U.S. Feds Shut Down China-Linked “KV-Botnet” Targeting SOHO Routers

By neub9
4 Min Read

The U.S. government has neutralized a botnet containing hundreds of U.S.-based small office and home office (SOHO) routers hijacked by a China-linked state-sponsored threat actor called Volt Typhoon, mitigating the impact posed by the hacking campaign.

The existence of the botnet, named KV-botnet, was first disclosed by the Black Lotus Labs team at Lumen Technologies in mid-December 2023 and was reported by Reuters earlier this week.

“The vast majority of routers that comprised the KV-botnet were Cisco and NetGear routers that were vulnerable because they had reached ‘end of life’ status,” the Department of Justice (DoJ) said in a press statement. Volt Typhoon (aka DEV-0391, Bronze Silhouette, or Vanguard Panda) is a China-based adversarial collective attributed to cyber attacks targeting critical infrastructure sectors in the U.S. and Guam.

The cyber espionage group, active since 2021, is known for its reliance on legitimate tools and living-off-the-land (LotL) techniques to fly under the radar and persist within victim environments to gather sensitive information.

Another important aspect of its modus operandi is that it tries to blend into normal network activity by routing traffic through compromised SOHO network equipment, including routers, firewalls, and VPN hardware, in an attempt to obfuscate their origins.

This is accomplished by means of the KV-botnet, which hijacks devices from Cisco, DrayTek, Fortinet, and NETGEAR for use as a covert data transfer network for advanced persistent threat actors. It’s suspected that the botnet operators offer their services to other hacking outfits, including Volt Typhoon.

In January 2024, a report from SecurityScorecard revealed how the botnet has been responsible for compromising as much as 30% of end-of-life Cisco RV320/325 routers over a 37-day period.

“Volt Typhoon is at least one user of the KV-botnet and […] this botnet encompasses a subset of their operational infrastructure,” Lumen Black Lotus Labs said, adding the botnet “has been active since at least February 2022.”

The botnet is also designed to download a virtual private network (VPN) module to the vulnerable routers and set up a direct encrypted communication channel to control the botnet and use it as an intermediary relay node to achieve their operational goals.

“One function of the KV-botnet is to transmit encrypted traffic between the infected SOHO routers, allowing the hackers to anonymize their activities,” according to affidavits filed by the U.S. Federal Bureau of Investigation (FBI).

As part of its efforts to disrupt the botnet, the agency said it remotely issued commands to target routers in the U.S. using the malware’s communication protocols to delete the KV-botnet payload and prevent them from being re-infected.

“The court-authorized operation deleted the KV-botnet malware from the routers and took additional steps to sever their connection to the botnet, such as blocking communications with other devices used to control the botnet,” the DoJ added.

However, the Chinese government, in a statement shared with Reuters, denied any involvement in the attacks, dismissing it as a “disinformation campaign” and that it “has been categorical in opposing hacking attacks and the abuse of information technology.”

Coinciding with the takedown, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published new guidance urging SOHO device manufacturers to embrace a secure by design approach during development and shift the burden away from customers.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Share This Article
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *