
On Wednesday, the US government announced that it had taken action to counteract the impact of the hacking campaign and dismantle a botnet made up of hundreds of small office and home office (SOHO) routers throughout the country that had been taken over by Volt Typhoon, a state-sponsored threat actor with ties to China.

At Lumen Technologies, the Black Lotus Labs team initially revealed the existence of the botnet, known as KV-botnet, in mid-December 2023. Reuters first reported on the law enforcement operation earlier this week.

“The vast majority of routers that comprised the KV-botnet were Cisco and NetGear routers that were vulnerable because they had reached ‘end of life’ status; that is, they were no longer supported through their manufacturer’s security patches or other software updates,” the Department of Justice (DoJ) stated in a press announcement.

Volt Typhoon (also known as DEV-0391, Bronze Silhouette, Insidious Taurus, or Vanguard Panda) is the name given to an adversarial group based in China that has been implicated in cyberattacks against Guam and critical infrastructure sectors in the United States.

“Chinese cyber actors, including a group known as ‘Volt Typhoon,’ are burrowing deep into our critical infrastructure to be ready to launch destructive cyber attacks in the event of a major crisis or conflict with the United States,” Jen Easterly, the director of CISA, said.

The cyber espionage group, which has been active since 2021, is well known for using legitimate tools and living-off-the-land (LotL) techniques to evade detection and remain hidden in target environments for extended periods in order to obtain sensitive data.

Another key component of its strategy is that it attempts to conceal its identity by directing traffic via routers, firewalls, and VPN gear that have been compromised on SOHO networks in an effort to mimic legitimate network activity.

To do this, the advanced persistent threat actors use compromised devices from vendors such as Cisco, DrayTek, Fortinet, and NETGEAR as a covert data transfer network. This is made possible by the KV-botnet. The operators of the botnet are believed to offer its services to other hacking groups, such as Volt Typhoon.

According to a January 2024 analysis by cybersecurity company SecurityScorecard, during a 37-day period from December 1, 2023, to January 7, 2024, the botnet was responsible for compromising up to 30%, or 325 out of 1,116, of end-of-life Cisco RV320/325 routers.

According to Lumen Black Lotus Labs, “Volt Typhoon is at least one user of the KV-botnet and […] this botnet encompasses a subset of their operational infrastructure.” The botnet has also been running since at least February 2022.

To operate the botnet and use the compromised devices as intermediary relay nodes for their operational objectives, the operators also built the botnet to download a virtual private network (VPN) module to the vulnerable routers and set up a direct encrypted communication channel.

Affidavits filed by the U.S. Federal Bureau of Investigation (FBI) state that “one function of the KV-botnet is to transmit encrypted traffic between the infected SOHO routers, allowing the hackers to anonymize their activities (i.e., the hackers appear to be operating from the SOHO routers, versus their actual computers in China)”.

The agency claimed that as part of its efforts to take down the botnet, it remotely sent commands to target U.S. routers using the malware’s communication protocols, erasing the KV-botnet payload and preventing re-infection. According to the FBI, all victims were informed about the operation, either directly or through their ISP in the event that contact details were unavailable.

“The court-authorized operation deleted the KV-botnet malware from the routers and took additional steps to sever their connection to the botnet, such as blocking communications with other devices used to control the botnet,” the Department of Justice stated.

It’s crucial to note that the preventative steps used to take the routers out of the botnet are only effective in the short term and do not survive a reboot. Stated differently, simply restarting the devices would leave them open to re-infection.

“The Volt Typhoon malware enabled China to hide, among other things, pre-operational reconnaissance and network exploitation against critical infrastructure like our communications, energy, transportation, and water sectors – steps China was taking, in other words, to find and prepare to destroy or degrade the civilian critical infrastructure that keeps us safe and prosperous,” said Christopher Wray, the director of the FBI.

The Chinese government, however, rejected any role in the attacks in a statement provided to Reuters, calling them a “disinformation campaign” and stating that it “has been categorical in opposing hacking attacks and the abuse of information technology.”

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released new guidelines concurrently with the takedown, advising SOHO device manufacturers to adopt a secure by design approach during development and remove the onus from customers.

It specifically advises manufacturers to eliminate exploitable vulnerabilities in SOHO router web management interfaces, change default device configurations to enable automatic updates, and require a manual override before security settings can be removed.

The use of routers and other edge devices in advanced persistent threats launched by China and Russia highlights a growing problem, made worse by the fact that outdated devices do not support endpoint detection and response (EDR) solutions and no longer receive security fixes.

“The creation of products that lack appropriate security controls is unacceptable given the current threat environment,” stated CISA. “This case exemplifies how a lack of secure by design practices can lead to real-world harm both to customers and, in this case, our nation’s critical infrastructure.”