with researchers and analysts
tracking down the threats and vulnerabilities,
solving some of the hard problems
and protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
And as we kind of evaluated it more and more,
it started to become clear that it looks like the activity that is, you know, the KV botnet side likely may be a different actor or an
actor working in direct support of Volt Typhoon, but it's a different set, likely a different
set of hands-on keyboard operators than those who are actually living off the land against high value targets.
That's Silas Cutler, principal security researcher at Censys.
The research we're discussing today is titled, Will the Real Volt Typhoon
Please Stand Up?
Well, let's back up just a little bit. And for folks who aren't following it too closely, how do you describe Volt Typhoon
themselves?
Yeah.
So Volt Typhoon, generally believed to be a threat actor that operates from the People's
Republic of China.
They have incredibly interesting tradecraft.
They've gone after, and there was a report that came out a while ago from Microsoft, I believe, about Volt Typhoon conducting an intrusion into an organization in Guam.
Unlike a lot of threat actors who rely on pieces of malware to maintain persistent access to a
target, this group operates almost entirely manually, living off the land and using native
available tools in order to accomplish their objectives
and dig deep into these networks.
Well, speaking of deep dives,
I mean, you all took a deep dive into their recent activity.
What was the first indication to you all
that something had changed,
that something new was happening?
The thing that we've kind of tracked pretty closely
as part of this group is,
with their first stage malware
tooling, the side that is part of that non-attribution layer
that they use before going after a target,
the KV malware itself, the first stage server
that it communicates to, has a distinct SSL certificate.
So that ensures that the client and server
are able to talk through encrypted communication.
Following FBI disruption last year, usually that's a good time for an actor to change
up their tooling, regenerate certificates, and try and throw researchers off their tail.
But with this group, it seemed that they didn't.
The certificate that they used had been consistent
since pre-FBI disruption,
and has been the way that we've been able to follow
a lot of their servers since they were first exposed.
Well, what do you make of that?
That there weren't those changes that, you know,
folks in your position kind of come to expect.
Yeah, and it's the type of thing that we expect also
for actors who are reading the same,
reading our blogs when we post them,
or reading blogs and Twitter posts
from other folks in the security space.
It's the type of thing that folks see,
know that people are tracking on it,
and in order to maintain their own security
and prevent disruption or network blocking
and things like that,
they'll make these changes in order to try and evade
the existing detection rules that are out there.
Typically, this type of thing,
it's a fascinating spot because you'll find actors who
may not make a change for several weeks in order to make it
appear that they didn't notice or to
try and have that plausible deniability of,
oh no, that was never my control server.
But then you'll get the actors,
and sometimes on the more lower skill side,
where they'll almost immediately react
and tear everything down,
which is a good sign that you've landed
on something important of theirs.
But with this group, it seems it's very odd
because they have the techniques
and they are at a skill level where they can respond well.
So the working theory that a couple of us have been talking about has been that potentially
this is a contract type entity where they're maintaining and building the non-attribution
side with KV Botnet separate from the operators who are actually conducting the hands-on keyboard
activity.
And as a result, when you have a contract,
it may specify something like,
yeah, you won't make any distinctive changes
for a year and a half,
or whatever the duration of the contract is.
So it's possible that these changes haven't been made
because they are a government contractor somewhere in China
and it is not within the scope of their contract
to make the changes. That's really interesting. I mean, so it could be a practical thing rather than, say, swagger.
Oh, absolutely. Of course, this is just a theory and there's a lot more we'll need to fully confirm it and to dig forward, but
I'm hopeful that we'll see some more things in the future because this is a group that likely isn't going away anytime soon.
Well, part of your investigation was identifying
the servers that were connected to Volt Typhoon.
Can you walk us through that process of how you and your
team were able to narrow those down?
So at Censys, we do continuous scanning of the internet.
So looking for things like the SSL certificates
that websites are using,
those are really important key indicators and things
that we look for in terms of being able to track and
identify related sets of infrastructure.
When we started looking at this
back at some of the servers back from 2023,
we noticed that they almost exist in pairs.
