Volt Typhoon, a Chinese state-sponsored espionage group previously implicated in high-profile incidents, is reportedly targeting end-of-life Cisco routers and network devices in the U.S., U.K., and Australia, according to a report by SecurityScorecard’s STRIKE Team. The researchers discovered new infrastructure allegedly linked to Volt Typhoon that exploits CVE-2019-1653 and CVE-2019-1652, two vulnerabilities affecting Cisco RV320/325 routers, a product line discontinued in 2019. Approximately 30% of the observed devices were compromised within a 37-day period, suggesting an active presence rather than dormant infrastructure. The campaign’s deliberate focus on unsupported hardware underscores the risk that outdated, unpatchable systems pose to an organization’s defenses.
The success of the Volt Typhoon campaign in exploiting end-of-life Cisco routers signifies a strategic shift towards targeting legacy systems, according to Callie Guenther, Senior Manager of Cyber Threat Research at Critical Start. Organizations often neglect outdated hardware, underestimating the risks associated with unsupported systems. Guenther notes that Volt Typhoon’s success may encourage similar adversaries to target legacy systems, reflecting an evolution in Chinese state-sponsored cyber groups’ capabilities. The sophistication of the campaign indicates enhanced technical proficiency and a deeper understanding of global cyber infrastructure vulnerabilities.
Experts note that compromised end-of-life Cisco routers, such as the RV320/325 series, are routinely absorbed into powerful botnets used by cybercriminals and nation-states alike. Obsolete routers, often managed by individuals outside IT departments, present a cybersecurity risk that is frequently underestimated. The increased traffic between known Volt Typhoon infrastructure and infected Cisco routers may indicate preparation for upcoming attacks or maintenance intended to keep the compromised devices operational. U.S. officials have expressed concern about Chinese state hackers’ deep access to utilities around U.S. military bases, underscoring a shift from data theft toward positioning against critical infrastructure for potential disruption or attack.