Chinese threat group Volt Typhoon used a sophisticated botnet of unsecured home and small business routers to stealthily transfer data during a major campaign targeting U.S. critical infrastructure discovered earlier this year.
The group’s activity raised alarm in the intelligence community when it was first reported in May because of the breadth and potential impact of the attacks. Organizations across a range of sectors, including government, defense, communications, IT and utilities, were targeted.
One victim was a critical infrastructure organization in the U.S. territory of Guam. There were fears the breach could be a precursor to an attack aimed at disrupting U.S. military capabilities in the nearby South China Sea.
KV-botnet built from end-of-life routers
In a Dec. 13 post, Lumen Technologies said that, following the discovery of the attacks, its Black Lotus Labs division found that Volt Typhoon, and possibly other advanced persistent threat (APT) actors, had been using a botnet as a data transfer network in its operations.
Dubbed KV-botnet, it was a network of infected small office/home office (SOHO) routers, mainly end-of-life models made by Cisco, DrayTek and Netgear.
“The KV-botnet features two distinct logical clusters, a complex infection process and a well-concealed command-and-control (C2) framework,” the researchers said. “The operators of this botnet meticulously implement tradecraft and obfuscation techniques.”
The researchers listed several advantages to building a botnet from older SOHO routers: the large number of such devices available, the lack of security controls and patching applied to them, and the substantial bandwidth they can carry without raising suspicion.
“Additionally, because these models are associated with home and small business users, it’s likely many targets lack the resources and expertise to monitor or detect malicious activity and perform forensics.”
In a separate statement, Lumen said KV-botnet had enabled Volt Typhoon to maintain covert communication channels that blended in with normal network traffic, letting it pass through security controls and firewalls unnoticed.
“This botnet was essential for their strategic intelligence collection operations, helping them accomplish their long-term goals. The campaign targeted devices outside the reach of traditional security detection teams, [adding] an intentional layer of obfuscation for covert operations.”
Lumen said Black Lotus Labs disrupted the botnet by tracing its C2 servers and null routing (dropping all traffic to) the malicious IP addresses across Lumen’s network, which cut the operators’ access to the compromised devices and stopped them from being used in further attacks.
“Blocking the threat actor’s infrastructure across Lumen’s network disrupts the botnet’s ability to operate and helps combat dangerous and highly skilled nation state threats like Volt Typhoon,” said Mark Dehus, senior director of threat intelligence at Black Lotus Labs.
But the researchers warned the nature of the botnet made it hard to destroy completely.
“Since this campaign targets SOHO devices, it would be difficult to eradicate all the infected devices at once to kill the botnet. As the malware resides completely in-memory, by simply power-cycling the device the end user can cease the infection. While that removes the imminent threat, re-infection is occurring regularly.”
Lumen said that, to help mitigate threats like KV-botnet, businesses should watch for unusually large volumes of data leaving their networks, and home users should regularly reboot their routers and install the latest security updates and patches. Since end-of-life models no longer receive updates, that last step is only possible on devices the vendor still supports; for the rest, replacement is the only lasting fix.
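The advice to watch for large amounts of data leaving the network is easier to act on with a concrete baseline check. The following is an added example, not Lumen’s or Black Lotus Labs’ detection logic: it takes constructed flow-style records (day, source host, destination, bytes out), builds a per-host daily egress baseline from earlier days, and flags any host whose egress on the day under review exceeds both an absolute floor and a multiple of its own median. The record format, IP addresses, thresholds and the `ratio`/`min_bytes` parameters are all assumptions for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample flow records: (day, src_host, dst_ip, bytes_out).
# Two internal hosts with steady ~40-50 MB/day of egress; on the last day
# 10.0.0.9 pushes ~1.9 GB to a previously unseen destination.
FLOWS = [
    ("2023-12-01", "10.0.0.5", "203.0.113.10", 52_000_000),
    ("2023-12-02", "10.0.0.5", "203.0.113.10", 48_000_000),
    ("2023-12-03", "10.0.0.5", "203.0.113.10", 50_000_000),
    ("2023-12-04", "10.0.0.5", "203.0.113.10", 51_000_000),
    ("2023-12-05", "10.0.0.5", "203.0.113.10", 49_000_000),
    ("2023-12-01", "10.0.0.9", "203.0.113.10", 40_000_000),
    ("2023-12-02", "10.0.0.9", "203.0.113.10", 42_000_000),
    ("2023-12-03", "10.0.0.9", "203.0.113.10", 39_000_000),
    ("2023-12-04", "10.0.0.9", "203.0.113.10", 41_000_000),
    ("2023-12-05", "10.0.0.9", "203.0.113.10", 40_000_000),
    ("2023-12-05", "10.0.0.9", "198.51.100.7", 1_900_000_000),
]


def daily_egress(flows):
    """Sum outbound bytes per (host, day)."""
    totals = defaultdict(int)
    for day, src, _dst, nbytes in flows:
        totals[(src, day)] += nbytes
    return totals


def flag_egress_anomalies(flows, day, ratio=5.0, min_bytes=500_000_000):
    """Flag hosts whose egress on `day` is both above an absolute floor and
    more than `ratio` times their median egress on earlier days.

    The absolute floor suppresses noise from hosts with a tiny baseline; the
    ratio catches hosts whose volume jumps relative to their own history.
    (Thresholds are illustrative assumptions, not recommended values.)
    """
    totals = daily_egress(flows)
    hosts = {src for src, _day in totals}
    alerts = []
    for host in sorted(hosts):
        history = [b for (h, d), b in totals.items() if h == host and d < day]
        if not history:
            continue  # no baseline yet; cannot judge this host
        baseline = median(history)
        today = totals.get((host, day), 0)
        if today >= min_bytes and today > ratio * baseline:
            alerts.append({
                "host": host,
                "day": day,
                "bytes": today,
                "baseline": baseline,
                "ratio": today / baseline,
            })
    return alerts


def top_destinations(flows, host, day, n=3):
    """Break a flagged host's egress on `day` down by destination, largest first,
    so an analyst can see where the volume actually went."""
    per_dst = defaultdict(int)
    for d, src, dst, nbytes in flows:
        if src == host and d == day:
            per_dst[dst] += nbytes
    return sorted(per_dst.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    for alert in flag_egress_anomalies(FLOWS, "2023-12-05"):
        print(f"{alert['host']}: {alert['bytes']:,} bytes on {alert['day']} "
              f"({alert['ratio']:.1f}x median baseline of {alert['baseline']:,.0f})")
        for dst, nbytes in top_destinations(FLOWS, alert["host"], alert["day"]):
            print(f"    -> {dst}: {nbytes:,} bytes")
```

Volume spikes are only one signal. A relay built from compromised SOHO routers can spread exfiltration across many residential IPs and keep each session small, so a per-host median baseline should be paired with checks on destination rarity (first-seen external IPs, residential ISP ranges) and on long-lived low-rate connections rather than used on its own.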