The US Department of Justice and the FBI have confirmed that a court-authorized operation has disrupted a botnet of small office/home office (SOHO) routers controlled by Chinese state-backed hacker group Volt Typhoon.
The botnet, dubbed “KV Botnet,” comprised hundreds of privately-owned SOHO routers, mainly vulnerable EOL (End-of-Life) Cisco and NETGEAR routers. The law enforcement operation deleted the KV Botnet malware from the routers and severed their connection to the botnet, blocking communications with the other devices used to control it.
“The operation did not impact the legitimate functions of, or collect content information from, hacked routers. Additionally, the court-authorized steps to disconnect the routers from the KV Botnet and prevent reinfection are temporary in nature. A router’s owner can reverse these mitigation steps by restarting the router. However, a restart that is not accompanied by mitigation steps similar to those the court order authorized will make the router vulnerable to reinfection,” the authorities said.
The Volt Typhoon campaign, first uncovered in May 2023, targeted organizations in the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.
The threat actor gained initial access to the victims’ networks via internet-facing Fortinet FortiGuard devices, although it’s unclear how the threat actor breached the devices in the first place. Once inside the network, the group obtained credentials to an Active Directory account used by the device and went on to compromise other devices in the network.
The attacker has been observed proxying all its network traffic to its targets via compromised SOHO network edge devices, including ASUS, Cisco, D-Link, NETGEAR, and Zyxel products.
Additionally, the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI released guidance to help manufacturers eliminate defects in SOHO router web management interfaces. This includes automating update capabilities, exposing the web management interface only on LAN-side ports, and requiring a manual override to remove security settings.