The US government has disrupted a botnet operated by Chinese state-sponsored hackers known as “Volt Typhoon,” known for attacking critical infrastructure in the country.
The botnet, named ‘KV Botnet,’ had infected hundreds of small office/home office (SOHO) routers in the United States, mostly Cisco and Netgear equipment that run out of date firmware susceptible to several known vulnerabilities with publicly available exploits.
KV Botnet was used by Volt Typhoon to conceal its malicious operations, including attacks on critical infrastructure in the United States as well as other countries. Specifically, malicious traffic was routed through compromised US-based routers, so it appeared legitimate and trusted, thus less likely to be flagged or blocked.
Microsoft first identified KV Botnet in May 2023, warning about Volt Typhoon’s tactics. Later, in December, Black Lotus mapped the botnet’s activity clusters and highlighted its detection evasion mechanisms, communication protocols, and commands it could execute on breached devices.
Today, the FBI, CISA, and the US Department of Justice have announced that, through a December 2023 court-authorized operation, they have disrupted KV Botnet and removed the malware from infected routers. The authorities also took the necessary steps to block re-connections from the botnet so the cleaned devices, which still run vulnerable firmware, cannot be enslaved again.
“This operation disrupted the efforts of PRC state-sponsored hackers to gain access to US critical infrastructure that the PRC would be able to leverage during a future crisis. The operation, together with the release of valuable network defense guidance by the US government and private sector partners, demonstrates the Department of Justice’s commitment to enhance cybersecurity and disrupt efforts to hold our critical infrastructure at risk.”
Assistant Attorney General Matthew G. Olsen.
Owners of the affected routers are being notified, and the operation is said not to have interfered with legitimate router functions or collected content from the routers. The FBI continues to investigate the activities of Volt Typhoon and encourages the public to replace any end-of-life routers to prevent future compromise.
It is not improbable that Volt Typhoon, a state-sponsored hacking group occupied full-time with hacking, attempts to update its KV Botnet payload with new exploit sets for different IoT devices, diversify its communication mechanisms to target different ports, and generally refresh its arsenal to rebuild the swarm again. However, this significant disruption is bound to cost the threat group time and resources.
Botnet infections, in general, can make the performance of router devices sluggish, result in sudden and inexplicable changes in the device’s configuration, and cause frequent overheats. If you suspect a router infection, reset your device to wipe all data, apply the latest firmware update from the vendor’s download portal, and change the default credentials to something unique and strong.