On the Cybersecurity Front: Volt Typhoon and Warzone RAT

  • February 15, 2024
  • Clayton Rice, K.C.

The disruption of a botnet and the seizure of internet domains selling a remote access trojan have recently turned the cybersecurity focus on the detection of stealth methods deployed by state-sponsored and financially motivated actors. Described as the defining threat of our generation, a botnet known as Volt Typhoon, linked to the People’s Republic of China, was disrupted by an international consortium of law enforcement agencies. And two individuals have been arrested in a separate investigation on charges of conspiracy to commit computer intrusion offences stemming from the sale of a remote access trojan.

1. Introduction

The United States Department of Justice has announced the disruption of “a sweeping Chinese cyber-spying operation” that targeted American infrastructure and could be used against the U.S. in a geopolitical crisis. “The operation weeded out malicious Chinese software from a network or ‘botnet’ of hundreds of compromised U.S. routers,” said journalists Raphael Satter and James Pearson reporting for Reuters. (here) Last year, the U.S. State Department had warned that China was capable of launching cyber attacks against rail systems and oil and gas pipelines. Part of the challenge in defending against this kind of espionage is that it is more covert than regular spying operations. Traditional methods of detection, such as antivirus software, will not detect it. (here) In a separate investigation, the U.S. justice department announced the seizure of Warzone, which offered a remote access trojan for sale: a type of malware that bypasses security systems and allows an attacker to remotely control the infected computer. (here) Daniel Meli of Malta and Prince Onyeoziri Odinakachi of Nigeria have been indicted for conspiracy to commit computer intrusion offences.

2. Volt Typhoon

On January 31, 2024, the U.S. justice department announced the disruption of the Chinese-backed hacking operation that attempted to target critical infrastructure using the “KV Botnet” known in the private sector as Volt Typhoon. “China’s hackers are targeting American civilian critical infrastructure, pre-positioning to cause real-world harm to American citizens and communities in the event of conflict,” said FBI Director Christopher Wray. (here) On February 7, 2024, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) released an advisory that Volt Typhoon actors are using “living off the land” techniques on IT networks for disruptive or destructive cyber activity against critical infrastructure in the event of conflict with the United States. (here) The advisory was co-authored by seven other agencies including the United Kingdom National Cyber Security Centre and the Canadian Centre for Cyber Security. Speaking during a U.S. House of Representatives committee hearing on cyber threats posed by China, Mr. Wray described Volt Typhoon as “the defining threat of our generation”. (here and here)

On May 24, 2023, Microsoft had published a blog post titled Volt Typhoon targets US critical infrastructure with living-off-the-land techniques describing Volt Typhoon as, “focused on post-compromise credential access and network system discovery aimed at critical infrastructure organizations in the United States.” (here) Reporting for CBC, Canada’s national broadcaster, James McCarten highlighted the finding in the report that Volt Typhoon relies on stealth to maintain access to a target network, blending into normal network activity by routing traffic through compromised small office and home office network equipment. (here) “Volt Typhoon rarely uses malware in their post-compromise activity,” said Microsoft. “Instead, they rely on living-off-the-land commands to find information on the system, discover additional devices on the network, and exfiltrate data.” (here)

According to information disclosed by security researchers to Reuters, Volt Typhoon functions by taking global control of vulnerable devices such as routers, modems and internet-connected security cameras to hide later, downstream attacks into more sensitive targets. These remotely controlled systems, known as botnets, are of concern to security officials because they reduce the attacker’s visibility to the cyber defenders who monitor computer networks for foreign footprints. “How it works is the Chinese are taking control of a camera or modem that is positioned geographically right next to a port or ISP (internet service provider) and then using that destination to route their intrusions into the real target,” a former official told journalists Christopher Bing and Karen Freifeld. “To the IT team at the downstream target it just looks like a normal, native user that’s sitting nearby.” (here)

3. Warzone RAT

On February 9, 2024, the U.S. justice department announced that federal authorities in Boston, Massachusetts, had seized internet domains used to sell computer malware designed to surreptitiously access and steal data from targeted computers. (here) The FBI seized the website of Warzone and three related domains that offered remote access trojans for sale. (here) Mr. Meli was indicted by a federal grand jury in the Northern District of Georgia on December 12, 2023, and Mr. Odinakachi was indicted by a federal grand jury in the District of Massachusetts on January 30, 2024. The investigation was conducted by an international consortium of law enforcement agencies coordinated through Europol, including the Malta Police Force, the Royal Canadian Mounted Police and the Australian Federal Police. (here)

A remote access trojan (RAT), sometimes called creepware, is used to remotely control an infected computer. The malware is spread through phishing emails or malicious websites and allows an attacker to access a victim’s files, steal data and monitor user behaviour. The attacker can control the camera and microphone, take screenshots and use the infected device as a proxy to launch attacks on other devices. Remote access trojans also use techniques such as process hollowing, code injection or code obfuscation to avoid detection by antivirus software. (here) Unlike other cybersecurity threat vectors, RATs may continue to be dangerous after they are removed from a system. They can modify files and hard drives, change data, and record passwords through keylogging and screen captures that may have long-lasting effects. (here) They are also known for diversity and longevity. According to Lindsay Kaye at Recorded Future, “[s]ome of the RATs have been out for ten years now, and they’re still getting used.” (here)

The indictment alleges that Mr. Meli offered malware products and services for sale through HackForums using the moniker “xVulnerable” and that he was also an administrator of an alleged online criminal enterprise called Skynet-Corporation. He purportedly offered teaching tools for sale, including an eBook, to help customers with the private RAT spreading method. The indictment asserts that the spreading method for getting “slaves” often targeted computers of gamers who have high performance hardware optimal for mining cryptocurrency. He sold the Warzone RAT and previously sold malware known as Pegasus RAT (unrelated to Pegasus spyware sold by NSO Group). The separate indictment charging Mr. Odinakachi with conspiracy to commit computer intrusion offences alleges that he provided online customer support for purchasers of Warzone RAT.

4. Conclusion

In a report titled National Cyber Threat Assessment 2023-2024, the Canadian Centre for Cyber Security identified cyber threats to critical infrastructure as increasingly likely to affect Canadians. “State sponsored actors target critical infrastructure to collect information through espionage, to pre-position in case of future hostilities, and as a form of power projection and intimidation,” the report said. “However, we assess that state-sponsored cyber threat actors will very likely refrain from intentionally disrupting or destroying Canadian critical infrastructure in the absence of direct hostilities.” (here)

It is surprising that CCCS would downplay the cybersecurity threat posed by authoritarian states. Earlier today the U.S. justice department announced the disruption of another botnet – this one controlled by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU). “Notably, this represents the third time since Russia’s unjustified invasion of Ukraine that the Department has stripped the Russian intelligence services of a key tool used to further the Kremlin’s acts of aggression and other malicious activities,” said Assistant Attorney General Matthew G. Olsen. (here) It’s looking like Mr. Wray got it right.

On the Warzone front, Mr. Meli and Mr. Odinakachi were both arrested on February 7, 2024. Mr. Meli has made his initial court appearance before a magistrate judge in Valletta, Malta. According to a press release by the U.S. Attorney’s Office, District of Massachusetts, dated February 9, 2024, the Northern District of Georgia is seeking his extradition. (here) Mr. Odinakachi was arrested by the Port Harcourt Zonal Command of Nigeria’s Economic and Financial Crimes Commission and is also reportedly facing extradition. (here)