CyberWire Daily
Botnet’s back, tell a friend. [Research Saturday]
Mar 8, 2025
Silas Cutler, Principal Security Researcher at Censys, dives into the enigmatic Volt Typhoon and its botnet, KV. He explains how the FBI's efforts disrupted infected systems without affecting the control infrastructure, suggesting a stealthy operator behind the scenes. Analysis reveals shifts in the botnet’s control servers in response to law enforcement. The conversation also tackles the challenges of attributing cyber threats, the strategic use of U.S. hosting for disguise, and the surprising links between patent databases and cybersecurity vulnerabilities.
22:47
Podcast summary created with Snipd AI
Quick takeaways
- Volt Typhoon exhibits sophisticated operations by employing manual techniques and maintaining consistent SSL certificates for tracking, indicating strategic planning amid disruptions.
- The FBI's efforts against the KV Botnet highlight the challenges of targeting infrastructure, as Volt Typhoon's servers remain elusive and largely stable despite attempts to disrupt them.
Deep dives
Understanding Volt Typhoon's Operations
Volt Typhoon is identified as a threat actor operating primarily from China, employing tradecraft that sets it apart from other threat actors. The group often conducts operations manually, using tools already present in targeted networks rather than relying on traditional malware. One notable aspect of its operations is its first-stage malware, which communicates through a consistent SSL certificate, allowing researchers to track the group's servers effectively. The unusual decision to keep this certificate in place after the FBI's disruption suggests a degree of strategic planning, or contractual constraints that limit how much the operators can change.
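The certificate-pivoting technique described above can be illustrated with a small tracker. The code below is an added example written for this page; it is not Censys' tooling or anything from the episode. All hosts, fingerprints, dates and the disruption cutoff are constructed placeholders, and the input format (date, host, SHA-256 certificate fingerprint) is an assumption about what a scan feed would provide. Given such observations, it groups hosts presenting a tracked certificate into those seen before and after a cutoff date, so a defender can see which servers persisted, which went away, and which appeared newly, the kind of control-server shift the summary mentions.

```python
from collections import defaultdict
from datetime import date

# Constructed scan observations: (observation date, host, SHA-256 certificate fingerprint).
# Every value here is made up for illustration; none is a real infrastructure indicator.
SCAN_OBSERVATIONS = [
    (date(2024, 1, 10), "198.51.100.10", "aa11" * 16),
    (date(2024, 1, 12), "198.51.100.11", "aa11" * 16),
    (date(2024, 1, 20), "203.0.113.5", "bb22" * 16),   # unrelated certificate, ignored
    (date(2024, 2, 15), "198.51.100.10", "aa11" * 16),  # still serving the cert after the cutoff
    (date(2024, 2, 20), "192.0.2.77", "aa11" * 16),     # same cert on a host not seen before
    (date(2024, 2, 21), "203.0.113.5", "bb22" * 16),
]

# The certificate fingerprint(s) we pivot on (constructed placeholder).
TRACKED_FINGERPRINTS = {"aa11" * 16}


def hosts_by_fingerprint(observations, tracked, cutoff):
    """Split hosts presenting a tracked certificate into those observed before and after cutoff."""
    before = defaultdict(set)
    after = defaultdict(set)
    for when, host, fingerprint in observations:
        if fingerprint not in tracked:
            continue
        bucket = before if when < cutoff else after
        bucket[fingerprint].add(host)
    return before, after


def infrastructure_shift(observations, tracked, cutoff):
    """For each tracked fingerprint, report hosts that persisted, were retired, or newly appeared."""
    before, after = hosts_by_fingerprint(observations, tracked, cutoff)
    report = {}
    for fingerprint in tracked:
        seen_before = before.get(fingerprint, set())
        seen_after = after.get(fingerprint, set())
        report[fingerprint] = {
            "persisted": sorted(seen_before & seen_after),
            "retired": sorted(seen_before - seen_after),
            "new": sorted(seen_after - seen_before),
        }
    return report


if __name__ == "__main__":
    # Assumed disruption date; in practice this comes from the disruption you are studying.
    cutoff = date(2024, 2, 1)
    for fp, change in infrastructure_shift(SCAN_OBSERVATIONS, TRACKED_FINGERPRINTS, cutoff).items():
        print(fp[:16] + "...", change)
```

Run against a real scan export, the same function shows whether a tracked certificate stayed on the same hosts through a disruption (as the episode describes) or migrated to new ones, which is the signal worth alerting on.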