Federal cybersecurity experts unshackled hundreds of small office/home office (SOHO) routers across the U.S. that had been corralled into a powerful botnet controlled by China-based hackers intent on disrupting critical infrastructure.
The Justice Department said the operation disrupted the so-called KV botnet, run by Volt Typhoon, which it described as a People’s Republic of China (PRC) state-sponsored threat group.
The botnet was intended to “conceal the PRC origin of further hacking activities directed against U.S. and other foreign victims,” the Justice Department said in a statement.
Together with the FBI, it officially confirmed the operation two days after a Jan. 29 report by news agency Reuters first revealed it had taken place.
Volt Typhoon’s activities raised alarm bells when it was revealed in May last year that the group was responsible for widespread and sophisticated hacking activities included a campaign targeting critical infrastructure organizations in the United States and elsewhere.
Botnet snared insecure, end-of-life routers
By routing the botnet’s activities through SOHO routers, Volt Typhoon was able to reduce its chances of detection because the gang’s malicious activities blended in with regular internet traffic in the vicinity of the facilities they were attacking.
“The vast majority of routers that comprised the KV Botnet were Cisco and NetGear routers that were vulnerable because they had reached ‘end of life’ status,” the Justice Department said.
“The court-authorized operation deleted the KV Botnet malware from the routers and took additional steps to sever their connection to the botnet, such as blocking communications with other devices used to control the botnet.”
The takedown operation disrupted Volt Typhoon’s efforts to gain access to critical infrastructure that the PRC would be able to leverage during a future crisis, said Assistant Attorney General Matthew Olsen of the Justice Department’s National Security Division.
FBI boss worried about gang’s focus on infrastructure
“China’s hackers are targeting American civilian critical infrastructure, pre-positioning to cause real-world harm to American citizens and communities in the event of conflict,” FBI Director Christopher Wray said.
“Volt Typhoon malware enabled China to hide as they targeted our communications, energy, transportation, and water sectors. Their pre-positioning constitutes a potential real-world threat to our physical safety that the FBI is not going to tolerate.”
Speaking about the operation before the House Select Committee on the Chinese Communist Party, Wray said it demonstrated that the threat posed by CCP-sponsored hackers was more than simply theoretical.
“The Volt Typhoon malware enabled China to hide, among other things, pre-operational reconnaissance and network exploitation against critical infrastructure like our communications, energy, transportation, and water sectors,” he said.
That amounted to China taking steps “to find and prepare to destroy or degrade the civilian critical infrastructure that keeps us safe and prosperous”.
SOHO device vendors told to design for security
Meanwhile, the Cybersecurity and Infrastructure Security Agency (CISA) published guidance, prepared together with the FBI, on security design improvements for SOHO device manufacturers.
The guidance was based on the spate of recent attacks against SOHO routers, especially by Volt Typhoon, CISA said.
“CISA and FBI are urging SOHO router manufacturers to build security into the design, development, and maintenance of SOHO routers to eliminate the path these threat actors are taking to (1) compromise these devices and (2) use these devices as launching pads to further compromise U.S. critical infrastructure entities,” the agency said.
“CISA and FBI also urge manufacturers to protect against Volt Typhoon activity and other cyber threats by disclosing vulnerabilities via the Common Vulnerabilities and Exposures (CVE) program as well as by supplying accurate Common Weakness Enumeration (CWE) classification for these vulnerabilities.”
Chris Wysopal, co-founder and chief technology officer at Veracode, said combating threats from groups such as Volt Typhoon required effort from device operators as well as vendors. While vendors needed to build systems that were secure by design, operators needed to ensure they updated software, hardened configurations, and added security solutions where necessary.
“We have known for decades that foreign adversaries could attack critical infrastructure by exploiting the vulnerabilities in the software and devices used in water, power, and transportation systems,” Wysopal said. “Only in the last few years has the federal government started to tackle this vulnerability as the threats have become increasingly real. There are decades of security debt of unpatched software, poor security configurations and missing security features.”