There was a set of servers over under the Choopa ASN.
I'm sorry, December, those servers were shut down and it looks like they migrated over to DigitalOcean and then finally in December,
hopping once again back to Choopa.
So watching it is through essentially the outer hallmarks of what their control servers look like and what services they expose, and sort of, you can
think of it almost like their externally facing fingerprint on the internet.
Yeah, I mean for folks who are interested in this kind of research can
you give us some insights as to like what are the things that you can glean
from these sorts of observations and what,
on the other hand, what stays opaque to you?
Oh, so there's a lot of things
that are really cool in this space.
And some of these things are what got me
really interested in scanning initially.
So not necessarily in the case of Volt Typhoon here,
but when we start looking at the external fingerprints
of what attackers infrastructure looks like on the internet,
there's things that we can normally find fairly easily, things like Cobalt Strike, a lot of
the open source control server frameworks like Sliver, and infrastructure is expensive.
So actors run multiple services, sometimes we'll see Cobalt Strike and Metasploit running
on the same server.
And then there's cases where actors make mistakes like everyone else, and they leave a web directory exposed
containing tools that they were intending only
to be downloaded by infected systems
as part of an automated process.
And so from our visibility, we're
able to see a lot of these really cool structures
of how attackers set up their infrastructure
and at times where they start to make mistakes, which give us incredible visibility
into how some of those things are structured.
The challenge, of course, is there's much that we can't see.
So things are behind firewalls within internal networks.
So the actual who's connecting to attack control servers,
that's often something that we don't necessarily see
from our visibility, but we can at least help
to find where to go looking for,
for organizations that are looking to protect against this.
Yeah.
While you all were in the depths of this research,
was there anything that popped up that was unexpected
or surprising, anything that really stood out to you?
So one of the things that I noted pretty early on
was it looks like for a lot of the KV first stage control
servers, they were hosting these primarily within the US.
So they were relying on US providers, which I can understand
and I can theorize on some reasons why they might do that
from, say, an operational security perspective,
potentially worrying that if they place their servers
in a foreign country that all of this
traffic may end up as a signal that something suspicious is going on, potentially enabling
government like the US government to use national security controls against it.
So it was interesting to see at least that level of potential forethought into where they're placing
their control servers. But it was surprising that even after
law enforcement was able to conduct an operation to disrupt some of these servers,
that they still continued to maintain these servers within the US instead of
moving to say somewhere like the UK or another friendly country.
We'll be right back.
Cyber threats are evolving every second, and staying ahead is more than just a challenge, it's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted
by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping
unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and
securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
Your business needs AI solutions that are not only ambitious but also practical and
adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights,
receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
You know, when we're talking about attribution, attribution can be notoriously
difficult.
What's your level of confidence that these activities are, indeed, Volt Typhoon?
Yeah, that's a great question.
So I like to say that all threat intelligence is iterative, so inherently the findings that
we have are built on the findings of others.
A lot of the information that we have about Volt Typhoon, and I can't
say enough good things about the research team at Lumen, they've done incredible work on detailing
a number of different campaigns from the KV botnet and looking at a number of this sort of
different sub-botnets within it and how those operate. So a lot of our analysis building upon
things from Lumen and then
before that things from Microsoft. So as we've all continued to look at these
things there's been distinctive overlaps in terms of tradecraft that we're seeing
from other groups, groups like Flax Typhoon and Salt Typhoon, where they're
using similar sets of sort of like operational designs. So using these
non-attribution networks built on exploitation
of vulnerable SOHO devices, vulnerable VPN devices
to use as hot points in order to move
against their actual targets.
And while that's not necessarily exclusive to China theme,
it is one that has been really, really interesting
to watch develop as part of their offensive ecosystem
over the past year
I was incredibly impressed with something that I saw a couple days ago
In some of the reporting on Flax Typhoon where the FBI had found a patent in the Chinese patent database for Flax
Typhoon, which became one of those evidence pieces they used to kind of link finally to the
Integrity Tech group, which I believe is the name for Flax Typhoon.
