Volt Typhoon and 4 other groups targeting US energy and defense sectors through Ivanti bugs

Several China-based hacking groups, including Volt Typhoon, are targeting a trio of vulnerabilities affecting IT giant Ivanti alongside multiple cybercriminal operations.

The Cybersecurity and Infrastructure Security Agency (CISA) and several of the world’s leading cybersecurity agencies have released warnings about the vulnerabilities — labeled CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893 — due to their widespread use among governments around the world.

In a report published Thursday, Google-owned security firm Mandiant said it is tracking “multiple clusters of activity” exploiting the vulnerabilities, which impact Ivanti Connect Secure and Ivanti Policy Secure gateways.

The researchers said that in February, they began tracking a group it believes to be Volt Typhoon, which overlaps with TAG-87 and BRONZE SILHOUETTE, targeting the energy and defense sectors in the U.S. Four other China-based groups have been identified exploiting the bugs since they were publicly disclosed by Ivanti on January 10. 

“In addition to suspected China-nexus espionage groups, Mandiant has also identified financially motivated actors exploiting CVE-2023-46805 and CVE-2024-21887, likely to enable operations such as crypto-mining,” the company explained, writing that in addition to the five Chinese groups, they observed three cybercriminal operations exploiting the bugs. 

The report focuses on the “five China-nexus clusters that have conducted intrusions” but only one — which they call UNC5221 — exploited CVE-2023-46805 and CVE-2024-21887 before they were disclosed by Ivanti. 

Mandiant said that it did not see any instances where Volt Typhoon was successful in compromising Ivanti Connect Secure.

“Activity for this cluster started in December 2023 focusing on Citrix Netscaler ADC and then shifted to focus on Ivanti Connect Secure devices after details were made public in mid-Jan. 2024,” they said. “Probing has been observed against the academic, energy, defense, and health sectors, which aligns with past Volt Typhoon interest in critical infrastructure.”

The other groups used a variety of strains of malware if they successfully compromised an organization — including malware families Mandiant named TERRIBLETEA, PHANTOMNET, TONERJAM, SPAWNSNAIL, SPAWNMOLE and more.

During incident investigations, Mandiant discovered four distinct malware families that it believes are used together to create backdoors that are “stealthy and persistent” — enabling  long-term access and detection avoidance. 

The hackers used their intrusion to pivot deeper into the network of victims, often moving on to compromise tools from Microsoft and VMware. 

Patches for all three vulnerabilities are currently available. The Mandiant report comes one day after Ivanti’s CEO pledged a slate of changes to the company’s operations following months of high-profile incidents affecting governments around the world.