US disrupts PRC botnet used in hacking of critical infrastructure

The US Department of Justice Office of Public Affairs has announced that a December 2023 FBI operation has disrupted a botnet of hundreds of US-based small office/home office (SOHO) routers hijacked by People’s Republic of China (PRC) state-sponsored hackers.

Although the botnet malware infection targeted home and small office routers, it subsequently was used to help attack critical infrastructure organisations.

The hackers, known to the private sector as Volt Typhoon, used privately owned SOHO routers infected with the KV Botnet malware to conceal the PRC origin of further hacking activities directed against US and other foreign victims. The hacking activities included a campaign targeting critical infrastructure organisations in the United States and elsewhere that was the subject of a May 2023 advisory from the FBI, National Security Agency, Cybersecurity and Infrastructure Security Agency (CISA), and foreign partners including the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC).

The same activity has been the subject of private sector partner advisories in May and December 2023, as well as an additional secure by design alert released by CISA.

The vast majority of routers that comprised the KV Botnet were Cisco and NetGear routers that were vulnerable because they had reached ‘end of life’ status; that is, they were no longer supported through their manufacturer’s security patches or other software updates. The court-authorised operation deleted the KV Botnet malware from the routers and took additional steps to sever their connection to the botnet, such as blocking communications with other devices used to control the botnet.

“The Justice Department has disrupted a PRC-backed hacking group that attempted to target America’s critical infrastructure utilising a botnet,” said Attorney General Merrick B Garland. “The United States will continue to dismantle malicious cyber operations — including those sponsored by foreign governments — that undermine the security of the American people.”

As described in court documents, the US Government extensively tested the operation on the relevant Cisco and NetGear routers. The operation did not impact the legitimate functions of, or collect content information from, hacked routers. Additionally, the court-authorised steps to disconnect the routers from the KV Botnet and prevent reinfection are temporary in nature. A router’s owner can reverse these mitigation steps by restarting the router. However, a restart that is not accompanied by mitigation steps similar to those the court order authorised will make the router vulnerable to reinfection.

The remediated routers remain vulnerable to future exploitation by Volt Typhoon and other hackers, and the FBI strongly encourages router owners to remove and replace any end-of-life SOHO router currently in their networks.

Image credit: iStock.com/Chainarong Prasertthai