Wow, that's interesting.
I don't know that a patent database was a place
I would have thought about searching around for.
Isn't that fascinating?
It was not on my bingo card,
and I have spent hours now looking at similar patents
and trying to learn how to properly read patents.
Yeah, that's really interesting.
Do groups like this,
I mean, looking at Volt Typhoon specifically,
but also in general,
to what degree are they trying to cover their tracks?
It seems like a lot of it is trying to cover their tracks.
So especially with using these non-attribution networks,
it is a really key way for them to avoid some of
the more like historic operational security mistakes that have been made.
When I first started doing threat intelligence research, I worked with a gentleman named
Joe Stewart from SecureWorks, and he had just put out a blog post on something called HTran,
which was a proxy tool that had an unfortunate vulnerability in it, for lack of a better
description, where in similar types of setups,
an attacker would be able to set up HTran
on a, potentially on a US server,
route infected systems to call back to that US server,
and then it would redirect the traffic behind the scenes
to wherever they were in China.
But unfortunately, if they shut down their home computer
or turned off wherever their
system was in China or wherever they're working, it would send an error message back to the
infected system saying, hey, the IP address you're trying to connect to is not available.
And it would be the attacker's true IP address.
Oh, my.
So it was a horrible, horrible operational security leak for them for a while.
And I built a number of systems just to keep hunting for those really cool tidbits.
But using something like this where they're moving
to breaching VPN appliances and SOHO routers
as a means of building out these networks
show a lot more operational maturity
and something that is a time-tested practice
and something that is a little bit more resilient
to a lot of the mistakes of the past.
It still carries risk because they're using
sort of a common tool,
this being KV botnet, across these devices.
So there is the linkage of being able to say,
it's likely a common party all using these things,
but it still avoids some of the traditional pitfalls.
To what degree do you think folks,
and I'm thinking of business leaders here,
should they be concerned about Volt Typhoon? Is this a nation-state
espionage concern, or to what degree does it trickle down to the day-to-day
thoughts of someone who's running an organization?
Yeah, so guidance from folks like CISA, the National Security Agency here in the US,
have talked about this being distinctly espionage related and having national security level concerns, which for business
leaders may not be something they feel is directly within their scope to manage. But there's kind of
two interesting folds to this. So if you're a critical infrastructure provider or working in
water treatment or any critical sector,
there is a possibility that they may be targeted
for the more espionage related purposes,
but even for organizations that have a presence on the internet
or using SOHO routers and VPN appliances
and most standard technology,
it's important to make sure that those devices are being
kept up to date with patches and best security practices because inherently it's possible
that they may be used or leveraged unwillingly to support Volt Typhoon or another typhoon
as part of one of their attacks, which can be a massive headache for an organization
to deal with because they'd be in the position of both having to do
forensics to identify what happened, as well as try and
assist with another significant incident going on.
What are the key takeaways you want folks to get from
this particular research?
Yeah, so especially for the research community,
there's a lot that I think we need to look at in terms of
trying to better divide out these sets and lay out our attribution in a more clear, concise way
across the industry. So for Volt Typhoon, it's one of those actors that's incredibly difficult
to really pin down because the activity that we see against their core targets, the critical infrastructure,
they use very few tools
that are uniquely attributable to them.
And so they are a difficult actor to pin down,
but it's one that has real national security consequences
and that we need to be on the forefront
of tracking incredibly closely.
And that's gonna require a lot of information sharing
and folks being willing to talk about their assessments,
right or wrong, and work on them together.
Our thanks to Silas Cutler from Censys for joining us.
The research is titled, Will the Real Volt Typhoon Please Stand Up?
We'll have a link in the show notes.
That's Research Saturday brought to you by N2K CyberWire.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly
changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes, we're mixed by
Elliott Peltzman and Tré Hester. Our executive producer is Jennifer Eiben, Peter Kilpe is
our publisher. I'm Dave Bittner. Thanks for listening. We'll see you back here next time.