Cisco RV325

End-of-life Cisco routers targeted by China’s Volt Typhoon group

A prominent state-sponsored hacking group in China appears to be targeting end-of-life Cisco routers and network devices in the U.S., U.K. and Australia as part of a larger campaign.

A new report from SecurityScorecard’s STRIKE Team claims to have discovered new infrastructure allegedly linked to a group labeled as Volt Typhoon — a Chinese government espionage unit previously implicated in several high-profile incidents involving U.S. critical infrastructure organizations.

SecurityScorecard’s research focused on the compromise of Cisco RV320/325 devices — a line of routers the company discontinued in 2019. Sales of the devices stopped in January 2020, and the last date to receive service and support for the product is January 31, 2025.

The hackers involved in the campaign are exploiting two vulnerabilities from 2019 — CVE-2019- 1653 and CVE-2019-1652 — both of which were added to the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities list that year.

“Approximately 30% of the Cisco RV320/325 devices observed by SecurityScorecard may have been compromised by Volt Typhoon in a 37-day period,” the researchers said.

“The STRIKE Team observed frequent connections between these devices and known Volt Typhoon infrastructure from 12/1/23 to 1/7/2024, suggesting a very active presence. Cisco has not released and will not release software updates to address the vulnerabilities described in this advisory, as the devices are end-of-life.”

The researchers found a previously unspecified webshell — tools hackers use to interact with and maintain access to a system after an initial compromise — on Cisco routers and other network edge devices targeted by the group.

SecurityScorecard noted that they “observed possible targeting of U.S., U.K., and Australian government assets by two such devices.”

“The file name and IP addresses the STRIKE Team discovered may offer further indications of Volt Typhoon’s preparation of new infrastructure, which other recent reports have also observed,” they added, noting that some recent reports on Volt Typhoon have identified efforts to compromise NETGEAR firewalls.

“Given that SecurityScorecard’s data reflects the use of NETGEAR products at the IP addresses observed and that the same IP addresses both contacted a payload server previously linked to Volt Typhoon and other IP addresses hosting US government domains, these IP addresses may not only be previously unidentified components of Volt Typhoon’s network of compromised devices, but may also reflect Volt Typhoon’s targeting of a U.S. and allied government entities.”

The researchers cited a recent report from Black Lotus Labs as further evidence that Volt Typhoon was developing new infrastructure “in preparation for a period of renewed activity.” They claimed their findings suggest that “these preparations are ongoing and extensive, as almost a third of the Cisco devices appearing in SecurityScorecard’s dataset communicated with these IoCs in a seven-day period.”

According to their research, 325 of the 1,116 possible target devices they looked at communicated with two IP addresses were previously identified by others as serving as proxies used by Volt Typhoon-linked actors.

Hardware on the mind

Callie Guenther, senior manager of cyber threat research at Critical Start, told Recorded Future News that the campaign's success in exploiting end-of-life Cisco RV320/325 devices highlights a strategic shift in targeting legacy systems.

“This approach exploits the often neglected aspect of cybersecurity — outdated hardware. Many organizations focus on software vulnerabilities while underestimating the risks associated with unsupported hardware,” she said.

“The success of Volt Typhoon in this area may encourage similar adversaries to target legacy systems, recognizing their potential as weak links in cybersecurity defenses. The sophistication and scale of the Volt Typhoon campaign imply a significant evolution in the capabilities of Chinese state-sponsored cyber groups.

She added that this evolution “not only reflects enhanced technical proficiency but also indicates a more profound understanding of global cyber infrastructure vulnerabilities.”

Other experts echoed the assessment that devices like those from Cisco continue to be compromised and used to form powerful botnet armies used by both cybercriminals and nation states.

John Gallagher, vice president of IoT security firm Viakoo, said the obsolete Cisco routers identified in the report are typically managed by people outside of IT departments and are often unaccounted for.

Gallagher theorized that the increased traffic between known Volt Typhoon infrastructure and the infected Cisco routers could be simply “exercising” the troops to ensure they are ready to be used in upcoming attacks, or ensuring that they remain operative.

FBI intelligence analyst Katie Todd said that over the last decade, they have seen a shift in what Chinese state hackers are targeting — shifting from data theft to “targeting of critical infrastructure that could be used for some sort of attack or disruption purpose as well.” This includes multiple pipelines as well as oil and gas providers, Todd said.

Both the New York Times and Washington Post have published stories over the last six months highlighting the alarm within the most senior levels of the U.S. government about discoveries related to Volt Typhoon.

U.S. officials have told both news outlets that hackers connected to China’s People’s Liberation Army have gained deep levels of access to dozens of utilities in areas around U.S. military bases in Guam, Hawaii and more.

Brandon Wales, executive director of CISA, told the Washington Post last month that it is “very clear that Chinese attempts to compromise critical infrastructure are in part to pre-position themselves to be able to disrupt or destroy that critical infrastructure in the event of a conflict, to either prevent the United States from being able to project power into Asia or to cause societal chaos inside the United States — to affect our decision-making around a crisis.”

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.