FBI Says It has Cleared Hundreds of Routers of Volt Typhoon Malware

FBI officials said they were able to eliminate the KV botnet used by hackers from the Chinese group Volt Typhoon (aka Bronze Silhouette, DEV-0391, Insidious Taurus and Vanguard Panda) to evade detection during attacks that target critical US infrastructure.

It is reported that Volt Typhoon used the KV malware (also known as KV-botnet) to compromise and hijack hundreds of SOHO routers across the United States, then routed its operations through them so that malicious activity blended into normal network traffic and evaded detection.

"One of the functions of the KV botnet is to transmit encrypted traffic between infected routers, which allows hackers to anonymize their activities (that is, it seems that they are operating from SOHO routers, and not from their real computers in China)," the FBI reports.

Among the devices compromised and added to the botnet were Netgear ProSafe routers, Cisco RV320s and DrayTek Vigor routers, as well as Axis IP cameras, as previously reported by Black Lotus Labs researchers, who first linked this malware to a Chinese hacking group in December last year.

It is also worth noting that, according to a SecurityScorecard report published earlier this month, Volt Typhoon was able to compromise about 30% of all internet-reachable Cisco RV320/325 devices, and it took the attackers only about a month to do so.

Earlier, Microsoft experts wrote that in recent years the group has gained a foothold in critical infrastructure environments throughout the United States and Guam (an island with the status of an unincorporated organized territory of the United States, which hosts several military bases), stealing credentials and confidential information while remaining virtually unnoticed.

"The Volt Typhoon malware allowed China to hide pre-operational activities and network operations of critical infrastructure in the communications, energy, transportation, and water sectors. In other words, China has taken steps to seek out and prepare for the destruction or weakening of critical civilian infrastructure that ensures our security and stability," said FBI Director Christopher Wray. "Therefore, together with partners, the FBI conducted a court-sanctioned network operation to block Volt Typhoon and the access that [the attackers] used."

The FBI operation began on December 6, 2023, when law enforcement received a court order authorizing the dismantling of the botnet after its command-and-control servers had been compromised.

Investigators sent commands to the compromised devices to disconnect them from the botnet and prevent the attackers from compromising them again. A second team forced the malware to remove the botnet's VPN component from the devices and blocked the attackers from using the routers to conduct further attacks.

"The vast majority of the routers that were part of the KV botnet were Cisco and NetGear devices that were vulnerable because they reached the end of their service life, meaning they no longer received security patches from the manufacturer or other updates," the US Department of Justice explains. "In a court-sanctioned operation, the KV botnet malware was removed from the routers, and additional steps were taken to break their connection to the botnet, such as blocking communication with other devices used to control the botnet."

However, it is noted that none of these remediation measures survive a reboot: once a router is restarted, the device again becomes vulnerable to reinfection.

Also this week, CISA and the FBI issued guidance to manufacturers of SOHO routers, calling on them to protect their products against the ongoing attacks of the Volt Typhoon group. The recommendations include automating security updates, restricting access to web-based management interfaces to the LAN only, and eliminating vulnerabilities during the device design and development stages.