CyberWire Daily: "Botnet’s Back, Tell a Friend" [Research Saturday]
Release Date: March 8, 2025
Host/Author: N2K Networks
Description: The daily cybersecurity news and analysis industry leaders depend on. Published each weekday, the program also includes interviews with a wide spectrum of experts from industry, academia, and research organizations all over the world.
Introduction
In the March 8, 2025 episode of CyberWire Daily titled "Botnet’s Back, Tell a Friend", part of the Research Saturday series, host Dave Bittner talks at length with Silas Cutler, Principal Security Researcher at Censys. The episode covers how the Volt Typhoon threat actor builds and maintains its infrastructure, how researchers track it, and what that means for security teams and business leaders.
Overview of Volt Typhoon
Silas Cutler gives an overview of Volt Typhoon, a sophisticated threat actor believed to operate from the People's Republic of China. Unlike many groups that rely on custom malware for persistent access, Volt Typhoon works largely hands-on-keyboard, using the tools already present on a system (living off the land) to move through target networks while leaving little for malware-based detection to find.
Notable Quote:
“Volt Typhoon is generally believed to be a threat actor that operates from the People's Republic of China. They have incredibly interesting tradecraft they've gone after.”
— Silas Cutler [02:13]
Indicators of Change in Operations
The conversation turns to recent shifts in Volt Typhoon's activity, specifically the server infrastructure behind the KV Botnet. Researchers expected the group to rotate its infrastructure after the FBI's disruption operation, but the TLS certificate used on its first-stage servers has stayed the same. That is unusual: once exposed, threat actors normally change such identifiers to avoid being tracked.
Notable Quotes:
“The certificate that they used had been consistent since pre-FBI disruption and has been the way that we've been able to follow a lot of their servers since they were first exposed.”
— Silas Cutler [03:00]
“They have the techniques and they are at a skill level where they can respond well. So the working theory that a couple of us have been talking about has been that potentially this is a contract type entity...”
— Silas Cutler [05:45]
Investigation of Control Servers
Silas outlines how Censys identifies and tracks Volt Typhoon's control servers. By continuously scanning the internet and watching for the group's TLS certificate, Censys can follow the servers as they appear, disappear, and migrate between hosting providers, including Choopa's ASN and DigitalOcean.
Notable Quote:
“At Censys we do continuous scanning of the Internet. So looking for things like the SSL certificates that websites are using, those are really important key indicators...”
— Silas Cutler [06:16]
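The workflow Silas describes, following one certificate across scan snapshots to see which hosts serve it, when it moves between providers, whether it survives a disruption date, and what else sits on the same hosts, as an added Python example. This is not Censys code or tooling from the episode: the observation records, certificate bytes, fingerprints, IP addresses, ASN labels and dates are all constructed placeholders, and the "cutoff" date stands in for any disruption event a practitioner wants to check against.

```python
"""Pivoting on a TLS certificate fingerprint across internet-scan snapshots.

Added example, not Censys code. Every record below is constructed for
illustration; the IPs are documentation ranges and the ASN names are invented.
"""
import hashlib
from datetime import date
from typing import NamedTuple


class Observation(NamedTuple):
    seen: date   # date the scanner saw this host
    ip: str      # host address
    asn: str     # hosting provider / autonomous system label
    fp: str      # SHA-256 fingerprint of the certificate the host presented


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate: the usual pivot key in scan data."""
    return hashlib.sha256(der).hexdigest()


# Constructed stand-ins for two certificates (not real DER bytes).
CERT_A = b"constructed placeholder, not real DER: cert A"
CERT_B = b"constructed placeholder, not real DER: cert B"
FP_A, FP_B = cert_fingerprint(CERT_A), cert_fingerprint(CERT_B)


def obs(day: str, ip: str, asn: str, fp: str) -> Observation:
    return Observation(date.fromisoformat(day), ip, asn, fp)


# Constructed scan history. Cert A keeps being served after a hypothetical
# 2024-01-31 cutoff and turns up at two more providers; cert B is an unrelated
# certificate that happens to share a host with it.
SCAN = [
    obs("2023-12-01", "192.0.2.10",   "AS-ALPHA", FP_A),
    obs("2023-12-01", "192.0.2.11",   "AS-ALPHA", FP_A),
    obs("2024-02-15", "192.0.2.10",   "AS-ALPHA", FP_A),  # still up after the cutoff
    obs("2024-03-01", "198.51.100.5", "AS-BETA",  FP_A),  # reappears at a new provider
    obs("2024-03-01", "198.51.100.5", "AS-BETA",  FP_B),  # second cert co-hosted there
    obs("2024-05-20", "203.0.113.7",  "AS-GAMMA", FP_A),
    obs("2024-05-20", "203.0.113.8",  "AS-GAMMA", FP_B),
]


def hosts_for_fingerprint(scan, fp):
    """{ip: {"first": date, "last": date, "asns": set}} for every host serving `fp`."""
    hosts = {}
    for o in scan:
        if o.fp != fp:
            continue
        h = hosts.setdefault(o.ip, {"first": o.seen, "last": o.seen, "asns": set()})
        h["first"] = min(h["first"], o.seen)
        h["last"] = max(h["last"], o.seen)
        h["asns"].add(o.asn)
    return hosts


def asn_timeline(scan, fp):
    """Chronological (first_seen, asn) pairs: where this certificate has lived."""
    first = {}
    for o in scan:
        if o.fp == fp and (o.asn not in first or o.seen < first[o.asn]):
            first[o.asn] = o.seen
    return sorted((d, a) for a, d in first.items())


def migrations(scan, fp):
    """(from_asn, to_asn, date) for each time the certificate appears at a new provider."""
    tl = asn_timeline(scan, fp)
    return [(tl[i - 1][1], tl[i][1], tl[i][0]) for i in range(1, len(tl))]


def pivot_certificates(scan, fp):
    """Other fingerprints served by hosts that also served `fp` (co-hosting pivot)."""
    ips = set(hosts_for_fingerprint(scan, fp))
    return {o.fp for o in scan if o.ip in ips and o.fp != fp}


def seen_after(scan, fp, cutoff_iso: str) -> bool:
    """True if the certificate is still observed on or after a cutoff such as a takedown date."""
    cutoff = date.fromisoformat(cutoff_iso)
    return any(o.fp == fp and o.seen >= cutoff for o in scan)


if __name__ == "__main__":
    for ip, h in hosts_for_fingerprint(SCAN, FP_A).items():
        print(ip, h["first"], h["last"], sorted(h["asns"]))
    for src, dst, when in migrations(SCAN, FP_A):
        print(f"{when}: {src} -> {dst}")
    print("co-hosted certs:", pivot_certificates(SCAN, FP_A))
    print("survived cutoff:", seen_after(SCAN, FP_A, "2024-01-31"))
```

The co-hosting pivot is deliberately a weak signal: a shared host on a commodity provider can mean a shared operator or just a shared IP lease, so anything it surfaces is a lead for further checking rather than an attribution in itself.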
Challenges in Attribution
Attribution remains a hard problem. Silas notes that Volt Typhoon's tradecraft overlaps substantially with that of groups such as Flax Typhoon and Salt Typhoon, so confident attribution depends on iterative intelligence work and collaboration across the security community rather than on any single finding.
Notable Quotes:
“All threat intelligence is iterative. So inherently the findings that we have are built on the findings of others.”
— Silas Cutler [12:01]
“Using something like this where they're moving to breaching VPN appliances and SOHO routers as a means of building out these networks shows a lot more operational maturity...”
— Silas Cutler [15:08]
Operational Security Practices
Silas discusses Volt Typhoon's operational security (OpSec), in particular its use of non-attribution networks and its deliberate placement of control servers inside the U.S. Traffic to domestic infrastructure blends in with ordinary activity, which reduces the group's detectable footprint and complicates efforts to disrupt it.
Notable Quote:
“It was surprising that even after law enforcement was able to conduct an operation to disrupt some of these servers, that they still continued to maintain these servers within the US instead of moving to, say, somewhere like the UK or another friendly country.”
— Silas Cutler [09:01]
Implications for Business Leaders
The discussion then turns to the risk Volt Typhoon poses to organizations. Silas advises that every business, and critical infrastructure operators in particular, keep edge devices and networks patched and configured to current security practice, so that their equipment is not quietly conscripted into a botnet such as this one.
Notable Quote:
“If you're a critical infrastructure provider or working in water treatment or any critical sector, there is a possibility that they may be targeted for the more espionage related purposes.”
— Silas Cutler [16:08]
Key Takeaways
Silas emphasizes the necessity for enhanced information sharing and collaborative efforts within the cybersecurity community to effectively track and counteract sophisticated threat actors like Volt Typhoon. Additionally, he calls for clearer attribution practices to better understand and respond to evolving cyber threats.
Notable Quote:
“For Volt Typhoon, it's one of those actors that's incredibly difficult to really pin down... it is one that has real national security consequences and that we need to be on the forefront of tracking incredibly closely.”
— Silas Cutler [17:28]
Conclusion
The episode concludes with a call to action for the cybersecurity community to engage in continuous research and collaboration. Silas remains hopeful that ongoing efforts will uncover more about Volt Typhoon's operations, strengthening the collective defense against such elusive and sophisticated cyber threats.
Notable Quote:
“But with this group it seems it's very odd because they have the techniques and they are at a skill level where they can respond well... it's possible that these changes haven't been made because they are a government contractor somewhere in China and it is not within the scope of their contract to make the changes.”
— Silas Cutler [05:45]
Produced By: Liz Stokes
Mixing: Elliot Peltzman and Trey Hester
Executive Producer: Jennifer Eiben
Publisher: Peter Kilpe
For more detailed insights, listeners are encouraged to access the full transcript and research materials linked in the show notes.