The FBI has successfully disrupted the KV-botnet, a tool used by the Chinese state-sponsored hacking group, Volt Typhoon, to evade detection during cyberattacks targeting critical U.S. infrastructure.

Volt Typhoon, also known as Bronze Silhouette, utilized this botnet to hijack hundreds of small office/home office (SOHO) devices across the U.S., masking malicious activities within legitimate network traffic to avoid detection. Compromised devices included Netgear ProSAFE, Cisco RV320 routers, DrayTek Vigor routers, and Axis IP cameras. These findings were initially linked to the Chinese threat group by Lumen Technologies’ Black Lotus Labs in December.

A recent SecurityScorecard report revealed that within just over a month, Volt Typhoon managed to compromise around 30% of all Cisco RV320/325 devices online.

FBI’s Response and Disruption Efforts

FBI Director Christopher Wray emphasized the significance of the operation, stating, “The Volt Typhoon malware allowed China to conduct pre-operational reconnaissance and network exploitation against critical infrastructure in the U.S., including communications, energy, transportation, and water sectors.” The malware was used to prepare for potential disruption or degradation of essential services that support public safety and prosperity.

The FBI’s counteroperation began on December 6, when a court-authorized operation allowed them to hack into the botnet’s command-and-control (C2) server. Once inside, FBI agents sent commands to compromised devices, severing them from the botnet and preventing the Chinese hackers from regaining access. They also issued commands to uninstall the malware’s VPN component, effectively cutting off the hackers’ control.

Many of the routers affected were outdated devices, like Cisco and Netgear models that had reached “end of life” and were no longer receiving security patches or updates. A statement from the Department of Justice highlighted that the FBI’s operation not only removed the malware but also blocked further communications between the compromised devices and the botnet.

Vendor Guidance and Securing SOHO Routers

In response to these ongoing attacks, both the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued guidance to SOHO router manufacturers. Recommendations included automating security updates, limiting access to management interfaces to local area networks (LANs) by default, and addressing security vulnerabilities during the design and development stages.

Volt Typhoon’s Broader Cyberattack Campaign

Volt Typhoon has been targeting critical U.S. infrastructure since at least mid-2021, according to a report released by Microsoft in May 2023. The group’s KV-botnet has been used to facilitate covert data transfers during cyberattacks against a variety of organizations since August 2022. Targets include U.S. military entities, telecommunications and internet service providers, and a European renewable energy company.

Conclusion

The disruption of the KV-botnet represents a significant victory for U.S. law enforcement in their efforts to combat state-sponsored cyber threats. However, it also highlights the importance of securing critical infrastructure and addressing vulnerabilities in widely used devices, especially those that have reached the end of their support lifecycle. By staying vigilant and proactive, both manufacturers and organizations can better protect their networks against sophisticated threat actors like Volt Typhoon.
