FBI disrupts Chinese KV Botnet targeting U.S. infrastructure

Chinese cybercriminal group Volt Typhoon targeted US critical infrastructure organizations

Recently, the Federal Bureau of Investigation (FBI) and the U.S. Justice Department carried out a major cybersecurity operation against Volt Typhoon, a state-sponsored Chinese hacking group. This organization created a network known as the KV Botnet by breaking into hundreds of small office and home office (SOHO) routers across the United States.

Malicious actions were hidden by using the compromised devices – mostly old Cisco and Netgear routers – by having them look like authentic network traffic from reliable U.S. IP addresses. Critical U.S. infrastructure sectors, such as electricity, water, transportation, and communication, were the main targets of these operations.^[1]

The hackers were able to remotely control the routers thanks to malware that was later identified as KV Botnet malware. This control was applied to enable network exploitation and reconnaissance against vital U.S. infrastructure. These actions were a part of the Chinese government's larger plan to get ongoing access to these vital networks, maybe in anticipation of future hostilities or targeted assaults.

FBI did not only disrupt the botnet and removed malware – preventive measures were implemented too

The FBI launched a clandestine operation in December to tackle this threat, starting with securing a court order. This directive gave the FBI permission to instruct the compromised devices, so cutting them off from the botnet and stopping the hackers from using them for more nefarious purposes.

In order to break the hackers' connection to the machines and prevent them from trying to reconnect, the operation entailed sending orders that terminated the VPN process that the botnet was using.

Furthermore, the FBI took action to stop these devices from getting infected again. But if the routers were restarted, all of these precautions would be for naught, and they would become vulnerable once more. The affidavit^[2] only partially disclosed the specific methods utilized to stop re-infections, but there are signs that the plan included a loop-back mechanism.

A part of a much larger campaign targeting US

This operation against the KV Botnet is part of a wider pattern where state-sponsored organizations are increasingly engaging in cyber espionage. Bronze Silhouette, another name for the Volt Typhoon gang, has been particularly aggressive in attacking vital infrastructure in the United States. In addition to routers, other network-connected devices such as IP cameras were also among the affected devices.^[3]

This botnet's interruption highlights the increasing problem caused by outdated devices that aren't receiving security upgrades. These gadgets pose a serious security danger to the general public as well as to their users. Experts advise swapping out old routers for newer models and routinely scanning for and applying security patches in order to reduce these dangers. Rebooting routers from time to time might also be beneficial because most infestations do not survive a reset.

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have released guidelines^[4] to SOHO router makers in response to these threats. The significance of protecting these devices from persistent attacks is emphasized by this advice, which also suggests automated security upgrades and by default limiting access to web administration interfaces to local networks.

The U.S. authorities' effective takedown of the KV Botnet is a major step against state-sponsored cyber attacks, especially those that aim to compromise vital national infrastructure. In addition to eliminating an immediate threat, the operation brought attention to the ongoing difficulties and essential precautions in protecting outdated and susceptible network equipment.